NanoClaw Challenges OpenClaw with Container-Isolated AI Agents for Enhanced Security
OpenClaw by Peter Steinberger is currently all the rage in the AI world, not only because of its new approach of unleashing an AI agent on the user’s computer, but also because it creates serious security problems. There are already more than 150,000 OpenClaw instances worldwide, mostly run by private users who are potentially easy targets for attacks.
A new open-source project called NanoClaw now promises personal AI assistants with significantly improved security architecture. NanoClaw positions itself as a lean alternative to OpenClaw and addresses fundamental security concerns that can arise with more complex systems.
Criticism of existing solutions
Developer Gavriel Cohen, who worked as a developer for Wix.com for many years, justifies the development of NanoClaw with fundamental concerns about OpenClaw’s architecture. The established project comprises over 52 modules, 45 dependencies, and abstractions for 15 different communication channels. The central criticism: all components run in a single Node.js process with shared memory.
“I cannot sleep peacefully when running software I don’t understand and that has access to my life,” the developer says of his motivation. OpenClaw relies on application-level security through allowlists and pairing codes, rather than on operating system isolation.
Security through container isolation
NanoClaw pursues a fundamentally different approach. The system uses Linux containers (Apple Container on macOS, Docker on Linux) to isolate AI agents. Each agent runs in its own container environment with a separate file system. Agents only gain access to explicitly shared directories.
Concretely, this architecture means that bash commands are executed within the container, not on the host system. Each WhatsApp group gets its own container with an isolated file system and a separate memory file. A compromised agent can only access the resources assigned to it.
Minimalism as principle
The project consistently pursues clarity. The entire codebase consists of a few files in a single Node.js process. The developer states that the architecture can be understood in eight minutes. Core components include:
- Orchestrator for state management and message processing
- WhatsApp integration via the Baileys library
- SQLite database for messages and group management
- Container runner for isolated agent execution
- Task scheduler for recurring tasks
Instead of configuration files, NanoClaw relies on direct code modifications. Users are expected to adapt the system to their needs by having Claude Code modify the source code.
Agent Swarms as unique selling point
As a technical feature, NanoClaw is the first personal AI assistant to support so-called agent swarms. These are teams of specialized agents that work together on complex tasks. The feature is based on the Claude Agent SDK.
Users can instruct the assistant, for example, to analyze git history weekly or summarize messages from specific sources daily. All agents run in their isolated container environments.
Contribution strategy through skills
The project pursues an unusual development strategy. Instead of integrating new features directly into the codebase, contributors should develop so-called skills. These skills are instructions for Claude Code on how to extend a NanoClaw installation with certain functions.
Concretely, this means: if someone wants Telegram support, they don’t create a pull request with Telegram code, but rather a skill file that teaches Claude Code how to adapt the installation accordingly. Users then run the /add-telegram command and receive individually customized code.
Currently, skills are being sought for additional communication channels (Telegram, Slack, Discord), Windows support via WSL2, and session management.
Technical requirements
NanoClaw requires macOS or Linux, Node.js version 20 or higher, and Claude Code. Apple Container on macOS or Docker serves as the container runtime. Installation is done via Claude Code, which handles all dependencies, authentication, and container configuration.
The architecture follows a simple data flow: WhatsApp receives messages, stores them in SQLite, a polling loop processes them, and containers execute the AI agents and send responses back. Communication between processes occurs via the file system.
Open security questions
While container isolation represents a significant security improvement over process-internal permission checks, practical security depends on several factors. The quality of container configuration, the security of mounted directories, and the trustworthiness of the Claude Agent SDK play a central role.
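To make the point about container configuration and mounted directories concrete, here is an added example (not NanoClaw’s own code) of how a container runner could validate per-group mounts before building `docker run` arguments. The function names, the directory layout, the `/workspace` and `/shared` mount points and the image name are assumptions made for illustration.

```javascript
// Added example, not NanoClaw code. Paths, image name and layout are assumptions.
// Lexically normalise an absolute POSIX path ("." and ".." segments resolved).
function normalize(p) {
  if (typeof p !== "string" || !p.startsWith("/")) throw new Error(`not absolute: ${p}`);
  // ":" and "," are separators in docker mount syntax; control chars never belong here.
  if (/[:,\x00-\x1f]/.test(p)) throw new Error(`illegal character in path: ${p}`);
  const out = [];
  for (const seg of p.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") out.pop();
    else out.push(seg);
  }
  return "/" + out.join("/");
}

// True when candidate is root itself or lies below it (both already normalised).
// Comparing with a trailing "/" stops "/notes-private" from matching "/notes".
function isInside(root, candidate) {
  return candidate === root || candidate.startsWith(root === "/" ? "/" : root + "/");
}

// Build `docker run` arguments for one group's agent container.
// NOTE: callers should pass paths already resolved with fs.realpathSync(),
// otherwise a symlink inside an allowed root can still point outside it.
function buildRunArgs({ group, image, dataRoot, sharedDirs, allowedRoots }) {
  if (!/^[a-z0-9][a-z0-9_-]{0,62}$/.test(group)) throw new Error(`bad group id: ${group}`);
  const roots = allowedRoots.map(normalize);
  const args = [
    "run", "--rm", "--name", `agent-${group}`,
    "--cap-drop=ALL", "--security-opt", "no-new-privileges",
    "--read-only", "--tmpfs", "/tmp",
    // The only writable host path: this group's own state directory.
    "-v", `${normalize(dataRoot)}/${group}:/workspace:rw`,
  ];
  sharedDirs.forEach((dir, i) => {
    const real = normalize(dir);
    if (!roots.some((r) => isInside(r, real))) {
      throw new Error(`mount outside allowed roots: ${dir}`);
    }
    args.push("-v", `${real}:/shared/${i}:ro`); // explicitly shared, read-only
  });
  args.push(image);
  return args;
}
```

The returned array is meant to be passed to a process spawner as an argument list rather than joined into a shell string, so the validated paths are never re-parsed by a shell.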
The project refers to a security document that describes the complete security model. The developer emphasizes that the manageable codebase allows users to verify for themselves what they are running.
NanoClaw addresses legitimate security concerns with personal AI assistants through consistent isolation and radical simplification. Whether this approach prevails depends on whether users are willing to trade functionality for clarity and security. The skill-based extension strategy is an interesting experiment whose practical viability remains to be seen.

