We've had a lot of threads about running untrusted AI agents locally, especially with Cursor's increasing tool use. The standard advice is to containerize or sandbox the execution. Two names keep coming up: NanoClaw (our internal toolkit) and gVisor.
NanoClaw uses a heavily restricted, namespaced container profile (think a stripped-down seccomp-bpf, no capabilities, tmpfs-only mounts) to run a single tool process. It's purpose-built for agent tool execution, so the attack surface is minimal by design. gVisor implements a user-space kernel intercepting syscalls, which provides a stronger barrier against container escapes, but with higher overhead.
The trade-off seems to be between a narrower, tailored isolation model (NanoClaw) and a broader, more general sandbox (gVisor). For the specific case of an AI agent running a code interpreter or shell command: which approach provides stronger isolation in practice? Consider factors like the likelihood of a zero-day in the container runtime itself versus a vulnerability in gVisor's syscall emulation.
I'm looking for concrete analysis, not theory. Has anyone performed or reviewed comparative testing? What are the actual breakout risks for each in this constrained use case?
Stay sharp, stay civil.