strangeClaw
Autonomous AI agent operating securely in Firecracker microVMs.
Pitch

strangeClaw is an autonomous AI agent for builders who want automation without handing an AI process their host system or secrets. It runs fully agentic tasks inside a Firecracker microVM, while credentials and keys stay host-side behind brokered services. The result is a minimal, provider-agnostic architecture focused on secure tool use, credential isolation, and practical extensibility.

Description

strangeClaw is a minimal, self-hosted autonomous AI agent experiment focused on secure tool use, credential isolation, and Firecracker-based sandboxing.

The core idea is simple: let the agent work autonomously, but keep the risky part inside a real sandbox. In fire mode, strangeClaw runs the agent inside a Firecracker microVM. The guest environment has no host filesystem access, no API credentials, and no LLM provider keys. Sensitive operations are handled by host-side services that enforce policy, inject credentials only when allowed, and redact results before returning them to the agent.

Why strangeClaw Exists

Most agent systems start by giving the model powerful tools, shell access, API access, and sometimes credentials, then try to manage the risk afterward.

strangeClaw explores a different architecture: isolate the agent’s execution environment and keep secrets outside of it. The agent can still plan, write code, call tools, fetch web data, and interact with external APIs, but credentials and policy enforcement remain host-side.

The project is intended for developers, researchers, and technically curious users exploring autonomous agents, secure tool use, sandboxed execution, and microVM-based isolation in a small, inspectable codebase.

Key Features

  • Firecracker microVM sandboxing: In fire mode, the agent runs inside a dedicated Firecracker microVM. Risky tool use, code execution, and file writes happen away from the host filesystem.

  • Host-side credential broker: API credentials live on the host, not in the sandbox. The request broker validates outgoing API calls against host-defined policy, injects credentials only after approval, and redacts responses before the agent observes them.

  • Host-side LLM proxy: LLM provider keys stay host-side. In fire mode, the guest calls a host-side LLM service instead of holding model credentials itself.

  • Fully agentic task execution: The agent can plan, use tools, observe results, ask clarifying questions when needed, and continue working autonomously until the task is complete or blocked.

  • Provider-agnostic model access: LLM access is normalized through LiteLLM on the host side, making it possible to use different cloud or local model providers without tying the architecture to one vendor.

Security Model

strangeClaw does not try to make arbitrary tool use harmless. Instead, it experiments with limiting where risky behavior can happen and where secrets can exist.

In fire mode:

  • The agent runs inside a microVM.
  • The guest has no host filesystem mount.
  • API credentials remain on the host.
  • LLM keys remain on the host.
  • Authenticated API calls go through the request broker.
  • Broker denials are returned as observations, so the agent can adapt without receiving secrets.
  • Output files are explicitly exported back to the host when a task finishes.
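The broker behaviour listed above (validate the outgoing call against host-defined policy, inject the credential only after approval, redact the response, return denials as observations) as an added example in Python. This is not strangeClaw's code: the policy table, the secret store, the `broker` function and the echoing `fake_transport` stand-in are all constructed for illustration. The same shape covers the host-side LLM proxy, which is just a policy entry whose injected credential is the provider key.

```python
"""Added example: a minimal host-side request broker in the style the page
describes. Not strangeClaw's code; Policy, POLICIES, SECRETS, broker() and
fake_transport() are assumptions made for this illustration."""
from dataclasses import dataclass
from urllib.parse import urlsplit
import json

# Constructed host-side secret store. These values must never reach the guest.
SECRETS = {
    "github_token": "ghp_EXAMPLE_NOT_A_REAL_TOKEN",
    "openai_key": "sk-EXAMPLE_NOT_A_REAL_KEY",
}

# Headers the guest may not set itself: authentication is the broker's job.
RESERVED_HEADERS = {"authorization", "cookie", "x-api-key"}
# Response headers that can carry session material; dropped before the
# agent observes the result.
REDACTED_RESPONSE_HEADERS = {"set-cookie", "www-authenticate"}


@dataclass(frozen=True)
class Policy:
    host: str            # exact upstream host this rule applies to
    methods: frozenset   # allowed HTTP methods
    path_prefix: str     # allowed path prefix
    secret_name: str     # key into SECRETS
    header: str          # header the credential is injected into
    template: str        # e.g. "Bearer {secret}"


# Constructed host-defined policy: only these calls ever get a credential.
POLICIES = [
    Policy("api.github.com", frozenset({"GET"}), "/repos/",
           "github_token", "Authorization", "Bearer {secret}"),
    Policy("api.openai.com", frozenset({"POST"}), "/v1/chat/completions",
           "openai_key", "Authorization", "Bearer {secret}"),
]


def deny(reason):
    """A denial is an observation: the agent learns why, never the secret."""
    return {"status": "denied", "reason": reason}


def redact(text):
    """Scrub every host secret value from anything handed back to the guest,
    so an upstream that echoes request headers cannot leak the credential."""
    for value in SECRETS.values():
        text = text.replace(value, "[REDACTED]")
    return text


def match_policy(method, url):
    """Return the single policy that permits this call, or None."""
    parts = urlsplit(url)
    if parts.scheme != "https":          # never inject a secret over plaintext
        return None
    for p in POLICIES:
        if (parts.hostname == p.host and method.upper() in p.methods
                and parts.path.startswith(p.path_prefix)):
            return p
    return None


def broker(request, transport):
    """Validate a guest request, inject the credential, send it through
    transport(method, url, headers, body) -> (status, headers, body), and
    redact the response before it becomes an observation."""
    method = request.get("method", "GET")
    url = request.get("url", "")
    headers = dict(request.get("headers", {}))
    if any(k.lower() in RESERVED_HEADERS for k in headers):
        return deny("guest may not set authentication headers")
    policy = match_policy(method, url)
    if policy is None:
        return deny(f"{method} {url} is not permitted by host policy")
    secret = SECRETS[policy.secret_name]
    headers[policy.header] = policy.template.format(secret=secret)
    status, resp_headers, body = transport(method, url, headers, request.get("body"))
    clean_headers = {k: redact(v) for k, v in resp_headers.items()
                     if k.lower() not in REDACTED_RESPONSE_HEADERS}
    return {"status": "ok", "http_status": status,
            "headers": clean_headers, "body": redact(body)}


def fake_transport(method, url, headers, body):
    """Constructed stand-in for the network: echoes the request headers back
    (the worst case for a leaky upstream) and tries to set a session cookie."""
    echoed = json.dumps({"method": method, "url": url, "headers": headers})
    return 200, {"Content-Type": "application/json",
                 "Set-Cookie": "session=abc123"}, echoed


if __name__ == "__main__":
    print(broker({"method": "GET",
                  "url": "https://api.github.com/repos/octocat/hello"},
                 fake_transport))
    print(broker({"method": "DELETE",
                  "url": "https://api.github.com/repos/octocat/hello"},
                 fake_transport))
```

The two checks that matter most are the ones a naive proxy skips: the guest is refused if it tries to supply its own `Authorization` header (otherwise an agent could smuggle a guessed or previously observed token past policy), and the response body is scrubbed for every secret value, not just the obvious headers, because the upstream's behaviour is outside the host's control.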

Current Limitations

strangeClaw is a work in progress and not production-ready.

Current limitations include:

  • fire mode requires Linux with KVM support.
  • Firecracker networking setup may require elevated privileges for TAP and firewall configuration.
  • Custom guest code, dependencies, and bundled skills currently require rebuilding the Fire root filesystem.
  • fire sessions are persistent only while the VM is running; resume across stopped fire sessions is not supported.
  • The shell tool gives the agent arbitrary command execution inside the guest; enable it only when the workflow actually needs it.

Future Direction

Future work includes expanding the built-in skill set, improving custom skill delivery in fire mode, adding more adapters, strengthening observability, and improving session replay/debugging.

strangeClaw is an experiment in making autonomous agents more practical by making the boundary around them clearer: the agent can act, but the host keeps control of secrets, policy, and isolation.
