Skip to main content

AI Coding Agent in a Container: Why Developers Stop Worrying About What Their Assistant Breaks

Ilustrační obrázek
Imagine giving an AI assistant access to your computer — to all your files, SSH keys, browser passwords, and half your professional life. That's exactly what developers do when they run AI coding agents directly on their main machine. But one experienced tech journalist decided he was done with this risk. He moved his AI agent into an isolated container on a separate server, and now he doesn't care at all what the agent breaks — because whatever goes wrong stays trapped in an isolated box that can be restored to its original state with a single click.

Why running an AI agent on your own computer is dangerous

An AI coding agent is a tool that reads files, edits code, installs dependencies, and runs shell commands with the same permissions as the user who launched it. On a test server, that's fine. On a laptop where you have SSH keys to production servers, online banking logged into the browser, and years of work in your files, it's a lottery ticket. And it's not just a theoretical risk. In early 2026, security firm Ox Security revealed that the popular open-source agent OpenClaw stored API keys in plaintext, created backups of deleted credentials with a .bak extension, and used over a hundred eval calls in the code. Subsequently, Oasis Security discovered the ClawJacked vulnerability — a local WebSocket that any malicious website open in the browser could connect to. At the height of the panic, there were over 100,000 publicly accessible OpenClaw instances on the internet. OpenClaw's approach to security is best summed up by its creator's response to reported bugs: "This is a hobby project. If you want to help, send a PR. Once it's production-ready, I'll be happy to look at vulnerabilities."

Hermes Agent: an agent that doesn't take security lightly

An alternative that is gaining trust in the developer community is Hermes Agent by the research group Nous Research — the same team behind the popular open-weight Hermes model series. Unlike OpenClaw, it doesn't treat security as an afterthought but as a default constraint. Hermes has a public security policy with a ninety-day coordinated vulnerability disclosure window, a dedicated security email, and clearly defined what is and isn't in scope for protection. The documentation openly acknowledges: "The only security boundary against a hostile LLM is the operating system." Everything else — approval of destructive commands, redaction of secret keys in outputs, the Skills Guard injection scanner — is explicitly labeled as accident prevention, not a sandbox.

How container isolation works

Adam Conway, tech journalist at XDA Developers, described his specific setup in a July 9, 2026 article. His Hermes Agent runs inside an unprivileged LXC container on a Proxmox server. The container is a separate entity with its own user without root privileges, and limited CPU, memory, and disk. Thanks to copy-on-write storage, he can create a snapshot before every agent action — and if the agent breaks something, he can restore the container to its previous state with a single command. What's important: an unprivileged LXC is not a security guarantee against a targeted attack. It's a practical isolation layer for your own agent — not protection against a hacker actively looking for a way out. That's why Conway puts only the bare minimum into the container: cloned repositories, essential dependencies, and an API key for MiniMax. No production tokens, no SSH keys to anything important.

MiniMax M3: a model that handles programming for pennies

The coding model of choice is MiniMax M3 — the latest model from Chinese company MiniMax with 428 billion parameters, deployed as an API service. Conway uses it through a MiniMax subscription, since a model of this size couldn't run on local hardware. For context: MiniMax M3 follows the M2.7 model, which Conway previously tested as a cheap alternative to Claude Opus and called it "surprisingly good — not as good as Opus, but perfectly sufficient for everyday programming."

Price comparison

MiniMax M2.7 cost roughly $0.30 per million input tokens and $1.20 per million output tokens. Against Claude Opus 4.6 ($5 input / $25 output) it was roughly 17–21× cheaper. The starter plan with 1,500 requests every five hours came to $10 per month. M3, the successor to M2.7, is expected to be even more capable in agent and coding tasks — and remains orders of magnitude cheaper than premium models from Anthropic or OpenAI. For Czech developers, this is important information: if you're paying $20–100 per month for Claude or ChatGPT, you can get comparable performance for coding tasks at a fraction of the price — and thanks to an isolated container, you also eliminate the security risk.

