Spin up a full development environment in seconds — just by asking your agent.
Each devbox is an isolated container with VSCode in your browser, a visual desktop via VNC, headless Chromium for testing, and up to 5 routable app ports — all accessible via clean URLs on your domain. No SSH tunnels, no port forwarding, no "works on my machine".
Need to prototype something? Clone a repo and start coding? Debug a frontend on a real browser? Spin up a devbox. It self-registers with Traefik, assigns itself a unique ID, and hands you ready-to-use URLs. When you're done, tear it down. Zero cleanup.
Whether you're working from your laptop, a tablet, or someone else's machine — your full dev environment is one URL away.
- Self-registering containers — auto-assigns ID, configures routing, builds `APP_URL_*` env vars
- Flexible routing — choose between Traefik (self-managed) or Cloudflare Tunnels (zero open ports)
- VSCode Web — browser-based IDE on port 8000
- noVNC — visual desktop access on port 8002
- Chromium CDP — headless browser automation on port 9222
- 5 app slots — routed via Traefik with configurable tags (e.g. `api`, `app`, `dashboard`)
- Project setup scripts — `.openclaw/setup.sh` convention for automated repo setup
- nvm — Node version management, reads `.nvmrc` automatically

```
+-----------------------------------------------------------+
| Devbox Container (ghcr.io/adshrc/openclaw-devbox:latest)  |
|                                                           |
|  +----------+  +----------+  +-------------------+        |
|  |  VSCode  |  |  noVNC   |  |  Chromium (CDP)   |        |
|  |  :8000   |  |  :8002   |  |  :9222            |        |
|  +----------+  +----------+  +-------------------+        |
|                                                           |
|  App 1 :8003   App 2 :8004   App 3 :8005                  |
|  App 4 :8006   App 5 :8007                                |
+----------------------------+------------------------------+
                             |
                 +-----------------------+
                 |  Traefik/Cloudflared  |
                 +-----------------------+
                             |
           Browser: https://{tag}-{id}.{domain}
```

The OpenClaw container needs access to the Docker daemon on the host to manage devbox containers. Start your OpenClaw container with these additional flags:

```bash
-v /var/run/docker.sock:/var/run/docker.sock
-v /usr/bin/docker:/usr/bin/docker:ro
```

On the host, set the correct permissions to make the Docker socket accessible:

```bash
chmod 666 /var/run/docker.sock
```

Mode 666 makes the socket usable by every local user and by any container it is mounted into, and access to the Docker socket is equivalent to root on the host.

Note: This must be done on the host machine before starting the OpenClaw container. If the container is already running, restart it after adding the volume mounts (e.g. in docker-compose.yml).

Important: The host path mapped to `/home/node/.openclaw` inside the OpenClaw container must not be a system directory (e.g. `/etc`, `/proc`, `/sys`, `/dev`, `/root`, `/boot`, `/run`, `/var/run`). Use a dedicated path like `/home/openclaw` or `/opt/openclaw` instead.
Devboxes need a way to expose services via URLs. Choose one:
Traefik is best for servers with an existing Traefik setup.
If you haven't set up Traefik yet, follow the OpenClaw + Traefik Setup Guide.
Devbox containers automatically register Traefik routes on startup by writing config files to the Traefik config directory.
Your OpenClaw container needs the Traefik config directory mounted. Start your OpenClaw container with this additional flag (if not within /home/openclaw):

```bash
-v path_to_traefik:/home/node/.openclaw/traefik
```

Make sure that you have a wildcard DNS record (`*.example.com`) pointing to your server.
Cloudflare Tunnels are best for environments without a reverse proxy, behind NAT, or where you don't want to expose any ports.
Each devbox starts cloudflared internally and registers DNS records via the Cloudflare API. All traffic is routed through Cloudflare's network — no open ports or Traefik needed.
Requirements:
- A Cloudflare account with a domain managed by Cloudflare
- A Cloudflare API token with Zone:DNS:Edit and Account:Tunnel:Edit permissions
During onboarding, the agent will:
- Validate your Cloudflare API token
- Look up the Zone ID for your domain
- Create a named tunnel (`openclaw-devboxes`)
- Store `CF_API_TOKEN`, `CF_ZONE_ID`, `CF_ACCOUNT_ID`, `CF_TUNNEL_ID`, and `CF_TUNNEL_TOKEN` in the agent config

```bash
npx clawhub@latest install devboxes
```

OR

```bash
git clone https://github.com/adshrc/openclaw-devboxes-skill
```

then copy the SKILL.md and references/ directories into your OpenClaw workspace:

```
/home/node/.openclaw/workspace/skills/devboxes/
├── SKILL.md
└── references/
    └── setup-script-guide.md
```

Once installed, simply ask your OpenClaw agent:
"Set up the devboxes skill"
The agent will read the skill's onboarding instructions and handle everything:
- Pull the Docker image
- Set up the counter file and permissions
- Configure `openclaw.json` with the devboxes agent
- Ask you for your domain and GitHub token
After setup, just ask:
"Spin up a devbox for project X"
The agent spawns a container, waits for self-registration, and returns your URLs.
The devbox agent config maps these paths from the OpenClaw container into each devbox:
| Agent path | Devbox container path | Purpose |
|---|---|---|
| `/home/node/.openclaw/.devbox-counter` | `/shared/.devbox-counter` | ID counter |
| `/home/node/.openclaw/traefik/configs` | `/traefik` | Traefik route configs (Traefik mode only) |

Important: Both paths must be writable by sandbox containers (UID 1000). The counter file needs `chmod 666`, and the Traefik devboxes dir should be owned by `1000:1000`.
Each container's entrypoint automatically:
- Reads and increments the shared counter → assigns `DEVBOX_ID`
- Builds `APP_URL_1..5`, `VSCODE_URL`, `NOVNC_URL` from tags + domain + ID
- Writes env vars to `/etc/devbox.env` and `/etc/profile.d/devbox.sh` (available in all shells)
- Routes based on `ROUTING_MODE`:
  - Traefik (default): Writes config to `/traefik/devbox-{id}.yml`
  - Cloudflare Tunnel: Generates cloudflared ingress config, registers DNS CNAME records via CF API, starts `cloudflared tunnel run`

No manual routing or ID assignment needed.
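
The counter and URL-building steps above, sketched as an added example; this is not the project's entrypoint script. It assumes `DEVBOX_ID` is the incremented counter value and that `flock` is available; the locking, the tag validation and the function names `next_devbox_id`, `devbox_url` and `devbox_env` are illustrative.

```sh
#!/bin/sh
# Added example, not the project's entrypoint. Paths, ports and URL scheme follow
# the page; flock locking, tag checks and function names are assumptions.
set -eu
export LC_ALL=C   # keep a-z in the patterns below ASCII-only

# Read-and-increment the shared counter under an exclusive lock: the file is
# world-writable, so two devboxes starting together could otherwise claim the
# same DEVBOX_ID. The ( ) body is a subshell, so fd 9 and the lock end with it.
next_devbox_id() (
  counter=$1
  exec 9<>"$counter"                 # open read/write without truncating
  flock -x 9
  id=$(cat "$counter")
  case $id in
    '') id=0 ;;                      # fresh, empty counter file
    *[!0-9]*|0?*) echo "corrupt counter: $counter" >&2; exit 1 ;;  # fail closed
  esac
  id=$((id + 1))
  echo "$id" >"$counter"
  echo "$id"
)

# A tag ends up in a hostname and in a config file the proxy loads: allow only
# lowercase letters, digits, inner hyphens; keep "{tag}-{id}" within 63 bytes.
devbox_url() (
  tag=$1 id=$2 domain=$3
  case $tag in
    ''|-*|*-|*[!a-z0-9-]*) echo "invalid tag: $tag" >&2; exit 1 ;;
  esac
  label="$tag-$id"
  [ "${#label}" -le 63 ] || { echo "label too long: $label" >&2; exit 1; }
  echo "https://$label.$domain"      # scheme from the page: {tag}-{id}.{domain}
)

# Emit the variables the page lists; slots 1..5 map to ports 8003..8007.
devbox_env() (
  id=$1 domain=$2; shift 2
  echo "DEVBOX_ID=$id"
  slot=1
  for tag in "$@"; do
    url=$(devbox_url "$tag" "$id" "$domain") || exit 1
    echo "APP_PORT_$slot=$((8002 + slot))"
    echo "APP_URL_$slot=$url"
    slot=$((slot + 1))
  done
  echo "VSCODE_URL=$(devbox_url vscode "$id" "$domain")"
  echo "NOVNC_URL=$(devbox_url novnc "$id" "$domain")/vnc.html"
)
```
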
The devbox working directory is /workspace. Cloned repos should live under /workspace/<repo>.
OpenClaw manages the container lifecycle — containers are removed when sessions end. Traefik route configs left behind are harmless.
Projects can include .openclaw/setup.sh for automated setup inside a devbox:
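
```bash
#!/bin/bash
# Load nvm, then install and select the Node version pinned in .nvmrc
export NVM_DIR="/root/.nvm"
[ -s "$NVM_DIR/nvm.sh" ] && . "$NVM_DIR/nvm.sh"
nvm install && nvm use
npm install
# Create .env from the template and point the app at slot 1's internal port
# (anchored with ^ so keys such as DB_PORT= are left untouched)
cp template.env .env
sed -i "s/^PORT=.*/PORT=$APP_PORT_1/" .env
# Run the dev server in a detached tmux session that stays open afterwards
tmux new -d -s my-server "source /root/.nvm/nvm.sh; nvm use; npm run dev; exec \$SHELL"
echo "Running at $APP_URL_1"
```

See setup-script-guide.md for full conventions.
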
| Variable | Example | Description |
|---|---|---|
| `ROUTING_MODE` | `traefik` or `cloudflared` | Routing backend (default: `traefik`) |
| `GITHUB_TOKEN` | `ghp_...` | GitHub PAT for cloning |
| `DEVBOX_DOMAIN` | `example.com` | Base domain |
| `APP_TAG_1..5` | `app1`, `app2`, ... | Route tags (e.g. use "app1" as "api") |
| `ENABLE_VNC` | `true` | Enable noVNC |
| `ENABLE_VSCODE` | `true` | Enable VSCode Web |
| `CF_TUNNEL_TOKEN` | `eyJ...` | Cloudflare tunnel run token (cloudflared only) |
| `CF_API_TOKEN` | `abc123` | CF API token for DNS registration (cloudflared only) |
| `CF_ZONE_ID` | `xyz789` | CF zone ID for the domain (cloudflared only) |
| `CF_TUNNEL_ID` | `uuid` | CF tunnel ID for CNAME targets (cloudflared only) |

| Variable | Example | Description |
|---|---|---|
| `DEVBOX_ID` | `1` | Auto-assigned sequential ID |
| `APP_URL_1..5` | `https://app1-1.example.com` | Full URLs per app slot |
| `APP_PORT_1..5` | `8003..8007` | Internal ports |
| `VSCODE_URL` | `https://vscode-1.example.com` | VSCode Web URL |
| `NOVNC_URL` | `https://novnc-1.example.com/vnc.html` | noVNC URL |

| Port | Service |
|---|---|
| 8000 | VSCode Web |
| 8002 | noVNC |
| 9222 | Chrome DevTools Protocol (CDP) |
| 8003-8007 | App slots 1-5 |
The devbox agent has browser access via Chromium CDP on port 9222. The subagent can use the browser tool to navigate, screenshot, and interact with apps running inside the container (use http://localhost:{port}).
- Sandbox containers run with all Linux capabilities dropped (`CapDrop: ALL`). Bind-mounted files/dirs must be world-writable.
- The devbox working directory is always `/workspace`.
MIT