Matchlock: Secure AI Agent Sandboxing with MicroVMs

AI agents increasingly need to execute code, install packages, and make API calls. But giving them unrestricted access to your infrastructure creates serious security risks. Matchlock solves this by providing ephemeral microVM sandboxes that boot in under a second and isolate agents from your host system.
What is Matchlock?
Matchlock is an open-source CLI tool that launches AI workloads in isolated Firecracker microVMs on Linux or Apple's Virtualization.framework on macOS. Each sandbox gets a full Linux environment where agents can do whatever they need. They can install packages, write files, and make network requests. But all of this happens in a disposable container that vanishes when you are done.
The standout feature is secret injection through a MITM proxy. When your agent calls an external API, Matchlock intercepts the request on the host and injects real credentials in-flight. The VM only ever sees placeholder tokens. If an agent gets tricked into running malicious code, your API keys stay safe because they never entered the sandbox in the first place.
Key Features
- Sub-second boot times with Firecracker microVMs
- Network allowlisting blocks all outbound traffic except explicitly permitted hosts
- Secret injection keeps credentials on the host, never inside the VM
- Copy-on-write filesystems make each run completely disposable
- Go and Python SDKs for embedding sandboxes in your applications
Installation
Install via Homebrew on both Linux and macOS:
brew tap jingkaihe/essentials
brew install matchlock
Usage
Run a basic sandbox with Alpine Linux:
matchlock run --image alpine:latest cat /etc/os-release
For AI agent workloads, combine network allowlisting with secret injection:
export ANTHROPIC_API_KEY=sk-xxx
matchlock run --image python:3.12-alpine \
--allow-host "api.anthropic.com" \
--secret ANTHROPIC_API_KEY@api.anthropic.com \
python agent.py
The agent sees ANTHROPIC_API_KEY as a placeholder string like SANDBOX_SECRET_a1b2c3d4. When it makes a request to api.anthropic.com, Matchlock swaps in the real key at the proxy layer.
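To make the placeholder-and-swap design concrete, here is a small model of the host-side proxy logic written for this post (it is not Matchlock's own code): the VM receives only opaque placeholders, the allowlist decides whether a request leaves at all, and a placeholder is replaced with the real value only when the request targets the host the secret is bound to. The allowlist, the rule format and the key value are constructed for the example.

```python
import secrets
from dataclasses import dataclass, field

# Constructed example value; in practice the real key is held on the host only.
DEMO_REAL_KEY = "sk-constructed-example-key"

@dataclass
class SecretRule:
    env_name: str            # variable name the agent sees, e.g. ANTHROPIC_API_KEY
    real_value: str          # real credential, never copied into the VM
    allowed_hosts: set       # hosts for which the real value may be injected
    placeholder: str = field(default="")

    def __post_init__(self):
        # The VM only ever gets this opaque token, e.g. SANDBOX_SECRET_a1b2c3d4
        if not self.placeholder:
            self.placeholder = "SANDBOX_SECRET_" + secrets.token_hex(4)

class HostProxy:
    """Models the host-side proxy: network allowlist plus in-flight secret swap."""

    def __init__(self, allow_hosts, rules):
        self.allow_hosts = set(allow_hosts)
        self.rules = list(rules)

    def sandbox_env(self):
        """Environment handed to the VM: names mapped to placeholders, never real values."""
        return {r.env_name: r.placeholder for r in self.rules}

    def forward(self, host, headers, body=""):
        """Return ('blocked', None) for hosts outside the allowlist, otherwise
        ('sent', request) with placeholders swapped only for their bound host."""
        if host not in self.allow_hosts:
            return "blocked", None
        rewritten = {k: self._swap(host, v) for k, v in headers.items()}
        return "sent", {"host": host, "headers": rewritten, "body": self._swap(host, body)}

    def _swap(self, host, text):
        for rule in self.rules:
            # A placeholder addressed to any other allowed host leaves as the useless token
            if rule.placeholder in text and host in rule.allowed_hosts:
                text = text.replace(rule.placeholder, rule.real_value)
        return text

def build_demo_proxy():
    """Constructed configuration: allowlist api.anthropic.com and pypi.org,
    with ANTHROPIC_API_KEY bound to api.anthropic.com only."""
    rule = SecretRule("ANTHROPIC_API_KEY", DEMO_REAL_KEY, {"api.anthropic.com"})
    return HostProxy(["api.anthropic.com", "pypi.org"], [rule])
```

The pypi.org case is the one worth checking: the request is allowed through, but the placeholder is not exchanged, so a compromised agent that redirects the key elsewhere sends nothing of value.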
Operational Tips
For long-running agent sessions, create persistent sandboxes:
matchlock run --image ubuntu:latest --rm=false
# Returns VM ID like vm-abc12345
matchlock exec vm-abc12345 -it bash
Pre-build images to speed up startup times:
matchlock build python:3.12-alpine
Conclusion
Matchlock brings defense-in-depth to AI agent deployments. Network isolation prevents data exfiltration, secret injection keeps credentials secure, and disposable VMs contain any damage. For SRE teams deploying autonomous agents, it provides the security boundaries that production environments demand.
Akmatori provides an AI-powered SRE assistant that helps teams manage incidents and automate operations. Built on Gcore infrastructure, Akmatori combines the reliability of enterprise-grade cloud computing with intelligent automation. Learn more at akmatori.com and gcore.com.
