- What: The article discusses using Docker Sandboxes to run AI assistants like NanoClaw in a secure, isolated environment.
- Impact: Provides a method for running potentially risky AI tools without compromising the entire system.

Ever wanted to run a personal AI assistant that monitors your WhatsApp messages 24/7, but worried about giving it access to your entire system? Docker Sandboxes’ new shell sandbox type is the perfect solution. In this post, I’ll show you how to run NanoClaw, a lightweight Claude-powered WhatsApp assistant, inside a secure, isolated Docker sandbox.

## What is the Shell Sandbox?

Docker Sandboxes provides pre-configured environments for running AI coding agents like Claude Code, Gemini CLI, and others. But what if you want to run a different agent or tool that isn’t built-in?

That’s where the shell sandbox comes in. It’s a minimal sandbox that drops you into an interactive bash shell inside an isolated microVM. No pre-installed agent, no opinions — just a clean Ubuntu environment with Node.js, Python, git, and common dev tools. You install whatever you need.

## Why Run NanoClaw in a Sandbox?

NanoClaw already runs its agents in containers, so it’s security-conscious by design. But running the entire NanoClaw process inside a Docker sandbox adds another layer:

- Filesystem isolation – NanoClaw can only see the workspace directory you mount, not your home directory
- Credential management – API keys are injected via Docker’s proxy, never stored inside the sandbox
- Clean environment – No conflicts with your host’s Node.js version or global packages
- Disposability – Nuke it and start fresh anytime with `docker sandbox rm`

## Prerequisites

- Docker Desktop installed and running
- Docker Sandboxes CLI (`docker sandbox` command available) (v.0.12.0 available in the nightly build as of Feb 13)
- An Anthropic API key in an env variable

## Setting It Up

### Create the sandbox

Pick a directory on your host that will be mounted as the workspace inside the sandbox.
This is the only part of your filesystem the sandbox can see:

```bash
mkdir -p ~/nanoclaw-workspace
docker sandbox create --name nanoclaw shell ~/nanoclaw-workspace
```

### Connect to it

```bash
docker sandbox run nanoclaw
```

You’re now inside the sandbox – an Ubuntu shell running in an isolated VM. Everything from here on happens inside the sandbox.

### Install Claude Code

The shell sandbox comes with Node.js 20 pre-installed, so we can install Claude Code directly via npm:

```bash
npm install -g @anthropic-ai/claude-code
```

### Configure the API key

This is the one extra step needed in a shell sandbox. The built-in claude sandbox type does this automatically, but since we’re in a plain shell, we need to tell Claude Code to get its API key from Docker’s credential proxy:

```bash
mkdir -p ~/.claude && cat > ~/.claude/settings.json << 'EOF'
{
  "apiKeyHelper": "echo proxy-managed",
  "defaultMode": "bypassPermissions",
  "bypassPermissionsModeAccepted": true
}
EOF
```

What this does: `apiKeyHelper` tells Claude Code to run `echo proxy-managed` to get its API key. The sandbox’s network proxy intercepts outgoing API calls and swaps this sentinel value for your real Anthropic key, so the actual key never exists inside the sandbox. The other two keys start Claude Code in `bypassPermissions` mode with that mode already accepted, so inside the sandbox it acts without asking for approval and the sandbox boundary is what contains it.

### Clone NanoClaw and install dependencies

```bash
cd ~/workspace
git clone https://github.com/†/nanoclaw.git
cd nanoclaw
npm install
```

### Run Claude and set up NanoClaw

NanoClaw uses Claude Code for its initial setup – configuring WhatsApp authentication, the database, and the container runtime:

```bash
claude
```

Once Claude starts, run `/setup` and follow the prompts. Claude will walk you through scanning a WhatsApp QR code and configuring everything else.

### Start NanoClaw

After setup completes, start the assistant:

```bash
npm start
```

NanoClaw is now running and listening for WhatsApp messages inside the sandbox.
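
To check the API key step's claim that the real key never exists inside the sandbox, here is an added audit script (not from the original post or from the Docker or NanoClaw projects) that can be run inside the sandbox. The settings path and the `proxy-managed` sentinel come from the post; the function names are hypothetical, and matching real keys as `sk-ant-` followed by 20 or more characters is this example's heuristic.

```shell
#!/usr/bin/env bash
# Added example: audit a sandbox home directory for real key material.
# From the post: the settings path and the "proxy-managed" sentinel.
# Assumed here: real Anthropic keys look like "sk-ant-" plus 20+ characters.
KEY_RE='sk-ant-[A-Za-z0-9_-]{20,}'

# Succeeds only if apiKeyHelper in the given settings file echoes the sentinel.
helper_is_sentinel() {
  local settings="$1" helper
  [ -f "$settings" ] || return 2
  # Pull the string value out with sed so the check does not depend on jq.
  helper=$(sed -n 's/.*"apiKeyHelper"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$settings")
  [ "$helper" = "echo proxy-managed" ]
}

# Lists text files under a directory that contain a key-shaped string.
find_key_like() {
  grep -rIlE -e "$KEY_RE" "$1" 2>/dev/null || true
}

# Succeeds if no environment variable carries a key-shaped value.
env_is_clean() {
  ! env | grep -qE -e "$KEY_RE"
}

# Runs all three checks; returns non-zero if any of them fails.
audit_sandbox() {
  local home_dir="$1" rc=0 hits
  if ! helper_is_sentinel "$home_dir/.claude/settings.json"; then
    echo "FAIL: apiKeyHelper missing or not the sentinel"; rc=1
  fi
  hits=$(find_key_like "$home_dir")
  if [ -n "$hits" ]; then
    echo "FAIL: key-shaped strings in:"; echo "$hits"; rc=1
  fi
  if ! env_is_clean; then
    echo "FAIL: key-shaped value in the environment"; rc=1
  fi
  if [ "$rc" -eq 0 ]; then echo "OK: no real key material visible"; fi
  return "$rc"
}

# Run only when a directory is passed, e.g.: bash audit.sh "$HOME"
if [ "$#" -gt 0 ]; then audit_sandbox "$1"; fi
```

Because `~/workspace` is the directory mounted from the host, a hit under it means the key is also sitting in the host-side workspace folder.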

## Managing the Sandbox

```bash
# List all sandboxes
docker sandbox ls

# Stop the sandbox (stops NanoClaw too)
docker sandbox stop nanoclaw

# Start it again
docker sandbox start nanoclaw

# Remove it entirely
docker sandbox rm nanoclaw
```

## What Else Could You Run?

The shell sandbox isn’t specific to NanoClaw. Anything that runs on Linux and talks to AI APIs is a good fit:

- Custom agents built with the Claude Agent SDK or any other AI agent: Claude Code, Codex, GitHub Copilot, OpenCode, Kiro, and more.
- AI-powered bots and automation scripts
- Experimental tools you don’t want running on your host

The pattern is always the same: create a sandbox, install what you need, configure credentials via the proxy, and run it.

```bash
docker sandbox create --name my-shell shell ~/my-workspace
docker sandbox run my-shell
```