The honest verdict up front: harnesses contain a hostile agent at a hardware boundary; OrchestKit only blocks known-bad patterns — it has no containment. A seatbelt, not a roll cage.
Own the runtime. Sandbox at the OS: container / microVM per agent. Answer: “can the agent escape onto my host?”
Runs inside a harness. Guards at PreToolUse: deny-rules, write-time secret block, supply-chain gates. Answer: “should this command run at all?” — but a guard is advisory in-process text, not a trust boundary.
The question that matters: “if the agent turns hostile, am I contained?” NanoClaw: yes (microVM). Hermes (Docker): yes; Hermes (local default): no. OrchestKit: no — bypass one regex or jailbreak the model once, and your host (~/.ssh, ~/.aws, .env, every other repo) is fully reachable. ork is prevention; they are containment. Prevention-by-denylist loses to novel input.
microVM / seccomp / cap-drop holds even when everything inside is hostile. ork’s denylist stops known-bad; base64, $IFS, char-by-char script writes, python -c all walk through. One bypass → full host.
NanoClaw’s OneCLI vault means the agent never holds raw keys (injected per-request, rate-limited). ork’s session has full ambient access to every key already on disk. The secret-scanner only stops a key being written, not read + exfiltrated.
A network-namespaced container can rule out exfil destinations. ork can’t — the agent can curl your data anywhere. (This is improvement #2 below, not a shipped feature.)
Hermes took an independent audit (#7826). ork’s security is self-asserted. And their architecture is “never trust the agent, contain it” — the correct post-prompt-injection stance. ork’s is “trust the agent, catch mistakes.”
“Immune to skill-poisoning” → ork has no runtime self-improvement at all; it’s immune because the feature is absent. Crash-proof because there’s no engine — not a win on equal terms.
“Supply-chain hygiene wins” → true, but that protects against a malicious ork distribution, not against the agent on your box. Different threat; I conflated them.
What actually holds up: telemetry discipline (off-by-default, self-hosted, hashed — beats NanoClaw’s unverified); write-time secret-commit block (narrow but real); hooks fire in every permission mode. All prevention. None is containment.
Claude Code ships an opt-in OS Bash-sandbox (Seatbelt/bwrap). ork:doctor reads settings.local.json for sandbox.enabled and nudges /sandbox-on with a sane allowlist. Honest limits: no runtime detection API, and it's Bash-only (Read/Write/MCP unsandboxed) — raises the floor, not the ceiling.
One PreToolUse Bash guard that asks on outbound curl/wget/nc to non-allowlisted hosts and on staged curl→sh / eval $(curl) / base64-decode-exec. Pure policy-layer win.
Ship a reference devcontainer.json + “run CC+ork inside NanoClaw’s microVM” guide. OrchestKit = the policy layer; here’s how to pair it with an isolation layer for the strongest posture.
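Improvement #2 above, as an added example that is not OrchestKit's shipped code: a PreToolUse Bash guard that returns ask on outbound curl/wget/nc to hosts outside an allowlist and on the staged fetch-and-execute shapes listed; the allowlist entries, the Decision shape and the reason strings are assumptions made here.

```typescript
// Added example of the proposed guard (not shipped OrchestKit code). The host
// allowlist and the "ask" reasons are assumptions for illustration.
type Decision = { decision: "allow" | "ask"; reason?: string };

const ALLOWED_HOSTS = new Set(["registry.npmjs.org", "github.com", "api.github.com"]);

// Staged fetch-and-execute shapes: ask on these regardless of destination host.
const STAGED: Array<[RegExp, string]> = [
  [/\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(sh|bash|zsh)\b/, "curl|sh"],
  [/\beval\s+["']?\$\(\s*(curl|wget)\b/, "eval $(curl)"],
  [/\bbase64\s+(-d|--decode)\b[^|]*\|\s*(sh|bash)\b/, "base64-decode-exec"],
];

const FETCH_RE = /\b(?:curl|wget)\b[^;&|]*/g; // one curl/wget invocation
const URL_RE = /https?:\/\/([^\/\s:'"]+)/g;    // host part of a URL
const NC_RE = /\bnc\b.*?\s([a-z0-9.-]+\.[a-z]{2,}|\d{1,3}(?:\.\d{1,3}){3})\s+\d{1,5}\b/gi;

// Collect every destination host named by curl/wget URLs or "nc <host> <port>".
function outboundHosts(cmd: string): string[] {
  const hosts: string[] = [];
  let f: RegExpExecArray | null;
  FETCH_RE.lastIndex = 0;
  while ((f = FETCH_RE.exec(cmd)) !== null) {
    let u: RegExpExecArray | null;
    URL_RE.lastIndex = 0;
    while ((u = URL_RE.exec(f[0])) !== null) hosts.push(u[1].toLowerCase());
  }
  let n: RegExpExecArray | null;
  NC_RE.lastIndex = 0;
  while ((n = NC_RE.exec(cmd)) !== null) hosts.push(n[1].toLowerCase());
  return hosts;
}

// PreToolUse verdict for one Bash command: "ask" surfaces the call to the user.
function egressGuard(cmd: string): Decision {
  for (const [re, name] of STAGED) {
    if (re.test(cmd)) return { decision: "ask", reason: `staged execution (${name})` };
  }
  const unknown = outboundHosts(cmd).filter((h) => !ALLOWED_HOSTS.has(h));
  if (unknown.length > 0) {
    return { decision: "ask", reason: `outbound to non-allowlisted host: ${unknown.join(", ")}` };
  }
  return { decision: "allow" };
}
```

It is still a denylist: the bypasses the page already names ($IFS, char-by-char script writes, python -c) walk past it, which is why this is a policy-layer win and not a boundary.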
Everything below is prevention: it decides whether a tool call runs. None of it is containment (see the missing layer 0). This is the honest design, faithfully traced from src/hooks/src/entries/pretool.ts.
The key design move: compound-split runs first so echo ok && rm -rf / can't smuggle a dangerous command past the matcher by hiding behind a harmless prefix. Security guards are synchronous (the command waits on the verdict); advisory hooks are async and can never block — so a slow hint never delays you, and a security verdict is never skipped.
The pipeline above fires in every permission mode (incl. skip-permissions): the deny rules get bypassed there, the hooks don't.
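The compound-split-then-classify ordering described above (and restated in the 3-tier and compound-split cards below), as an added example written for this page rather than code from src/hooks/src/entries/pretool.ts; the regexes are a constructed subset of the DENY/ASK tiers, and the separator set and verdict ranking are assumptions.

```typescript
// Added example, not OrchestKit's pretool.ts: split compounds first, then run a
// 3-tier policy over every piece and let the strictest verdict win.
type Verdict = "allow" | "ask" | "deny";
const RANK: Record<Verdict, number> = { allow: 0, ask: 1, deny: 2 };

// DENY = catastrophic, ASK = gray zone (constructed subset of the page's tiers).
const DENY: RegExp[] = [
  /^rm\s+-\w*r\w*\s+\/(\s|$)/,   // rm -rf /  (but not rm -rf /tmp/x)
  /:\(\)\s*\{.*:\|:.*\};\s*:/,   // fork bomb
  /\bDROP\s+DATABASE\b/i,
  /\|\s*(sudo\s+)?(sh|bash)\b/,  // anything piped into a shell
  /\bmkfs\b/,
  /\bdd\s+if=/,
];
const ASK: RegExp[] = [/^terraform\s+destroy\b/, /^sudo\b/, /^kill\b/];

// Surface the body of every $( ... ) substitution, then split on the shell's
// own separators, so "echo ok && rm -rf /" yields a bare "rm -rf /" segment.
function splitCompound(cmd: string): string[] {
  const parts: string[] = [];
  const subst = /\$\(([^()]*)\)/g;
  let m: RegExpExecArray | null;
  while ((m = subst.exec(cmd)) !== null) parts.push(m[1].trim());
  for (const seg of cmd.split(/\s*(?:&&|\|\||;|\||\n)\s*/)) {
    if (seg.trim()) parts.push(seg.trim());
  }
  return parts;
}

function tierOf(seg: string): Verdict {
  if (DENY.some((r) => r.test(seg))) return "deny";
  if (ASK.some((r) => r.test(seg))) return "ask";
  return "allow";
}

// The full command is checked too, so multi-segment shapes like "| sh" still match.
function classify(cmd: string): Verdict {
  let worst: Verdict = "allow";
  for (const piece of [cmd, ...splitCompound(cmd)]) {
    const v = tierOf(piece);
    if (RANK[v] > RANK[worst]) worst = v;
  }
  return worst;
}
```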
Bash(rm -rf /), chmod 777, force-push to main/master, mkfs, dd if=, fork-bomb — hard CC-level deny.
npm run test:security must pass before merge — command-injection, dep-confusion, secret-scanning, path-traversal, symlink, unicode, npm-audit (moderate+, 4 trees).
Claude Code has a native OS sandbox (Seatbelt / bubblewrap, sandbox.* settings, since 2.1.83). But it's opt-in and ork neither enables nor requires it. With it OFF (the common default), a bypassed guard has nothing underneath. Turn it on — or run in a container — and there's a real boundary. ork ships zero sandbox config by design.
3-tier: DENY catastrophic (rm -rf /, fork-bomb, DROP DATABASE, |sh), ASK gray-zone (terraform destroy, sudo, kill), ALLOW rest.
Splits && ; | $( ) so a dangerous command can't evade matching by hiding in a compound. Anti-evasion.
Branch protection (no direct commit to main/dev), branch-naming, commit-message, atomic-commit, stacked-PR delete guard.
15 high-confidence patterns (OpenAI/Anthropic/GitHub keys…) on Write/Edit content. OWASP ASI02/03 — blocks the secret before it lands.
Protects sensitive files (.env, keys); resolves symlinks first (anti-bypass); enforces file-size gate (300 / 500 test lines).
Flags risky code on Write — eval, dynamic exec, shell-string interpolation, injection-shaped patterns.
Sanitizes MCP memory writes — untrusted graph input validated before it persists to the knowledge graph.
CI / headless guard on CronCreate — prevents unattended scheduling escapes in non-interactive runs.
Honest caveat on this layer: several of these (command-injection, path-traversal, unicode-attacks, jq/sqlite-injection) harden the guards' own parsers against malicious input — i.e. they secure the security tool, not your machine from the agent. Necessary, but it's meta-security, not containment.
The diff in one diagram. A boundary (the box) is what holds when the agent turns hostile. ork's guards always live inside the boundary — they pick what runs; the boundary picks what can escape.
ork:doctor reads settings.local.json for sandbox.enabled and nudges you to /sandbox-on (+ a recommended fs/network allowlist). Caveat: no runtime detection API, and it's Bash-only — so this raises the floor, not the ceiling.
A reference devcontainer.json + “run CC+ork inside a container / NanoClaw microVM” guide. This is the real full boundary — column C. ork stays the policy layer; the container is the wall.
To own an OS boundary, ork would have to stop being a CC plugin and become a runtime that spawns containers. That's a different product, not a feature. Don't.
Research: NanoClaw = nanocoai/nanoclaw (MIT, ~30k★, microVM per agent, OneCLI vault). Hermes = NousResearch/hermes-agent (MIT, Docker-hardened, local default = no isolation; audit #7826: 4 critical / 9 high). OrchestKit verdicts file-cited to src/hooks/src/… + tests/security/. ⚠️ Avoid typosquat forks qwibitai/nanoclaw, thenvoi/nanoclaw-thenvoi — install only from nanocoai/nanoclaw.