ClamBot: AI Agent Runs LLM-Generated Code in WASM Sandbox for Security

What ClamBot Does
ClamBot is an AI agent framework that addresses security concerns with existing agent frameworks by running all LLM-generated code in a WebAssembly sandbox instead of using exec() or subprocess calls. The creator built it after trying frameworks that execute arbitrary code directly on the host machine, citing examples like LangChain having a CVE for this approach, AutoGen shelling out with subprocess, and SWE-Agent running bash commands from the model.
Technical Implementation
ClamBot is built on top of amla-sandbox, a WASM sandbox that uses QuickJS in Wasmtime. The LLM writes JavaScript code that runs in a memory-isolated sandbox with zero network access. Every tool call (HTTP, filesystem, cron) must pass through an approval gate back in Python. No Docker or VM is required - it runs as one binary.
Key Features
- Sandbox Security: All code runs in WASM - cannot touch host memory or network
- Approval Gate: SHA-256 fingerprinted approval gate on every tool call with pre-approve patterns (e.g., "allow web_fetch for api.coinbase.com")
- Clam Reuse: Successful scripts get saved as "clams" and can be reused, reducing API costs for repeated requests
- Multi-Provider Support: OpenRouter, Anthropic, OpenAI, Gemini, DeepSeek, Groq, Ollama
- Telegram Integration: Telegram bot with inline approval buttons
- Additional Features: Persistent memory, cron scheduling, SSRF protection that blocks private IPs, secrets never appear in logs/tool args/traces
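The approval gate and SSRF check from the list above can be sketched as follows. This is an added example, not ClamBot's own code: the canonical-JSON fingerprint, the (tool, hostname) rule format and the names `ApprovalGate`, `fingerprint` and `is_blocked_ip_literal` are assumptions made for illustration.

```python
import hashlib
import ipaddress
import json
from urllib.parse import urlsplit

# Constructed pre-approval rules: (tool name, exact hostname) pairs.
PREAPPROVED = {("web_fetch", "api.coinbase.com")}


def fingerprint(tool, args):
    """SHA-256 over canonical JSON, so key order cannot change the hash."""
    canonical = json.dumps({"tool": tool, "args": args},
                           sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def is_blocked_ip_literal(host):
    """True for IP-literal hosts outside globally routable space."""
    try:
        return not ipaddress.ip_address(host).is_global
    except ValueError:
        return False  # DNS name: resolved addresses still need checking at connect time


class ApprovalGate:
    def __init__(self, preapproved=PREAPPROVED):
        self.preapproved = set(preapproved)
        self.approved = set()  # fingerprints a human has approved

    def approve(self, fp):
        self.approved.add(fp)

    def check(self, tool, args):
        """Return (decision, fingerprint); decision is allow, deny or ask."""
        fp = fingerprint(tool, args)
        host = ""
        if "url" in args:
            try:
                host = urlsplit(str(args["url"])).hostname or ""
            except ValueError:
                host = ""  # malformed URL
            if not host or is_blocked_ip_literal(host):
                return "deny", fp
        if fp in self.approved or (tool, host) in self.preapproved:
            return "allow", fp
        return "ask", fp
```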
Example Workflow
User asks: "what are the top movers on binance?" The sandbox executes JavaScript → makes http_request to Binance API → goes through approval gate → returns result. The bot responds with the top 10 movers on Binance by 24h change.
Getting Started
```bash
git clone https://github.com/clamguy/clambot.git
cd clambot
uv run clambot onboard
uv run clambot agent
```
Stack and Scale
The project is built with Python + QuickJS/Wasmtime, contains approximately 10K lines of code, and was inspired by OpenClaw and nanobot. The creator built it because they wanted "an AI agent I could actually trust on my server."
📖 Read the full source: r/openclaw