
Show HN: Desktop GUI sandbox for AI agents and MCP servers

Nilbox launched a desktop sandbox that runs untrusted AI agents inside a full virtual machine with real VM isolation, not containers. The tool uses a zero-token architecture in which API keys never enter the guest environment: a host proxy swaps credentials in-flight only for trusted domains and blocks unauthorized outbound traffic. This protects against credential theft, including theft via prompt injection, by ensuring that malicious code inside the VM can neither read nor exfiltrate the real API keys.

4 min read · published May 26, 2026

Desktop sandbox for running AI agents you don't trust, with real VM isolation and zero-token security.


AI agents need shell access, filesystem access, and outbound API calls. Running them in a container on the host kernel isn't real isolation, especially when those agents handle real credentials.

nilbox takes a different approach:

  • Real VM isolation: workloads run in a full virtual machine, not a container
  • Zero-token architecture: API keys never enter the guest; the host proxy swaps tokens in-flight for trusted domains only
  • Host-controlled network: all outbound traffic routes through VSOCK to a domain-gating proxy with rate limits and approval prompts

If you wouldn't give someone your API keys, don't put those keys where their code runs.

Grab the latest release for your platform from GitHub Releases.

Prerequisites: Rust toolchain, Node.js 18+

git clone https://github.com/paiml/nilbox.git
cd nilbox

cd apps/nilbox && npm install && npm run tauri dev

See Development Guide for full build instructions and release builds.

Consider running an autonomous AI coding agent like OpenClaw. It needs API keys for OpenAI, Anthropic, and GitHub, plus shell access to write and execute code. That's a lot of trust.

Without nilbox (traditional Docker/host setup):

$ echo $OPENAI_KEY
sk-proj-abc1234567890xyz...    # real token, stealable

A single prompt injection or rogue dependency can read these keys, exfiltrate them, and drain your API budget.

With nilbox:

$ echo $OPENAI_KEY
OPENAI_KEY                     # just a string, useless to attackers

Multi-provider token setup β€” configure each provider's environment variables in nilbox. OpenClaw only sees the token names as shown below; the nilbox proxy swaps them for real credentials on trusted domains only:

ANTHROPIC_API_KEY=ANTHROPIC_API_KEY

AWS_ACCESS_KEY_ID=AWS_ACCESS_KEY_ID
AWS_SECRET_ACCESS_KEY=AWS_SECRET_ACCESS_KEY

GEMINI_API_KEY=GEMINI_API_KEY

When the agent makes a legitimate API call to api.openai.com, the nilbox proxy on the host intercepts it, swaps OPENAI_KEY for the real token, and forwards it. When a malicious payload tries to send keys to attacker.evil.com, the proxy either blocks the domain outright or sends only the dummy string; the real token never leaves the host.

Zero code changes required. OpenClaw, or any other agent, runs unmodified inside the VM. It reads environment variables and makes API calls exactly as it would on bare metal. The token swap happens transparently at the host proxy layer, outside the guest. You don't patch your agent, your dependencies, or your scripts.

The result:

  • No key rotation after a compromise: real tokens were never exposed
  • No bill shock: per-provider spending limits block runaway usage
  • No data leaks: the VM can only reach domains you approve

See Zero Token Architecture for attack scenarios and defense layers.

You don't need a Mac Mini to run OpenClaw. That old laptop sitting at home is all you need: install nilbox and start running AI agents securely today.

  • Start a VM: the desktop app launches a VM via the platform backend (Apple Virtualization.framework on macOS, QEMU on Linux/Windows).
  • Guest agent connects: a Rust agent inside the VM establishes a VSOCK channel back to the host.
  • AI agent makes an API call: the request goes through the local outbound proxy (127.0.0.1:8088).
  • Host proxy intercepts: for trusted domains, the proxy swaps dummy env-var names for real API tokens. For untrusted domains, the dummy value passes through or the request is blocked.
  • Response flows back: token usage is extracted and tracked against configurable limits.
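The swap-and-gate decision from the steps above, written out as an added illustration (this is not nilbox's own code). The guest only ever holds the placeholder string; the real secret lives in a host-side table, and each outbound domain is either trusted (placeholder swapped), denied (request dropped) or unknown (dummy string passes through). The 95% spend block mirrors the limit the Features list mentions. The domains, the OPENAI_KEY placeholder and the value "sk-proj-REAL" are constructed sample data.

```rust
use std::collections::HashMap;
/// What the host proxy does with one outbound request from the guest.
#[derive(Debug, PartialEq)]
pub enum Verdict {
    Forward(String),       // trusted domain: header now carries the real credential
    PassThrough(String),   // unknown domain: the dummy string goes out unchanged
    Blocked(&'static str), // denied domain or spend limit: request never leaves the host
}
/// Host-side state. Real secrets live only here, never inside the VM.
pub struct HostProxy {
    pub secrets: HashMap<String, String>,      // placeholder name -> real secret
    pub trusted: HashMap<String, Vec<String>>, // domain -> placeholders it may receive
    pub denied: Vec<String>,
    pub usage: HashMap<String, (u64, u64)>,    // domain -> (tokens used, limit)
}
impl HostProxy {
    pub fn decide(&self, domain: &str, auth_header: &str) -> Verdict {
        if self.denied.iter().any(|d| d.as_str() == domain) {
            return Verdict::Blocked("domain denied");
        }
        let allowed = match self.trusted.get(domain) {
            Some(a) => a,
            None => return Verdict::PassThrough(auth_header.to_string()),
        };
        // Block once usage reaches 95% of the configured budget.
        if let Some(&(used, limit)) = self.usage.get(domain) {
            if used * 100 >= limit * 95 {
                return Verdict::Blocked("spend limit reached");
            }
        }
        // Swap only the placeholders this domain is entitled to; any other stays a dummy.
        let mut out = auth_header.to_string();
        for name in allowed {
            if let Some(real) = self.secrets.get(name) {
                out = out.replace(name.as_str(), real);
            }
        }
        Verdict::Forward(out)
    }
}
/// Constructed sample configuration; "sk-proj-REAL" is a placeholder, not a real key.
pub fn sample_proxy() -> HostProxy {
    let mut p = HostProxy { secrets: HashMap::new(), trusted: HashMap::new(),
        denied: vec!["attacker.evil.com".to_string()], usage: HashMap::new() };
    p.secrets.insert("OPENAI_KEY".to_string(), "sk-proj-REAL".to_string());
    p.trusted.insert("api.openai.com".to_string(), vec!["OPENAI_KEY".to_string()]);
    p.usage.insert("api.openai.com".to_string(), (800, 1000));
    p
}
```

Rewriting an Authorization header on the host presumes the proxy terminates the guest's TLS session there, which is consistent with rustls appearing in the build stack.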

  • Encrypted KeyStore: SQLCipher + OS keyring (macOS Keychain / Linux secret-service / Windows native)
  • Domain Gating: Allow Once / Allow Always / Deny per domain at runtime
  • DNS Blocklist: Bloom-filter blocklist for VM outbound traffic
  • Auth Delegation: Bearer, AWS SigV4, and Rhai-scripted OAuth out of the box

  • MCP Bridge: Model Context Protocol bridging between host and VM (stdio + SSE)
  • Token Usage Monitoring: per-provider tracking with configurable limits (warn at 80%, block at 95%)
  • OAuth Script Engine: pluggable auth via Rhai scripting

  • Multi-VM: create, start, stop, and monitor multiple VMs
  • Integrated Terminal: xterm.js shell into running guests via VSOCK PTY
  • Port Mapping: host-to-VM port forwarding, persisted across restarts
  • SSH Gateway: host-side SSH access for external tooling
  • File Mapping: FUSE-over-VSOCK shared directories
  • Disk Resize: resize VM disk images with auto-expand on boot

  • App Store: one-click install for apps and MCP servers inside the VM. Designed for users who aren't comfortable with Linux; no terminal required. If you're already at home on the command line, you can install anything directly via shell without the store.

Documentation:

  • Contributing
  • Zero Token Architecture
  • VM Image Scripts
  • OAuth Scripts
  • MCP Bridge
  • Playwright CDP
  • nilbox-vmm
  • nilbox-blocklist

Contributions are welcome! See CONTRIBUTING.md for development setup, code guidelines, and PR workflow.

GNU General Public License v3.0; see LICENSE.

Built with Tauri · React · rustls · xterm.js · SQLCipher · Rhai
