00:00:00If you've been following the headlines lately, you've probably seen all of the warnings about
00:00:04the dangers of running autonomous AI agents. It could be accidental data leaks or high profile
00:00:10security breaches like we saw with OpenClaw. The reality is that giving an AI agent full
00:00:15access to your host terminal is pretty dangerous. But we're not gonna stop using these tools just
00:00:21because of security concerns, right? What we need is a better sandbox. And there's this little
00:00:28incredible tool out there called Code on Incas, which lets you run CLAWD code in a completely
00:00:34isolated Incas container, so you can safely run your coding agents without worrying about having
00:00:40your SSH keys or environment variables leaked. In today's video, we're gonna take a closer look on
00:00:46how Code on Incas works, and then I'll show you how to set it up yourself, so you can safely start
00:00:51running your own fleet of autonomous AI agents. It's gonna be a lot of fun, so let's dive into it.
00:00:58So first of all, what is Incas? Well, actually, I covered Incas in greater detail in one of my
00:01:07previous videos, so go check that out if you want to dive deeper into how it works. But essentially,
00:01:12Incas is an open source system container and virtual machine manager that allows you to run
00:01:18full Linux systems in isolated environments. And Code on Incas takes this idea to the next level
00:01:24by letting you deploy fully isolated mini Linux machines with CLAWD code pre-installed on them,
00:01:31so you can use them as sandboxed CLAWD code agents. It's a pretty cool idea. It basically
00:01:36gives CLAWD its own dedicated Linux environment. And unlike Docker's privileged mode, Inca's system
00:01:43containers behave like full Linux machines, and they also have a persistent state, so you can stop
00:01:49and start sessions without losing progress or conversation history. One of the best parts about
00:01:54this setup is that it solves the permission hell. Usually when a container creates a file,
00:02:00it's owned by root, and you're stuck running chown just to edit your own code. But Incas uses UID
00:02:08mapping, so it effectively tricks the system so that everything CLAWD creates in the sandbox
00:02:14is natively owned by you on your local machine. And in my previous video, I showed you how to set up
00:02:20Inca's containers on a Linux machine. But this time, I will show you how to set them up on a Mac.
00:02:26So we will basically be using a tool called Colima, which is its own container. And we're going to be
00:02:31running Incas inside of it, which is another container. And we're going to be running CLAWD
00:02:36code inside of that, which is a true Inception style scenario. So first and foremost, make sure
00:02:42you have downloaded Colima. And on the right over here, I have set up a simple folder called my test
00:02:48app where we will store everything that CLAWD code produces through our Incas containers. So now let's
00:02:55start a simple Colima instance. And we will pass the mount flag to allow writing permissions to
00:03:00the folder that I just created. Once we've done that, we will SSH into our Colima container. And
00:03:06from here, we basically need to follow the instructions laid out in the code on Incas
00:03:11repository. So copy these lines to install and configure Incas. And then it says that we should
00:03:17run the bash command. But in my previous tests, this didn't actually work as expected. So instead,
00:03:23you can do the same thing by copying the contents into an install sh file and then running that the
00:03:29setup script will now run and it detects that Incas is already installed, which is great, but we still
00:03:35need to configure our firewall. But we will do that in a moment. Right now just click one to build from
00:03:42source and let the script do its job. Once you've done that, we can go ahead and run our firewall
00:03:47configuration commands. And according to the instructions, the next thing you should do is
00:03:52run koi build. But in my previous tests, I encountered some network connectivity issues.
00:03:58Since Incas is running inside the Colima virtual machine, it creates its own virtual network bridge.
00:04:04Usually it's called Incas BR zero to give CLAWD containers internet access. But here's where it
00:04:10gets tricky. By default, Linux firewalls and even Docker's own networking rules can sometimes
00:04:16conflict with this bridge. To fix this, we need to ensure that the Colima virtual machine allows
00:04:22traffic to flow freely between the Incas bridge and the outside world. We do this by adding the
00:04:28Incas bridge to our trusted firewall zone and enabling IP version 4 forwarding. And once you
00:04:34see success printed out twice in the terminal, we are now officially ready to build code on Incas.