Discord as an interface — programming through messages

The most interesting part of the setup is that all control happens through Discord. Conway sends a message to the bot — "clone this repo," "create a new project," "check what's in that git repo" — and the agent works in the container regardless of whether Conway is at his computer or somewhere on the go with just his phone. The first project he assigned to the agent was a simple Markdown editor for the browser. He sent the request via Discord, went about his business, and within minutes the agent had created the project structure, installed dependencies, and started the development server. The editor was immediately accessible from any device on the network — including his phone.

Profiles and on-demand models

Hermes organizes everything into profiles — each profile has its own configuration, API keys, skills, session history, and communication bot. The personal assistant profile and the coding profile are completely separate — they don't share memory, keys, or tokens. A mistake in one can't spill over into the other. And best of all: the model is interchangeable. Conway currently uses MiniMax M3, but can switch to DeepSeek V4 Pro or GLM 5.2 in moments — just change the configuration file. Hermes supports MiniMax, Z.AI (GLM), OpenRouter, and standard OpenAI endpoints. For coding, this model flexibility is a key advantage.

Broader context: AI agent security is the theme of 2026

Conway's approach fits into a broader trend. As AI agents gain access to files, terminals, and networks, the need to isolate them grows as well. Nvidia responded with its own tool NemoClaw — a sandbox that wraps OpenClaw and restricts its system access. But even that doesn't solve the cultural problem of OpenClaw, which encourages users to connect dozens of services into a single trust zone. For comparison: Claude Code by Anthropic runs directly in the developer's terminal and works with files on the local disk. OpenCode (an open-source alternative to Claude Code) works similarly — if you run it on your main machine, it has access to everything you do. GitHub Copilot and Cursor primarily operate within the IDE, so their blast radius is more limited, but they still work within the context of your development environment. Conway's containerized approach represents a third way: an agent that is fully capable but trapped in an isolated cage. It can clone repositories, install packages, run tests — anything. But whatever it breaks or deletes only affects the container, which can be restored from a snapshot in seconds.

What this means for Czech developers

This approach is relevant to the Czech scene as well. Many Czech companies and freelancers are experimenting with AI development assistants, but often without a clear security strategy. Yet solutions like Proxmox (which is popular among Czech Linux enthusiasts) combined with the open-source Hermes Agent make it possible to build a secure development environment practically for free. Key recommendations: - Never run an AI agent with full permissions on your main work machine - Use a container (LXC, Docker) or a virtual machine as an isolation layer - Take snapshots before every major agent action - Put only the absolute minimum of sensitive data into the container - For the Czech environment, the GDPR aspect is also relevant — if the agent processes personal data, isolation in a container on your own hardware is far safer than sending everything to the cloud Hermes Agent is open-source (MIT license) and its deployment is free. You only pay for the API key to the model you use — and as the comparison with MiniMax shows, it can be significantly cheaper than a subscription to commercial tools.

Is Hermes Agent suitable for beginners too, or only for experienced Linux administrators?

Hermes Agent requires basic knowledge of the command line and containerization. It's not a "download and click" tool — you need to understand concepts like LXC containers, API keys, and profile configuration. For a complete beginner, it might be easier to start with Cursor or GitHub Copilot within an IDE. But if you have basic Linux experience and want maximum control over what your AI agent has access to, Hermes is currently the best open-source choice.

Does MiniMax M3 support Czech, and how is it with understanding Czech code?

MiniMax M3 is a model developed by the Chinese company MiniMax, but its training data includes many languages. It should handle Czech at a basic level — it understands comments in code, can answer queries in Czech. For coding tasks, however, English is the primary language (variable names, library documentation), so Czech isn't an obstacle. If you need a model with excellent Czech support, models from OpenAI (GPT-5.x, Codex) and Anthropic (Claude) are better in this regard, but also significantly more expensive.

Can I set up a similar isolated environment on Windows or macOS?

Yes, the principle is the same across platforms. On Windows, you can use WSL2 with Docker or Hyper-V with a virtual machine. On macOS, Docker Desktop or UTM with a virtualized Linux works well. Proxmox itself is a Linux virtualization platform, but the concept of isolating the agent in a container or VM is universal. The key is that the agent shouldn't have access to your main files, passwords, and SSH keys — regardless of which platform you use.

X

Don't miss out!

Subscribe for the latest news and updates.