Multi-Agent Sandbox

Set up sandboxed agents that collaborate with agents from other OpenClaw gateways via Discord and a shared VPS, without exposing private data.

Architecture

CODEBLOCK0

Three pillars: socat bridges (container → host → VPS), Tailscale mesh VPN (private networking), Discord + sessions_send (inter-agent communication).

Prerequisites

- OpenClaw running with Docker sandbox support
Tailscale installed on all machines (server A + VPS + server B)
A Discord bot token per sandbox agent (https://discord.com/developers/applications)
A shared VPS accessible via Tailscale

Step 1 — Create the Sandbox Agent

Add to openclaw.json under agents.list:

CODEBLOCK1

Key constraints:

- sandbox.mode: "all" — all exec runs through Docker, never on host
readOnlyRoot: true — container filesystem is immutable except workspace
tools.deny — no gateway (can't modify config), no cron (can't schedule on host)
scope: "agent" — isolated container per agent (valid values: session | agent | shared)

Step 2 — A2A Permissions (Hub-Spoke Pattern)

Configure bidirectional communication using per-agent outbound allowlists (PR #39102):

CODEBLOCK2

Result: sandbox → main-agent ✅ | sandbox → other-sandbox ❌ | main-agent → anyone ✅

Both agents also need subagents.allowAgents for sessions_spawn:

CODEBLOCK3

Must be set on BOTH agents. Forgetting one direction = silent "access denied" errors.

Step 3 — Add SSH to Docker Image

The default sandbox image lacks SSH. Edit Dockerfile.sandbox:

CODEBLOCK4

Rebuild and force-recreate containers:

CODEBLOCK5

Step 4 — Socat Bridges

Two bridges on each host. Always bind on 172.17.0.1 (docker0), never 0.0.0.0.

Bridge 1: Container → Gateway (local)

CODEBLOCK6

Bridge 2: Container → VPS SSH (via Tailscale)

CODEBLOCK7

Enable, start, and open firewall:

CODEBLOCK8

The VPS bridge depends on Tailscale (Wants=tailscaled.service). Without this, socat tries to connect before the Tailscale interface exists — silent failure.

Step 5 — Discord Multi-Bot

Create a Discord bot

1. https://discord.com/developers/applications → New Application
Bot → Reset Token → copy
Enable all 3 Privileged Gateway Intents (MESSAGE CONTENT, SERVER MEMBERS, PRESENCE)
Invite: INLINECODE16

Configure in openclaw.json

CODEBLOCK9

Agent routing bindings

CODEBLOCK10

requireMention: true is non-negotiable on shared guilds. Without it, two bots respond to each other = infinite loop + astronomical token bill.

Step 6 — Tailscale

Install on all machines:

CODEBLOCK11

The --ssh flag enables Tailscale SSH (identity-based auth, no keys to manage). For machines where you can't interactively authenticate:

CODEBLOCK12

Do NOT install Tailscale inside the container. It requires NET_ADMIN capability, which defeats the sandbox purpose. Use socat bridges instead.

Step 7 — Sandbox Workspace

Create minimal workspace files:

CODEBLOCK13

SOUL.md — Define agent identity and constraints.
TOOLS.md — Document SSH access: INLINECODE20

Communication Patterns

CODEBLOCK14

Gotchas

1. Container not using new image — After rebuilding Docker image, stop and remove old containers. OpenClaw reuses running containers.
Cross-context messaging — Agent spawned from WhatsApp cannot write to Discord. First trigger must come from the right channel.
MESSAGE CONTENT Intent — Must be enabled in Discord Developer Portal or bot receives empty messages.
Socat silent timeout — If ssh -p 2222 hangs with no error, check UFW rules on docker0.
Agent ID rename — Renaming an agent (e.g., sandbox → spoke) breaks active sessions that reference the old ID. Add the old ID to agentToAgent.allow until those sessions expire.
sessions_send timeout — timeoutSeconds: 0 for fire-and-forget, timeoutSeconds: 60 when waiting for a response. Timeout ≠ message not delivered.
Bot token exposure — Never post tokens in Discord channels. If exposed, reset immediately via Developer Portal.

多智能体沙盒

搭建沙盒化智能体，通过Discord和共享VPS与其他OpenClaw网关的智能体协作，同时不暴露私有数据。

架构

网关 A（服务器 A）网关 B（服务器 B）
├── 主智能体（完全访问权限） ├── 主智能体（完全访问权限）
│ agentToAgent.allow: [] │ agentToAgent.allow: []
└── 沙盒智能体（Docker） └── 沙盒智能体（Docker）
agentToAgent.allow: [main] agentToAgent.allow: [main]
├── Discord ←── 共享服务器 ──→ Discord
│ requireMention: true
└── SSH ─→ socat ─→ Tailscale ─→ 共享 VPS ←── SSH
100.y.y.y

三大支柱：socat桥接（容器 → 主机 → VPS）、Tailscale网状VPN（私有网络）、Discord + sessions_send（智能体间通信）。

前置条件

- 运行中的OpenClaw，支持Docker沙盒
所有机器上安装Tailscale（服务器A + VPS + 服务器B）
每个沙盒智能体一个Discord机器人令牌（https://discord.com/developers/applications）
可通过Tailscale访问的共享VPS

