Public beta

Cage your AI agents before
they rage against your machine

Clawcage runs every AI agent in an air-gapped Linux VM on your Mac. Full network inspection, credential isolation and kill-switch control.

macOS 13+ · Apple Silicon · Free & open source

Features

Built for AI safety

Caged Claw
Open Source

Made to host any claw of your choice

You are not vendor locked to a specific claw — run any AI agent of your choice.

Claude Code · Gemini · Codex · OpenClaw
+ any agent you want

Air-Gapped Sandbox

Every AI agent runs in a full Linux VM with no direct internet access. Traffic is routed through a MITM proxy with domain-level allow/block policies.

Guest VM: clawcage-pty-agent · clawcage-net-proxy · clawcage-sys-watch
vsock
Host: MITM proxy · Policy engine · Credential vault

Full Visibility

See every HTTP request, tool call, and file change in real time.

Method · Request · Status
POST · api.anthropic.com/v1/messages · allowed
GET · pypi.org/simple/requests/ · allowed
POST · exfil.evil.com/steal · denied

Credential Isolation

API keys never enter the guest VM. The proxy injects credentials on the host side.

ANTHROPIC_API_KEY · blocked in VM
host injects at proxy
x-api-key: sk-ant-*** · injected

Network Policy Engine

Granular domain allow/block lists with HTTP method+path rules. Corp policies override user settings. Hot-reload without restarting.

Domain · Action · Methods
api.anthropic.com · allow · POST
*.openai.com · allow · POST, GET
pypi.org · allow · GET
*.evil.com · block · *
raw.githubusercontent.com · allow · GET
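
How a rule table like this can be evaluated, as an added example (not Clawcage's own code). Assumptions: "*.suffix" matches subdomains only, a block beats an allow within a tier, the corp tier is consulted before the user tier, unlisted hosts are denied, and path rules are left out; the Rule type, function names and the corp rule are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    domain: str     # exact host, or "*.suffix" for any subdomain
    action: str     # "allow" or "block"
    methods: tuple  # HTTP methods, ("*",) means any method

# User tier: the rows of the table above.
USER_RULES = (
    Rule("api.anthropic.com", "allow", ("POST",)),
    Rule("*.openai.com", "allow", ("POST", "GET")),
    Rule("pypi.org", "allow", ("GET",)),
    Rule("*.evil.com", "block", ("*",)),
    Rule("raw.githubusercontent.com", "allow", ("GET",)),
)
# Corp tier: constructed sample rule, used to show the override.
CORP_RULES = (Rule("raw.githubusercontent.com", "block", ("*",)),)

def host_matches(pattern: str, host: str) -> bool:
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        # Compare against ".suffix" so "notevil.com" cannot match "*.evil.com".
        return host.endswith(pattern[1:].lower())
    return host == pattern.lower()

def method_matches(rule: Rule, method: str) -> bool:
    return "*" in rule.methods or method.upper() in rule.methods

def decide(method: str, host: str, corp=(), user=USER_RULES) -> str:
    for tier in (corp, user):  # assumption: corp rules are checked first
        hits = [r for r in tier if host_matches(r.domain, host)]
        if not hits:
            continue  # this tier has no opinion, fall through to the next
        if any(r.action == "block" and method_matches(r, method) for r in hits):
            return "denied"
        if any(r.action == "allow" and method_matches(r, method) for r in hits):
            return "allowed"
        return "denied"  # host is listed, but not for this method
    return "denied"      # assumption: default deny for unlisted hosts

if __name__ == "__main__":
    # The three requests shown under "Full Visibility".
    for m, h in (("POST", "api.anthropic.com"), ("GET", "pypi.org"),
                 ("POST", "exfil.evil.com")):
        print(m, h, decide(m, h))
```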

Native Terminal

Full xterm.js terminal with multi-shell support, dynamic resize, and natural interaction.

shell-0 · shell-1 · shell-2
root@clawcage:~/project$ python train.py
Epoch 1/10 ████████░░ 80% [loss: 0.342]

Live System Metrics

Real-time CPU, memory, and disk usage charts from the guest VM.

CPU 23% · RAM 856 MB / 2 GB · Disk 3.0 / 10 GB

AI Usage Analytics

Track token usage, costs, and model calls per provider.

claude-4-sonnet · 1.2M
gpt-4o · 680K
gemini-2.5 · 190K

Ephemeral by Default

VMs are stateless — the scratch disk is formatted fresh every boot. No writes survive across sessions.

Session A
~/project/model.py · ~/project/data.csv · ~/project/.env
reboot
Session B
~/project/model.py · ~/project/data.csv · ~/project/.env
clean slate
How it works

Zero to sandbox in 10 seconds

Step 1

Create an environment

Pick a template, set hardware limits, and optionally add your API keys. Each environment is a fully isolated VM.

Step 2

Run your AI agent

Launch Claude, Codex, Gemini, or any tool. It runs inside the VM with no direct internet access.

Step 3

Observe everything

Watch every network request, tool call, and file change in real time. Block or allow domains on the fly.

Step 4

Stay in control

Credential isolation keeps your API keys safe. Ephemeral VMs ensure nothing persists beyond the session.

Pricing

Free forever. Pro when you need it.

Open Source
$0 forever

Everything you need to sandbox AI agents locally.

  • Unlimited local VMs
  • Air-gapped sandbox with MITM proxy
  • Network policy engine
  • Credential isolation
  • Full telemetry & analytics
  • Bring your own API keys
Download
Maybe?
Pro
Maybe?

Managed infrastructure so you don't have to bring your own.

  • Everything in Open Source
  • Managed AI inference endpoints
  • Managed VPN for sandboxed traffic
  • No API keys needed
  • Usage dashboard & billing
  • Priority support

Ready to sandbox your AI?

Free, open source, and built for developers who want full control over their AI agents.