Hardened Sovereign Agent Stacks
Lesson 2 of 2
Configuring Secure Sandboxes
Estimated time: 10 minutes
OpenClaw 2026.3.22 introduced pluggable sandbox backends. For a sovereign stack, Docker is the gold standard for isolation.
Implementation
To enable Docker sandboxing for all agents, update your openclaw.json:
{
  "agents": {
    "defaults": {
      "sandbox": {
        "kind": "docker",
        "docker": {
          "image": "node:22-bookworm-slim",
          "workspaceAccess": "rw"
        }
      }
    }
  }
}
This ensures that when an agent runs exec or write, the operation happens inside a container rather than on your host OS.
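A pre-deployment check for the setting above, as an added example (not OpenClaw's own code or tooling): it inspects only the keys shown in this lesson and reports when the default sandbox is not Docker, when the image is referenced by a mutable tag instead of a digest, and when workspace access is "rw". The function name, the finding format and the reading of "rw" as read-write are assumptions.

```javascript
// Added example. Inspects only the keys that appear in the lesson's config.
const LESSON_CONFIG = {   // the config from this lesson, as an object
  agents: { defaults: { sandbox: {
    kind: "docker",
    docker: { image: "node:22-bookworm-slim", workspaceAccess: "rw" },
  } } },
};

const BASE = "agents.defaults.sandbox";

// Hypothetical helper: returns a list of { level, key, msg } findings.
function auditSandboxDefaults(config) {
  const findings = [];
  const add = (level, key, msg) => findings.push({ level, key, msg });
  const sandbox = config?.agents?.defaults?.sandbox;

  if (!sandbox || typeof sandbox !== "object") {
    add("fail", BASE, "no default sandbox block; agents are not covered by this setting");
    return findings;
  }
  if (sandbox.kind !== "docker") {
    add("fail", `${BASE}.kind`, `expected "docker", found ${JSON.stringify(sandbox.kind)}`);
    return findings;
  }
  const docker = sandbox.docker ?? {};
  if (typeof docker.image !== "string" || docker.image.trim() === "") {
    add("fail", `${BASE}.docker.image`, "no container image set");
  } else if (!/@sha256:[0-9a-f]{64}$/.test(docker.image)) {
    // Docker fact: a tag is a mutable pointer, a digest is content-addressed.
    add("warn", `${BASE}.docker.image`, "image referenced by tag, not by sha256 digest");
  }
  if (docker.workspaceAccess === "rw") {
    // Assumption from the key name: "rw" lets the sandbox write to the workspace.
    add("warn", `${BASE}.docker.workspaceAccess`, "workspace is read-write from the sandbox");
  }
  return findings;
}

// Stand-alone run against the lesson's config.
for (const f of auditSandboxDefaults(LESSON_CONFIG)) {
  console.log(`${f.level.toUpperCase()} ${f.key}: ${f.msg}`);
}
```

Run it against the parsed contents of your own openclaw.json; any "fail" finding means the default sandbox is not the Docker setup this lesson configures.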