Background
OpenClaw implements Docker-based session sandboxing: non-main sessions (groups, channels) can be isolated in per-session Docker containers where bash executes inside Docker rather than on the host. This provides strong filesystem and process isolation for untrusted sessions.
Hermes Agent's terminal_tool.py currently executes bash directly on the host for all sessions. There is an execute_code sandbox but it's Python-only and not integrated with the terminal tool for shell sessions.
Proposal
Add optional Docker sandbox mode for terminal sessions, similar to OpenClaw's approach:
- Config: Add
execution.sandbox.mode: "docker"|"host" to config.yaml
- Per-session isolation: Non-main sessions (Telegram groups, Discord servers, etc.) run in Docker; main CLI session stays on host
- Sandbox defaults: Allowlist
bash, read, write; denylist browser, canvas, cron, gateway for sandboxed sessions
- Tool policy: Sandboxed sessions cannot invoke dangerous tools (file write outside workspace, etc.)
References
- OpenClaw:
agents.defaults.sandbox.mode + Docker exec for non-main sessions
- OpenClaw security model:
docs/gateway/security
Background
OpenClaw implements Docker-based session sandboxing: non-main sessions (groups, channels) can be isolated in per-session Docker containers where bash executes inside Docker rather than on the host. This provides strong filesystem and process isolation for untrusted sessions.
Hermes Agent's
terminal_tool.pycurrently executes bash directly on the host for all sessions. There is anexecute_codesandbox but it's Python-only and not integrated with the terminal tool for shell sessions.Proposal
Add optional Docker sandbox mode for terminal sessions, similar to OpenClaw's approach:
execution.sandbox.mode: "docker"|"host"toconfig.yamlbash,read,write; denylistbrowser,canvas,cron,gatewayfor sandboxed sessionsReferences
agents.defaults.sandbox.mode+ Docker exec for non-main sessionsdocs/gateway/security