Top AI Product

We track trending AI tools across Product Hunt, Hacker News, GitHub, and more, then write honest, opinionated takes on the ones that actually matter. No press releases, no sponsored content. Just real picks, published daily. Subscribe to stay ahead without drowning in hype.


Nono: The Kernel-Level Guardian Every AI Agent Needs

AI agents are getting more powerful by the day, and that's precisely why Luke Hinds decided to build Nono. Posted as a Show HN on Hacker News on February 1, 2026, this open-source security tool quickly captured the attention of developers who are waking up to an uncomfortable reality: letting an AI agent run code on your machine without proper isolation is essentially handing it the keys to your digital kingdom.

The problem Nono solves is easy to state and hard to overstate. When you run an AI agent such as Claude Code, or any other autonomous coding assistant, you are allowing software with unpredictable behaviour to execute arbitrary commands on your system. A prompt injection, a hallucinated command, or a compromised tool can read your ~/.ssh directory, exfiltrate API credentials, or worse. Application-level sandboxes, meaning a policy enforced by the same process that runs the agent or by a library the agent's code can reach, give a false sense of security: they can be bypassed by the very code they are supposed to contain.

Nono takes a fundamentally different approach: it relies on kernel-enforced security primitives that a confined process cannot lift from user space. On Linux it uses the Landlock LSM (in mainline since kernel 5.13); on macOS it uses Seatbelt through sandbox_init. Once the policy is applied and the command executes, there is no system call that widens it. Landlock rulesets can only stack as further restrictions, and they are inherited by every child process. The kernel simply says no, and that's that. Two caveats a practitioner will want: Landlock has to be enabled in the running kernel (compiled in and listed in the lsm= boot parameter, which most current distributions do by default), so verify that before trusting it; and Landlock confines filesystem access (plus, on recent kernels, TCP), not memory, devices or every other kernel interface, so it narrows what an agent can touch rather than replacing a VM.

Using Nono is refreshingly straightforward. A typical command looks like `nono run --read ./src --allow ./output -- cargo build`, which restricts the build process to reading from your source directory and writing only to the output folder. Need to block network access entirely? Just add `--net-block` (note that Landlock's own network rules, which cover TCP bind and connect, only arrived in kernel 6.7, so check what the flag enforces on older kernels). Working with API keys? Nono can load secrets from the macOS Keychain or the Linux Secret Service, inject them as environment variables, and zeroize its own copies immediately after execution. The sandboxed command still holds those values in its environment while it runs, so the filesystem and network limits are what keep them from leaving the machine. It even has built-in protection against destructive commands such as `rm -rf ~/`, which should save more than a few developers from catastrophic accidents.

The project itself is a testament to focused engineering. Written in roughly 2,000 lines of Rust, it uses the landlock crate on Linux and raw FFI to sandbox_init() on macOS. All paths are canonicalized at grant time, so a grant on a path that is itself a symlink applies to the real directory rather than letting the link quietly widen the policy. It is the kind of lean, security-critical codebase that can be read end to end, which is what inspires confidence.
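To make the kernel-enforcement and canonicalization points concrete, here is an added example in C that is not Nono's code (Nono uses the landlock crate; this uses the raw Landlock syscalls). It canonicalizes the granted directory with realpath() before opening it, confines a forked child to read-only access beneath that directory, and then has the child try to widen its own policy with a second ruleset that allows everything beneath "/". The temp directory under /tmp, the blocked path /etc/passwd, and every function name here are assumptions of this example.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Landlock ABI declared locally so this builds without <linux/landlock.h>.
 * The syscall numbers are the same on every architecture. */
#ifndef __NR_landlock_create_ruleset
#define __NR_landlock_create_ruleset 444
#endif
#ifndef __NR_landlock_add_rule
#define __NR_landlock_add_rule 445
#endif
#ifndef __NR_landlock_restrict_self
#define __NR_landlock_restrict_self 446
#endif
#define LL_CREATE_RULESET_VERSION (1U << 0)
#define LL_RULE_PATH_BENEATH 1
#define LL_FS_READ_FILE (1ULL << 2)
#define LL_FS_READ_DIR (1ULL << 3)
#define LL_FS_ALL_ABI1 ((1ULL << 13) - 1) /* bits 0..12: execute, write, read, mkdir, unlink, ... */

struct ll_ruleset_attr { uint64_t handled_access_fs; };
struct ll_path_beneath_attr { uint64_t allowed_access; int32_t parent_fd; } __attribute__((packed));

/* >= 1 when the running kernel has Landlock enabled, -1 otherwise (ENOSYS: kernel
 * too old; EOPNOTSUPP: built without it or missing from lsm=; EPERM: seccomp). */
int landlock_abi_version(void) {
    long v = syscall(__NR_landlock_create_ruleset, NULL, 0, LL_CREATE_RULESET_VERSION);
    return v < 0 ? -1 : (int)v;
}

/* Grant `access` beneath `path`. realpath() first, so the grant is recorded against
 * the real directory: a ./src that is a symlink to / would otherwise quietly
 * become a grant on the whole filesystem. */
static int allow_beneath(int ruleset_fd, const char *path, uint64_t access) {
    char real[PATH_MAX];
    if (!realpath(path, real)) return -1;
    int fd = open(real, O_PATH | O_CLOEXEC);
    if (fd < 0) return -1;
    struct ll_path_beneath_attr rule = { .allowed_access = access, .parent_fd = fd };
    int rc = (int)syscall(__NR_landlock_add_rule, ruleset_fd, LL_RULE_PATH_BENEATH, &rule, 0);
    close(fd);
    return rc;
}

/* Handle every ABI-1 filesystem access (so anything not explicitly allowed is denied),
 * allow `access` beneath `dir`, and apply the ruleset to the calling process.
 * Irreversible, and inherited by every child the process spawns. */
static int restrict_to(const char *dir, uint64_t access) {
    struct ll_ruleset_attr attr = { .handled_access_fs = LL_FS_ALL_ABI1 };
    int ruleset_fd = (int)syscall(__NR_landlock_create_ruleset, &attr, sizeof attr, 0);
    if (ruleset_fd < 0) return -1;
    int rc = -1;
    if (allow_beneath(ruleset_fd, dir, access) == 0 && prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == 0)
        rc = (int)syscall(__NR_landlock_restrict_self, ruleset_fd, 0);
    close(ruleset_fd);
    return rc;
}

static int can_read(const char *path) {
    int fd = open(path, O_RDONLY | O_CLOEXEC);   /* under Landlock a denied path gives EACCES */
    if (fd < 0) return 0;
    close(fd);
    return 1;
}

/* Fork a child, confine it to read-only access beneath a fresh temp dir, and check that
 * (a) a file inside is still readable, (b) `blocked` is not, and (c) applying a second,
 * wider ruleset afterwards cannot lift the first. Returns the child's verdict:
 *   0 sandbox held   1 sandbox did NOT hold   2 Landlock unsupported   3 setup error */
int sandbox_probe(const char *blocked) {
    if (landlock_abi_version() < 1) return 2;
    char dir[] = "/tmp/llprobe.XXXXXX";          /* constructed allowed directory */
    if (!mkdtemp(dir)) return 3;
    char inside[PATH_MAX];
    snprintf(inside, sizeof inside, "%s/ok.txt", dir);
    int fd = open(inside, O_WRONLY | O_CREAT | O_EXCL | O_CLOEXEC, 0600);
    if (fd < 0) { rmdir(dir); return 3; }
    if (write(fd, "hello\n", 6) != 6) { close(fd); unlink(inside); rmdir(dir); return 3; }
    close(fd);

    pid_t pid = fork();
    if (pid < 0) { unlink(inside); rmdir(dir); return 3; }
    if (pid == 0) {
        if (restrict_to(dir, LL_FS_READ_FILE | LL_FS_READ_DIR) < 0) _exit(3);
        if (!can_read(inside)) _exit(3);        /* the allowed path must still work */
        if (can_read(blocked)) _exit(1);        /* the denied path must not */
        /* Try to widen: allow everything beneath "/". Landlock only ever intersects
         * rulesets, so the earlier denial must still stand. */
        if (restrict_to("/", LL_FS_ALL_ABI1) < 0) _exit(3);
        _exit(can_read(blocked) ? 1 : 0);
    }
    int status = 0;
    waitpid(pid, &status, 0);
    unlink(inside);
    rmdir(dir);
    return WIFEXITED(status) ? WEXITSTATUS(status) : 3;
}

int main(void) {
    static const char *const verdict[] = { "sandbox held", "sandbox did NOT hold",
                                           "Landlock unsupported on this kernel", "setup error" };
    int r = sandbox_probe("/etc/passwd");
    printf("Landlock ABI %d: %s\n", landlock_abi_version(), verdict[r]);
    return r;
}
```

Build with `cc -o llprobe llprobe.c` and run it; the exit status is the verdict. The point of the version check is that a Landlock-based sandbox on a kernel without Landlock enabled protects nothing, so a tool in this space should refuse to run (or say so loudly) rather than silently fall through, and the widening attempt in the child is the executable form of the claim that there is no system call to expand permissions once the policy is applied.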

Nono was originally built for OpenClaw, an AI agent platform, but Hinds quickly realized that every agent runner faces this same security challenge. With AI agents increasingly being granted broad system permissions across the industry, tools like Nono aren’t just nice to have—they’re becoming essential infrastructure. The fact that it shot to the top of Hacker News within hours of release suggests that developers are hungry for practical solutions to this growing problem.

If you're experimenting with AI agents or already using them in your workflow, Nono deserves a spot in your toolkit. It's available under the Apache 2.0 license at nono.sh, and the community is already contributing improvements. In a world where AI capabilities are advancing faster than our security practices can keep up, Nono offers something invaluable: confidence that your helpful AI assistant can't, accidentally or maliciously, burn down your digital house.

