#FYI, I improved the docs for https://
This looks like exactly what is needed to prevent prompt injection / token exfil
I noticed you're sandboxing using firejail. Could this work with the in-built Docker sandboxing?
I think it could work, as it only needs a shared directory for the socket claw-wrap uses. I will do some testing tomorrow!
But if I understood correctly the built-in docker sandboxing is only for tool calls, no? Meaning if there’s any successful prompt injection from those calls (fetching a site or reading a mail with hidden prompts) it may still successfully leak secrets when the agent itself can read them.
That’s why I started working on the idea of running the full agent process inside a sandbox, but with its own workspace and full read/write capabilities for most of the VM: it has no problem installing skills, new Homebrew tools, etc.; it just can’t see any of the secrets needed to do tool calls to my mail or GitHub.
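The split described above (agent inside the sandbox, secrets kept outside, tool calls passed over a socket in a shared directory) as an added example; this is not claw-wrap's own code. A minimal credential broker outside the sandbox holds the token and performs an allowlisted action on the agent's behalf, so the sandboxed side only ever sees the socket and the result, never the secret. The service name, action names, the upstream stub and the placeholder token are all constructed for the example.

```python
import json, os, socket, tempfile, threading

# Constructed placeholder; a real broker would load this from a keyring outside the sandbox.
SECRETS = {"github": "ghp_PLACEHOLDER_NOT_A_REAL_TOKEN"}
# Per-service allowlist of actions the sandboxed agent may ask the broker to run.
ALLOWED = {"github": {"list_repos"}}


def call_upstream(service, action, token):
    """Stand-in for the real API call; the token is consumed here and never echoed back."""
    ok = token == SECRETS[service]
    return {"service": service, "action": action, "authenticated": ok, "repos": ["a/b"] if ok else []}


def handle_request(raw):
    """Validate one request line from the sandbox, then run it with the secret attached."""
    try:
        req = json.loads(raw)
        service, action = req["service"], req["action"]
    except (ValueError, KeyError, TypeError):
        return {"error": "malformed request"}
    if action not in ALLOWED.get(service, set()):
        return {"error": f"{action!r} not allowed for {service!r}"}
    return call_upstream(service, action, SECRETS[service])


def serve(path, ready, max_requests):
    """Broker side (outside the sandbox): one newline-delimited JSON request per connection."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as srv:
        srv.bind(path)
        srv.listen()
        ready.set()
        for _ in range(max_requests):
            conn, _ = srv.accept()
            with conn, conn.makefile("rwb") as f:
                f.write(json.dumps(handle_request(f.readline())).encode() + b"\n")


def request(path, service, action):
    """Agent side (inside the sandbox): it sees the shared socket, never the token itself."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as c:
        c.connect(path)
        with c.makefile("rwb") as f:
            f.write(json.dumps({"service": service, "action": action}).encode() + b"\n")
            f.flush()
            return json.loads(f.readline())


def demo():
    """Start the broker, send one allowed and one disallowed request, return both replies."""
    path = os.path.join(tempfile.mkdtemp(), "broker.sock")
    ready = threading.Event()
    threading.Thread(target=serve, args=(path, ready, 2), daemon=True).start()
    ready.wait(5)
    return request(path, "github", "list_repos"), request(path, "github", "delete_repo")
```

Even a prompt-injected agent that reads every file in its sandbox gets nothing more than the socket and the allowlisted responses; the token never crosses the boundary.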