NanoClaw: The Container-Isolated AI Agent Platform You Can Actually Audit

NanoClaw is a personal AI assistant framework built on Anthropic’s Claude Agent SDK. It launched at the end of January 2026 and gained significant early traction, reaching thousands of GitHub stars within its first weeks.

What makes it different: every agent runs in its own Linux container. That’s OS-level isolation, not application-level permission checks. If an agent goes rogue, it’s trapped in the container — no access to your host filesystem, no lateral movement.

We run NanoClaw in production at Cybernauten for internal automation and research workflows. It handles scheduled tasks and isolated jobs with strong security boundaries.

If you’re building multi-agent systems on Claude and you care about security, auditability, and simplicity, NanoClaw is worth serious consideration.

What Is NanoClaw?

NanoClaw is an open-source framework for running Claude-powered AI agents with container isolation. It’s built by Gavriel Cohen, an Israeli developer who created it after encountering security concerns with OpenClaw while running his digital marketing agency.

The architecture is deliberately simple. A single Node.js process manages message queues (stored in SQLite), spawns Docker containers for agent execution, and handles conversation routing. Each messaging group gets its own isolated sandbox with its own CLAUDE.md context file.

The codebase is ~4,000 lines of TypeScript across ~15 files. You can audit the entire thing in about 8 minutes. Compare that to OpenClaw’s 434,000 lines (audit time: 1–2 weeks) or LangChain’s tens of thousands of lines.

NanoClaw integrates with WhatsApp (primary), Telegram, Discord, Slack, and Gmail. It supports scheduled tasks, Agent Swarms (multi-agent coordination), and a skills system for extensibility. Everything runs locally — you control the infrastructure, you own the data.

The project is MIT licensed with a commitment from the creator to keep it open source forever.

Why Container Isolation Matters

Most AI agent frameworks use application-level security. They give the LLM a list of allowed operations and hope it follows the rules. If the model misbehaves, hallucinates a command, or gets prompt-injected, it has direct access to your host system.

NanoClaw uses a different model. Each agent runs in a Linux container — Docker on Linux, Apple Container on macOS. Apple Container is Apple’s official container runtime (introduced with macOS 15), distinct from Docker Desktop. It runs lightweight Linux VMs using Apple’s native Virtualization.framework — no Rosetta emulation, no x86 translation overhead on Apple Silicon. For Mac developers, this means native-speed container isolation without Docker Desktop or its licensing overhead. The container only sees directories you explicitly mount. The agent can run Bash commands, edit files, and execute code — but it’s all happening inside the sandbox.

If something goes wrong, the blast radius is limited to the container. The agent can’t:

• Access other groups’ data
• Read your SSH keys or credentials
• Write to system directories
• Break out to the host

This is the same isolation model used by CI/CD runners and production container orchestration. It’s battle-tested infrastructure applied to AI agents.

Andrej Karpathy praised NanoClaw’s auditability and configurability, calling out the manageable codebase and skill-based configuration as key strengths.

Agent Swarms: How Multi-Agent Coordination Works

NanoClaw is the first personal AI assistant to support Agent Swarms — teams of specialized agents collaborating on complex tasks.

Agent Swarms are a native feature of the Claude Agent SDK. Instead of one agent trying to do everything, you spawn multiple agents with different roles. Each agent runs in its own container with its own context window.

Example role split for a content workflow:

• Researcher agent: Gathers facts, verifies sources, produces structured research documents
• Writer agent: Takes research and produces prose following editorial guidelines
• Editor agent: Reviews drafts against quality checklist — uses NanoClaw’s call_llm MCP tool to call GPT-5.4 externally for cross-checking (NanoClaw itself runs on Claude, but the agent can call external APIs via MCP tools)
• QA agent: Validates frontmatter, checks links, ensures MDX syntax is correct
• Publisher agent: Finalizes files, commits to git, triggers deployment

Each agent sees only the files it needs. The Researcher works in the research directory. The Writer sees the assignment and research but not the full pipeline. The Publisher has read-only access to drafts and write access to the repo.

Agent Swarms handle coordination via inter-agent messaging and shared task lists. Agents can work in parallel — multiple researchers investigating different angles simultaneously, then synthesizing results. This is how you scale from “one AI assistant” to “AI team.”

What You Can Build With NanoClaw

NanoClaw isn’t trying to be everything. It’s designed for personal and small-team use cases where you want Claude-native infrastructure with strong isolation guarantees.

Content pipelines: Research → Writing → Editing → QA → Publishing workflows with specialized agents handling each step. That’s what we do.

Internal tooling: The creator built NanoClaw for his agency to give team members WhatsApp access to sales pipeline data without building custom dashboards.

Code assistance: Local code analysis and generation that keeps proprietary code private. Agent runs in a container with read access to your codebase but no network access.

Data analysis: Process sensitive business data locally. Agent has access to data files but can’t send them anywhere.

Automation: Scheduled tasks that run autonomously. Cron-style jobs with exponential backoff for retries. Each job runs with or without conversation history depending on whether you need context.

The pattern: specialized agents, isolated environments, Claude-powered reasoning, local execution.

Architecture: Single Process, Maximum Simplicity

NanoClaw runs as a single Node.js process. That’s it. No microservices, no message brokers, no distributed coordination.

