alt Hacker NewsI rushed out nono.sh (the opposite of yolo!) in response to this and its already negated a few gateway attacks.
It uses kernel-level security primitives (Landlock on Linux, Seatbelt on macOS) to create sandboxes where unauthorized operations are structurally impossible. API keys are also stored in apples secure enclave (or the kernel keyring in linux) , and injected at run time and zeroized from memory after use. There is also some blocking of destructive actions (rm -rf ~/)
its as simple to run as: nono run --profile openclaw -- openclaw gateway
You can also use it to sandbox things like npm install:
nono run --allow node_modules --allow-file package.json package.lock npm install pkg
Its early in, there will be bugs! PR's welcome and all that!
Replies
Obviously I'm biased but this looks really useful.
Why not use containers (eg. Podman) with secrets management?
Is this better than using sandbox-exec (on mac) directly?
Heads up that your url is wrong. Should be https://nono.sh