步骤 1 — 创建沙盒智能体

在openclaw.json的agents.list下添加：

json
{
id: sandbox,
workspace: /path/to/workspace-sandbox,
model: {
primary: anthropic/claude-sonnet-4-6,
fallbacks: [openai/gpt-4o]
},
identity: {
name: Sandbox,
emoji: 📦
},
sandbox: {
mode: all,
workspaceAccess: rw,
sessionToolsVisibility: all,
scope: agent,
docker: {
image: openclaw-sandbox:bookworm-slim,
readOnlyRoot: true,
network: bridge,
memory: 1536m,
cpus: 2
},
browser: { enabled: true }
},
tools: {
agentToAgent: {
allow: [your-main-agent-id]
},
alsoAllow: [message, sessionssend, sessionslist, sessions_history],
deny: [gateway, process, whatsapp_login, cron],
sandbox: {
tools: {
allow: [
exec, process, read, write, edit, apply_patch,
image, websearch, webfetch,
sessionslist, sessionshistory, sessionssend, sessionsspawn,
subagents, session_status, message, browser
],
deny: [
canvas, nodes, gateway, telegram, irc, googlechat,
slack, signal, imessage, whatsapp_login, cron
]
}
}
}
}

关键约束：

- sandbox.mode: all — 所有执行都通过Docker运行，绝不在主机上执行
readOnlyRoot: true — 容器文件系统除工作区外不可变
tools.deny — 无网关（无法修改配置），无cron（无法在主机上调度）
scope: agent — 每个智能体拥有独立容器（有效值：session | agent | shared）

步骤 2 — A2A权限（中心辐射模式）

使用基于智能体的出站白名单配置双向通信（PR #39102）：

json
{
tools: {
agentToAgent: { enabled: true, allow: [*] }
},
agents: {
list: [
{
id: main-agent,
tools: { agentToAgent: { allow: [*] } }
},
{
id: sandbox,
tools: { agentToAgent: { allow: [main-agent] } }
}
]
}
}

结果：sandbox → main-agent ✅ | sandbox → other-sandbox ❌ | main-agent → anyone ✅

两个智能体还需要为sessions_spawn设置subagents.allowAgents：

json
// 主智能体
subagents: { allowAgents: [sandbox] }

// 沙盒智能体
subagents: { allowAgents: [main-agent] }

必须在两个智能体上都设置。 忘记一个方向 = 静默访问被拒绝错误。

步骤 3 — 向Docker镜像添加SSH

默认沙盒镜像缺少SSH。编辑Dockerfile.sandbox：

dockerfile
RUN apt-get update \
&& apt-get install -y --no-install-recommends \
bash ca-certificates curl git jq \
openssh-client \
python3 ripgrep \
&& rm -rf /var/lib/apt/lists/*

重建并强制重新创建容器：

bash
docker build -f Dockerfile.sandbox -t openclaw-sandbox:bookworm-slim .
docker ps --format {{.ID}} {{.Image}} | grep sandbox | awk {print $1} | xargs -r docker rm -f

步骤 4 — Socat桥接

每个主机上两个桥接。始终绑定在172.17.0.1（docker0），绝不使用0.0.0.0。

桥接 1：容器 → 网关（本地）

ini

/etc/systemd/system/socat-bridge-docker0-gateway.service

[Unit]
Description=Socat桥接：docker0 → 网关
After=network.target docker.service

[Service]
Type=simple
ExecStart=/usr/bin/socat TCP-LISTEN:18789,bind=172.17.0.1,reuseaddr,fork TCP:127.0.0.1:18789
Restart=always
RestartSec=5

[Install]
WantedBy=multi-user.target

桥接 2：容器 → VPS SSH（通过Tailscale）

ini

/etc/systemd/system/socat-bridge-docker0-vps-ssh.service

[Unit]
Description=Socat桥接：docker0:2222 → VPS Tailscale SSH
After=network.target docker.service tailscaled.service
Wants=tailscaled.service

[Service]
Type=simple
ExecStart=/usr/bin/socat TCP-LISTEN:2222,bind=172.17.0.1,reuseaddr,fork TCP:100.y.y.y:22
Restart=always
RestartSec=5

[Install]
WantedBy=multi-user.target

启用、启动并开放防火墙：

bash
sudo systemctl daemon-reload
sudo systemctl enable --now socat-bridge-docker0-gateway socat-bridge-docker0-vps-ssh
sudo ufw allow in on docker0 to 172.17.0.1 port 18789 proto tcp comment socat-gateway
sudo ufw allow in on docker0 to 172.17.0.1 port 2222 proto tcp comment socat-vps-ssh

VPS桥接依赖于Tailscale（Wants=tailscaled.service）。没有这个依赖，socat会在Tailscale接口存在之前尝试连接——导致静默失败。

步骤 5 — Discord多机器人

创建Discord机器人

1. https://discord.com/developers/applications → 新建应用
Bot → 重置令牌 → 复制
启用所有3个特权网关意图（消息内容、服务器成员、在线状态）
邀请链接：https://discord.com/oauth2/authorize?clientid=ID>&permissions=274878024704&scope=bot

在openclaw.json中配置

json
discord: {
enabled: true,
accounts: {
default: {
enabled: true,
name: 主机器人,
token: $DISCORDTOKENMAIN,
groupPolicy: allowlist,
dmPolicy: allowlist,
allowFrom: [<你的Discord用户ID>],
guilds: {
<

multi-agent-sandbox多智能体沙箱