Running OpenClaw locally means handing the agent real API keys — keys that live as environment variables accessible to every process on your machine, every npm package you've installed, and potentially any prompt injection that sneaks through. A new open-source project called Nilbox is trying to fix that at the architecture level.
Nilbox appeared on Hacker News on April 18th with the pitch: "Run OpenClaw without exposing your API tokens." The approach is elegant: OpenClaw runs inside an isolated VM, but the VM never receives your real credentials. Instead, it gets a dummy placeholder token. A lightweight proxy on your host machine intercepts outbound API calls, swaps in the real token at the network layer, and forwards the request to the provider — all without the VM ever knowing a real key existed.
The Problem Nilbox Is Solving
If you've ever spun up OpenClaw on a shared machine, a laptop with dozens of npm packages installed, or a server with multiple services running, you've accepted a quiet risk: your API keys sit in plain text as environment variables. Any process with access to process.env (or a clever enough prompt injection) can read and exfiltrate them.
The standard advice — "use a dedicated machine" — is impractical for most people. Nilbox offers a different path.
Zero-Token Architecture
The core idea behind Nilbox is what they call Zero Token Architecture:
- OpenClaw runs inside a VM — a private sandbox on your existing PC, Mac, or Linux machine. No dedicated hardware required.
- The VM gets a dummy token — something like ANTHROPIC_API_KEY=ANTHROPIC_API_KEY. OpenClaw sees it as a valid-looking key and runs normally.
- The host proxy intercepts and swaps — when OpenClaw makes an API call, the nilbox proxy on the host intercepts the request, replaces the dummy token with your real credential, and forwards it to the cloud provider.
- Zero attack surface — even if the VM is fully compromised, there are no real credentials to steal.
Beyond token security, Nilbox layers on additional controls:
- Directory-level access control: OpenClaw can only read directories you explicitly allow. Your ~/.ssh, ~/.env, and ~/Documents stay invisible unless you open them.
- Network allowlist: Outbound traffic from the VM is blocked by default. You approve specific destinations (like api.anthropic.com). Everything else is silently dropped.
- Spending caps: Set daily and monthly limits per provider. Once the cap is hit, Nilbox automatically blocks further requests — no more overnight bill shock.
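The host-side decision described above (allowlist check, spending cap, then token swap), written out as an added example; it is not Nilbox's own code. The Provider record, the forward_headers function, the est_cost_usd parameter and the secret value are assumptions made for illustration; x-api-key is the header the Anthropic API reads its key from.

```python
from dataclasses import dataclass

class Blocked(Exception):
    """Raised when the proxy policy refuses a request."""

@dataclass
class Provider:                 # hypothetical policy record, one per provider
    host: str                   # the only destination this credential may go to
    header: str                 # request header that carries the credential
    placeholder: str            # dummy value the VM holds
    secret: str                 # real credential, stored on the host only
    daily_cap_usd: float
    spent_usd: float = 0.0

def forward_headers(providers, dest_host, headers, est_cost_usd=0.0):
    """Return the headers to send upstream, or raise Blocked."""
    dest = dest_host.lower().rstrip(".")
    policy = {p.host: p for p in providers}.get(dest)
    if policy is None:                                   # default-deny allowlist
        raise Blocked(f"destination not allowlisted: {dest}")
    if policy.spent_usd + est_cost_usd > policy.daily_cap_usd:
        raise Blocked(f"daily cap reached for {dest}")
    out = {}
    for name, value in headers.items():
        if name.lower() == policy.header.lower():
            # Swap only the exact placeholder, and only for this provider's host,
            # so the real key can never be steered to another destination.
            if value != policy.placeholder:
                raise Blocked("credential header is not the expected placeholder")
            value = policy.secret
        out[name] = value
    policy.spent_usd += est_cost_usd    # assumed caller-supplied cost estimate
    return out

if __name__ == "__main__":
    # Constructed sample policy and request; the secret is a made-up value.
    anthropic = Provider("api.anthropic.com", "x-api-key",
                         "ANTHROPIC_API_KEY", "sk-ant-constructed-example", 1.00)
    vm_headers = {"x-api-key": "ANTHROPIC_API_KEY", "content-type": "application/json"}
    print(forward_headers([anthropic], "api.anthropic.com", vm_headers, 0.40))
    try:
        forward_headers([anthropic], "paste.example", vm_headers)
    except Blocked as exc:
        print("blocked:", exc)
```

A compromised VM can still send requests through the proxy with the placeholder, so the allowlist and the cap are what bound the damage once the key itself is out of reach.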
Setup
Nilbox is open-source and described as a one-click install that works on macOS, Windows, and Linux. The project's landing page emphasizes that no admin privileges or terminal experience is required — the VM spins up from a single UI action.
The GitHub repository is at github.com/rednakta/nilbox (based on the HN author's handle; check the site for the official link).
Why This Matters
The security concerns Nilbox addresses aren't hypothetical. Prompt injection attacks against OpenClaw agents are an active research area, and the attack surface grows with each new plugin and channel integration you add. Keeping real credentials entirely outside the agent's execution environment is a sound defense-in-depth approach.
The project is still early — the HN post (3 points at time of writing) hasn't caught fire yet — but the architecture is interesting enough to watch. Similar zero-trust approaches have worked well in other agentic contexts (see: ArmorClaw's intent-assurance plugin), and "sandbox the whole thing" is a natural next step for users who want to give their OpenClaw agent access to sensitive systems without fully trusting every line of the agent's tool chain.
Try It
- Site: nilbox.run
- HN discussion: Show HN: Nilbox – Run OpenClaw without exposing your API tokens
If API token security is a concern in your OpenClaw setup — especially if you're running the agent on a shared machine, giving it access to email or files, or using community-built skills from ClawHub — Nilbox is worth a look.