00:04:40Now the documentation can be a little bit confusing here because to build the tool, you need to run a
00:04:46setup script, which is inside the repo. So the easiest way forward is to clone the code on Incas
00:04:52repository directly, then CD into it, and then run koi build from there. At least that's how I got it
00:04:59working. The build process takes about a minute or two to compile everything. But once that's finished,
00:05:04then the fun begins. We can now finally spin up our autonomous CLAWD code agents inside their own
00:05:11Incas bubbles. So let's do that now. To show you how this works in practice, I've set up two terminal
00:05:16windows. I'm launching our first instance on slot one, passing in the workspace path so CLAWD knows
00:05:23where to save the files. And I'm also adding the network open flag. And this is crucial because it
00:05:28allows the agent to reach the internet, download dependencies and hit the API as it needs to function.
00:05:35I'll do the exact same thing for slot two, essentially creating like a tag team duo.
00:05:40One agent will be entirely focused on the back end and the other is dedicated for the front end
00:05:45portion. For this demo, I'm going to ask them to build a Star Wars holocron app, a tool that
00:05:51fetches character data from the SWAPI API. And to make it more interesting, I've also asked the front
00:05:57end agent to give the UI a flickering blue hologram effect inspired by the classic 1977 Star Wars
00:06:04terminal look. And then we just let them cook. And a few minutes later, we see that both of our agents
00:06:10have successfully collaborated working in the same workspace. And they've created both the back end
00:06:16and the front end interface. So now let's open the browser and see how it looks. Okay, so it's looking
00:06:22pretty good. We have that classic Star Wars hologram glow effect going. And now if I query data about
00:06:28Darth Vader, we can see it successfully retrieves it. Same thing for Yoda. And same thing for Luke
00:06:34Skywalker. So this is the power of safely orchestrating AI agents without ever exposing
00:06:40your primary host machine to unknown dependencies or messy code bases. And now I want to show you
00:06:46another example where this kind of security is very useful. So let's say you've downloaded a file,
00:06:52and you suspect this file might contain malware. And for this demonstration purposes, I will
00:06:56actually use a sample malware file provided by the ACAR Institute that is usually used as a
00:07:02demonstration file mimicking a real computer virus. Now the file in essence doesn't do anything harmful,
00:07:09but it does contain a malware signature inside of it. So now let's suppose you have that file,
00:07:14but you don't want to unzip it on your local machine. So this is where again, you can use
00:07:19code on Incas to do the archive extraction for you. And then maybe we can use clod code to run
00:07:25a comprehensive analysis on the contents of that file. So in this second example, I've started a new
00:07:30kalima instance. And this time I'm passing in the folder that contains the ACAR file as a workspace,
00:07:37so we can then pass it to Incas. So I've gone through the whole process again of installing
00:07:41Koi and configuring it. And now we've launched a new AI agent. What we can do now is in a separate
00:07:48terminal window, push the file onto the Incas instance. And you can do this by using the Inca
00:07:54file push command, and by specifying the container ID of that particular Koi instance. And once we've
00:08:00transferred it, I can now ask clod code to examine the contents and run a comprehensive analysis
00:08:06report. So a few moments later, we see that clod code has finished the analysis. And as expected,
00:08:11it has determined that this file is completely safe and not malicious at all. And it did identify that
00:08:17this is indeed an ACAR malware test file. And it has laid out all the details of it in the analysis
00:08:24report. So this is pretty cool. If you're a security researcher, or just a developer who
00:08:29receives a lot of untrusted files, you can definitely use the same process to safely and
00:08:34securely inspect them, you can get all the analytical power of clod with the impenetrable
00:08:40shield of an Inca system container. So there you have it, that is code on Incas. In a nutshell,
00:08:47there are all sorts of other helpful commands this tool provides that I didn't get the chance to
00:08:52highlight in this video. Like for example, you can launch instances with your own custom images,
00:08:57and you can manage snapshots and sessions. So do check out the full project to get a deeper dive.
00:09:03I think nowadays with so many security threats on every digital corner of the web, tools such
00:09:09as this one really helps to manage AI agent orchestration safely. And it's using Incas to do
00:09:16so which I'm a big fan of. So that gets my stamp of approval. But what do you think about this tool?
00:09:21Have you tried it? Will you use it? Let us know in the comment section down below. And folks,
00:09:26if you found this video helpful, please let me know by smashing that like button underneath the video.
00:09:31And don't forget to subscribe to our channel so you don't miss out on any other of our future
00:09:36technical breakdowns. This has been Andris from Better Stack and I will see you in the next videos.