Lean-verified multi-agent sandboxing for OpenClaw and NemoClaw
Project description
BoxClaw SDK
Zero-Trust Runtime Execution Sandboxing for AI Agents
The boxclaw SDK acts as the execution-environment boundary for LLMs operating inside agent frameworks (like OpenClaw, LangChain, or custom OpenAI scripts). By wrapping standard Python operations in our native OS-Hooks (sys.addaudithook), any AI acting through the functions decorated with our @boxclaw_guardrail must provide mathematical or deterministic proof that its intended behavior adheres to local security invariants.
This is fundamentally different from semantic guardrails (which scan text output for bad words). BoxClaw catches real OS system calls, FFI loads (like ctypes), network requests, and filesystem writes at the CPython Virtual Machine level.
Installation
pip install boxclaw
Usage
Agent frameworks often grant LLMs unrestricted access to local system resources (e.g., executing arbitrary Bash commands or running generated Python scripts). BoxClaw allows you to restrict the AI to authorized capabilities only.
To set it up, simply wrap the function your Agent uses with the @boxclaw_guardrail and declare exactly what operations it is allowed to perform.
Example: Securing a File Agent
from boxclaw import boxclaw_guardrail
import subprocess
import os
# Limit the agent strictly to Network requests.
# It is completely blocked from modifying the File System or running Bash Commands.
@boxclaw_guardrail(agent_id="web-crawler-bot", required_capabilities=["network_send"])
def agent_execute(llm_generated_code: str):
# DANGEROUS! If the LLM generates malicious code here (e.g. `import os; os.system('rm -rf /')`),
# BoxClaw will instantly catch the deep OS call and throw a PermissionError Exception.
exec(llm_generated_code)
try:
# ❌ This will trigger the Sandbox Security Guard and throw an exception
# because the agent ONLY has network_send capabilities.
malicious_ai_action = "with open('stolen_data.txt', 'w') as f: f.write('secret')"
agent_execute(malicious_ai_action)
except Exception as e:
print(f"Blocked by BoxClaw: {e}")
Security Capabilities
You can specify specific scopes to limit your LLMs strictly to the tasks you hired them to do:
system_execute: Blocks arbitrary subprocess commandsnetwork_send: Blocks unauthorized HTTP/socket connectionswrite_fs: Prevents the agent from modifying the filesystemffi_load: Mathematically blocks C-Extensions /ctypessandbox escapes
Links
- PyPI Package: https://pypi.org/project/boxclaw/
- GitHub Repository: https://github.com/certior/boxclaw
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file boxclaw-0.1.3.tar.gz.
File metadata
- Download URL: boxclaw-0.1.3.tar.gz
- Upload date:
- Size: 12.5 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.9
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
0b18d16625421f2e7a218aaf9b9e5d47fc58205967035e1a74952d7755907cf5
|
|
| MD5 |
ceea0e3aeb120660ff03bef857acdaeb
|
|
| BLAKE2b-256 |
c32287a6fa1cd0e1467aeba9b5dfc7563b8eb66c8749dc7ce02701e75f6b41bc
|
File details
Details for the file boxclaw-0.1.3-py3-none-any.whl.
File metadata
- Download URL: boxclaw-0.1.3-py3-none-any.whl
- Upload date:
- Size: 15.0 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.9
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
94741bf916a032cc5c087770d1903446247d2bff373684c0a1406cb3f4056b9d
|
|
| MD5 |
f75fd38de30492acb2ee9d20d53f295e
|
|
| BLAKE2b-256 |
bf52bf2f00c7624be83ab5a52589ecadc128910f67add197eb47f20ffea8237c
|
