strangeClaw is a new open-source project that runs an AI agent inside a Firecracker microVM, putting a KVM-backed, hardware-enforced boundary between the autonomous agent and its host system. The project, posted to Hacker News on June 10, targets one of the most pressing problems with modern AI agents: credential exposure. Rather than running tools directly on the host, where API keys, secrets, and the filesystem are all within reach, strangeClaw keeps risky operations inside an isolated VM that never touches the user's credentials or sensitive data.

The core innovation is a request broker that lives entirely on the host side of the VM boundary. When the agent inside the microVM needs to make an authenticated API call (say, searching the web via a paid service), it sends the intent to the broker with no secrets attached. The broker checks its policy rules, injects the appropriate credentials from a secrets.yaml file, makes the request, redacts sensitive data from the response, and hands back only the sanitized result. When a policy blocks a request the agent observes the denial, but at no point does it hold an API key.

The project implements two execution modes. Yolo mode runs the agent loop directly on the host with full filesystem access, useful for trusted local workflows where you want maximum flexibility. Fire mode activates the Firecracker microVM isolation layer: the guest has no visibility into the host filesystem, and every external API call is routed through the credential broker. The strict agentic loop follows an Inspect → Choose → Act → Observe → Repeat pattern that runs until the model finishes its task, asks for clarification, or decides to replan.

strangeClaw is provider-agnostic with respect to LLMs, using LiteLLM as a proxy layer. In Fire mode, LLM credentials also stay on the host, behind a dedicated host-side LLM proxy, so even your model API keys never enter the guest environment.
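To make the broker flow concrete, here is a small Python model of a host-side request broker, written for this article as an added illustration; it is not strangeClaw's code, and the secret store, the policy table, the Request/Response types, and the leaky upstream API it talks to are all constructed here. It walks the steps the description above lays out: a guest request arrives without credentials, policy is checked, the credential is injected on the host, and the upstream response is scrubbed before anything crosses back into the guest. It also covers two cases a practitioner would want handled: a guest that tries to supply its own Authorization header is refused, and credentials are never injected into a plaintext http request.

```python
"""Toy host-side credential broker: an added illustration, not strangeClaw's code.

Everything below (secret store, policy table, request/response types, and the
leaky upstream API) is constructed for the example so it runs offline.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed stand-in for the host's secrets.yaml. The guest never sees this.
SECRETS = {
    "search_api": {"header": "Authorization", "value": "Bearer sk-example-123456"},
}

# Constructed allow-list policy: anything not matched here is denied.
POLICY = [
    {"host": "api.search.example", "methods": {"GET"},
     "path_prefix": "/v1/search", "secret": "search_api"},
]

# Headers the guest must never set itself; attaching credentials is the broker's job.
CREDENTIAL_HEADERS = {"authorization", "cookie", "x-api-key"}


@dataclass
class Request:
    method: str
    url: str
    headers: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str
    headers: dict = field(default_factory=dict)


def match_policy(req):
    """Return (rule, None) on a match, or (None, reason) the guest is allowed to see."""
    parts = urlsplit(req.url)
    if parts.scheme != "https":
        return None, "denied: credentials are only injected over https"
    for rule in POLICY:
        if (parts.hostname == rule["host"]
                and req.method in rule["methods"]
                and parts.path.startswith(rule["path_prefix"])):
            return rule, None
    return None, f"denied: no policy allows {req.method} {parts.hostname}{parts.path}"


def redact(text):
    """Scrub every known secret value out of text before it is returned to the guest."""
    for secret in SECRETS.values():
        text = text.replace(secret["value"], "[REDACTED]")
    return text


def broker(req, transport):
    """Mediate one guest request: policy check, inject credential, call, redact."""
    if any(name.lower() in CREDENTIAL_HEADERS for name in req.headers):
        return Response(403, "denied: guest may not supply credentials")
    rule, reason = match_policy(req)
    if rule is None:
        return Response(403, reason)
    secret = SECRETS[rule["secret"]]
    headers = dict(req.headers)
    headers[secret["header"]] = secret["value"]       # injected on the host only
    upstream = transport(Request(req.method, req.url, headers))
    return Response(
        upstream.status,
        redact(upstream.body),
        {name: redact(value) for name, value in upstream.headers.items()},
    )


def leaky_upstream(req):
    """Constructed upstream that echoes its Authorization header back, as a
    misconfigured or malicious API might; the redaction step has to catch it."""
    auth = req.headers.get("Authorization", "<none>")
    body = '{"results": ["hit"], "echoed_auth": "%s"}' % auth
    return Response(200, body, {"X-Debug-Auth": auth})


def demo():
    """Exercise the allowed path and three denials; returns the four responses."""
    allowed = broker(Request("GET", "https://api.search.example/v1/search?q=firecracker"),
                     leaky_upstream)
    wrong_host = broker(Request("GET", "https://evil.example/v1/search"), leaky_upstream)
    plaintext = broker(Request("GET", "http://api.search.example/v1/search"), leaky_upstream)
    self_auth = broker(Request("GET", "https://api.search.example/v1/search",
                               {"Authorization": "Bearer guessed"}), leaky_upstream)
    return allowed, wrong_host, plaintext, self_auth


if __name__ == "__main__":
    for resp in demo():
        print(resp.status, resp.body, resp.headers)
```

The point of the leaky upstream is that redaction is not optional: an API that reflects request headers, a verbose error page, or an attacker-controlled endpoint matched by an over-broad policy would otherwise hand the key straight to the guest. A real broker would sit on the host's side of the TAP interface, speak HTTP with a proper client, and load its policy and secrets from files rather than module constants, but the order of operations is the part that matters.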
The project supports CLI and Telegram adapters, skills loaded from markdown files in a skills//SKILL.md format following the Agent Skills specification, per-session state management, output file persistence, optional event journals, and Fire runtime log export for debugging.

Current Limitations

The project is explicitly marked as work-in-progress and not production-ready. Fire mode requires Linux with KVM support plus elevated privileges for TAP and iptables network management. Rootfs images must be rebuilt whenever guest code, built-in skills, or guest dependencies change—no hot-reloading of agent capabilities in the current version. Sessions cannot resume across VM restarts since files only persist while a session is actively running. The developer acknowledges that shell access is powerful but high-risk, recommending Yolo mode exclusively for trusted workflows and careful review of tool settings before running untrusted tasks.

Future Work

The roadmap includes expanding built-in skills focused on coding workflows, research tasks, and personal knowledge management. More integration-focused skills with broker policy examples for common APIs are planned. The developer wants to improve custom skill delivery in Fire mode without requiring rootfs rebuilds. Additional adapters beyond CLI and Telegram, plus better observability features like session replay and debugging tools, round out the planned improvements.

Key Takeaways

  • strangeClaw runs an autonomous agent inside a Firecracker microVM for hardware-enforced sandboxing
  • A host-side request broker handles credential injection and response redaction—agents never hold secrets directly
  • Two modes: Yolo (direct host execution) and Fire (full VM isolation with no host filesystem access)
  • LiteLLM provides provider-agnostic LLM access; even model API keys stay on the host in Fire mode
  • Project is experimental, requires Linux/KVM, and is not ready for production deployment

The Bottom Line

This is exactly the kind of thinking the agent ecosystem needs right now. Running an AI agent inside a microVM isn't just theoretical protection—it addresses real attack surfaces that exist today when agents get API keys and filesystem access by default. Whether strangeClaw itself becomes widely adopted or inspires similar architectures, the core idea—that your credentials should live on one side of a hardware boundary and never cross into an environment you don't control—is fundamentally sound. Worth watching. The project is MIT licensed with full source available on GitHub at github.com/itsthestranger/strangeClaw.