Multi-Agent gVisor Isolation

What happened
Google’s gVisor team has shown off a triple-agent demo that sandboxes OpenClaw, PicoClaw and Hermes Agent — each in its own gVisor container — coordinating over a self‑hosted Matrix.org server and driven by local inference via Ollama. The setup runs browser-driven tasks (Chrome-in-container), web crawling, code execution and GitHub interactions, all isolated inside gVisor sandboxes. The blog post frames the project as a proof of concept: cool, not necessarily practical.
How they built it
The demo was assembled on a GPU‑equipped g2‑standard‑96 GCE VM (the writeup notes any similar Linux+GPU host would do). OpenClaw was extended with Chrome so the agent can render pages and take screenshots; Ollama provides GPU inference for three different models; PicoClaw is used as a minimal agent with GitHub skills; and Hermes Agent is deployed with sandboxed browser, crawler and execution capabilities. It has been reported that PicoClaw was also tested on arm64 Raspberry Pi 4 Model B under gVisor. Allegedly, the Hermes Agent repo was the top GitHub repo highlighted in the post — a nice bit of meta-humor if true.
The technical and security notes
The team points out important runtime tweaks: Docker-in-gVisor requires runsc flags such as --net-raw=true and --allow-packet-socket-write=true, plus a secondary runtime and host Unix domain socket (UDS) exposure so that a Docker daemon socket can be exported into another sandbox. The post also stresses a key reassurance: the OpenClaw image runs as root inside the container, but “root” under gVisor does not imply host‑level root access. For anyone tempted to copy the demo, the authors explicitly recommend tightening Matrix authentication and other defaults before any real deployment.
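A defender-side check for the runtime split described above, added here as an example and not taken from the gVisor post: it reads a Docker daemon.json and reports which runsc runtimes carry the relaxed flags, so they stay confined to the secondary runtime. The runtime names, binary path and sample config are constructed, and --host-uds is assumed to be the runsc flag behind the post's "host UDS exposure".

```python
import json

# Flags the page names for Docker-in-gVisor, plus host UDS exposure.
# Assumption: "--host-uds" is the runsc flag behind "host UDS exposure".
RELAXING = ("--net-raw", "--allow-packet-socket-write", "--host-uds")

def relaxed_flags(args):
    """Return the sandbox-relaxing flags that are switched on in runtimeArgs."""
    found = []
    for arg in args:
        name, _, value = arg.partition("=")
        if name not in RELAXING:
            continue
        # A bare boolean flag means true; "false" or host-uds=none means off.
        if value.lower() in ("false", "none"):
            continue
        found.append(arg)
    return found

def audit(daemon_json):
    """Map each runsc-backed runtime to its relaxed flags; warn on a risky default."""
    cfg = json.loads(daemon_json)
    report = {}
    for name, rt in cfg.get("runtimes", {}).items():
        if rt.get("path", "").rsplit("/", 1)[-1] != "runsc":
            continue  # not a gVisor runtime
        report[name] = relaxed_flags(rt.get("runtimeArgs", []))
    default = cfg.get("default-runtime", "runc")  # Docker falls back to runc
    warnings = []
    if report.get(default):
        warnings.append(f"default runtime '{default}' carries relaxed flags")
    if default not in report:
        warnings.append(f"default runtime '{default}' is not gVisor")
    return report, warnings

# Constructed sample: strict runtime for agents, relaxed one for Docker-in-gVisor.
# "runsc-dind" and the binary path are hypothetical names.
SAMPLE = json.dumps({
    "default-runtime": "runsc",
    "runtimes": {
        "runsc": {"path": "/usr/local/bin/runsc"},
        "runsc-dind": {
            "path": "/usr/local/bin/runsc",
            "runtimeArgs": ["--net-raw=true", "--allow-packet-socket-write=true",
                            "--host-uds=all"],
        },
    },
})

if __name__ == "__main__":
    print(audit(SAMPLE))
```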
Why it matters
This isn’t a production blueprint. It’s a showcase — a sandbox circus, if you will — that demonstrates gVisor’s growing compatibility with agent frameworks and complex, multi‑component stacks. The larger point is compelling: as agentic systems proliferate, flexible sandboxing that can contain browsers, inference servers, and nested container runtimes becomes meaningful. The demo asks an interesting question out loud: if you can sandbox everything, what new architectures become possible — and what new risks do we need to think about?
Sources: gvisor.dev, Lobsters