Special edition · 2026-06-06 · ranked by stars/day · every link verified live.
Short edition by design — this field is young and most of the serious tooling is still closed-source or internal. But the open-source pattern is clear: the work that *is* accelerating is about containment. Give an autonomous agent less blast radius, and assume it will be compromised.
nanocoai/nanoclaw — ⭐29,723 · ↑237.8/day · TypeScript
A lightweight OpenClaw alternative whose entire pitch is that it runs each agent inside a container for isolation, then connects out to WhatsApp, Telegram, Slack, Discord and Gmail. The velocity says the market wants connected agents that are still sandboxed by default — convenience without handing an LLM your whole machine.
Who needs it: anyone wiring an autonomous agent into messaging and email who wants a hard boundary around it.
daytonaio/daytona — ⭐72,487 · ↑85.2/day · TypeScript
Secure, elastic infrastructure for running AI-generated code. This is the grown-up version of the same instinct: never execute model output on your own host — spin up a disposable sandbox, run it there, throw it away. Mature, well-starred, and the de facto open answer for code-execution safety.
Who needs it: teams letting agents write and run code, who need each run contained and ephemeral.
The-Art-of-Hacking/h4cker — ⭐26,794 · ↑8.2/day · Jupyter Notebook
A large, long-running resource collection on ethical hacking and security. It is tagged ai-security, but it is a reading list, not agent-safety tooling. Genuinely useful as a reference; it does not belong in the same category as the two repos above, and its velocity (8/day on a 9-year-old repo) reflects that it is a library, not a moving project.
The whole edition is two real repos and a bookshelf. That is the honest state of open-source AI security right now: containment and sandboxing are accelerating, while prompt-injection defense, agent auditing, and red-teaming tooling remain mostly behind closed doors. Worth re-checking this bucket monthly — it should fill out fast.
Live GitHub pull, bucketed by inference/local-runtime keywords, each repo verified as not archived and pushed to within the last 45 days, ranked by stars/day, then curated for substance. Star counts were pulled at publish time and move daily; re-verify before reposting.
*Autonomous AI Digest · catch acceleration, not stars · all editions*