Message flow:

1. WhatsApp message arrives via Baileys library
2. Message stored in SQLite queue
3. Per-group polling loop picks up message
4. Container spawned for that group’s agent
5. Claude Agent SDK runs agentic loop (read files, edit code, run commands)
6. Response streamed back to messaging channel
7. Container shuts down

State lives in SQLite. Context lives in per-group CLAUDE.md files. Communication between host and container happens via filesystem mounts and environment variables.

This architecture has trade-offs:

• Pros: Easy to understand, straightforward debugging, minimal dependencies, runs on cheap VPS
• Cons: Container spawn adds latency, no horizontal scaling, designed for single machine

For personal use and small teams, the simplicity wins. For enterprise multi-tenant deployments, look at OpenClaw or LangChain.

NanoClaw vs. OpenClaw

OpenClaw is the full-featured distributed AI agent system that preceded NanoClaw. NanoClaw was created specifically to solve OpenClaw’s security problems.

Key differences:

Aspect	NanoClaw	OpenClaw
Codebase Size	~4,000 lines, 15 files	~434,000 lines, 53 config files
Security Model	OS-level container isolation	Application-level allowlists
Architecture	Single Node.js process	Microservices with HTTP
Audit Time	~8 minutes	1–2 weeks
Dependencies	~5	70+
Customization	Fork and modify code	Configure via YAML/JSON
Agent Isolation	Yes, by default	No, process-level only

OpenClaw has more features and handles distributed team scenarios. NanoClaw is simpler, more secure, and easier to audit.

If you’re a single developer or small team and you care about understanding the system you’re running, NanoClaw is the better choice.

NanoClaw vs. LangChain and CrewAI

NanoClaw isn’t trying to replace LangChain or CrewAI. It occupies a different niche.

LangChain is a general-purpose LLM orchestration framework. It supports every major LLM, has 600+ integrations, and powers enterprise RAG systems. It’s also complex — steep learning curve, many abstraction layers, overkill for simple use cases.

CrewAI is a role-based multi-agent system built on LangChain. You define agents with roles, goals, and tools via YAML config. It’s intuitive for multi-agent work distribution but inherits LangChain’s complexity.

NanoClaw is Claude-only, personal assistant-focused, and designed for developers who want to understand and modify the code directly. It’s not LLM-agnostic. It doesn’t have 600 integrations. It has 4,000 lines you can read.

When to use each:

• LangChain: Enterprise systems, multi-LLM hybrid approaches, complex RAG workflows
• CrewAI: Role-based agent teams with clear task delegation
• NanoClaw: Claude-native workflows, container-isolated agents, code you can audit

Example NanoClaw Workflow

We run NanoClaw on a Hetzner Proxmox VM to power our content operations. Our entire publication workflow is agent-driven.

When we decide to cover a new tool:

1. Assignment brief gets created with target keyword, content type, and angle
2. Researcher agent spawns, gathers facts from official docs, GitHub, and trusted sources
3. Research document saved with citations
4. Writer agent spawns, reads research and assignment, produces draft
5. Formatter agent cleans up Markdown and frontmatter
6. Editor agent reviews against checklist (calls GPT-5.4 externally via call_llm MCP tool to avoid echo chambers — NanoClaw’s agents run on Claude, but MCP tools can reach external APIs)
7. If revisions needed, Writer fixes and resubmits (max 3 revisions)
8. QA agent validates frontmatter schema, checks links, runs technical validation
9. Publisher agent finalizes MDX, commits to git, triggers Astro build

Each agent runs in an isolated container. The Researcher sees only the assignment directory. The Writer sees assignment + research but not the full repo. The Publisher has controlled write access.

This gives us:

• Security: Agents can’t accidentally touch files they shouldn’t
• Clarity: Each agent has a single job, minimal context
• Debugging: If something breaks, container logs show exactly what the agent tried to do
• Scalability: We can parallelize research across multiple agents

We’re not “fully autonomous” — there’s human oversight (me, as Chef vom Dienst) coordinating the pipeline. But the grunt work is delegated to agents, and container isolation means we can trust them with production tasks.

What Works Well, What’s Still Rough

NanoClaw is about two months old. It’s impressive for its age, but there are rough edges.

What works:

• Container security model is solid. We’ve had zero issues with agents accessing files they shouldn’t.
• WhatsApp integration is stable. Per-group isolation works as advertised.
• Agent Swarms coordination via Claude SDK is reliable. Agents spawn, execute, and return results without intervention.
• SQLite state management is lightweight and fast for our scale.
• Claude Code CLI setup is smooth. The AI walks you through dependencies, auth, and container config interactively.

What’s rough:

• Container overhead is noticeable. Each message has spawn latency. For interactive chat, it’s tolerable. For high-throughput scenarios, it would be a problem.
• No GUI. Everything is CLI/API-first. That’s fine for developers, less ideal for non-technical operators.
• Early documentation. You’ll need to read code to understand some behaviors.
• No built-in observability. You instrument it yourself with logs and monitoring.

What’s missing:

• Long-term memory beyond SQLite (no vector DB or RAG integration out of the box)
• Horizontal scaling (designed for single machine)
• Enterprise features (multi-user auth, audit logs, role-based access)

For a personal AI assistant or small-team automation tool, these limitations aren’t blockers. For enterprise deployment, you’d need to extend it or look elsewhere.

Pricing: Just API Costs

NanoClaw is MIT licensed and completely free. No subscription, no vendor fees.

What you pay for:

• Claude API usage: Anthropic charges per token. Sonnet is ~$3/MTok input, ~$15/MTok output (as of March 2026). For reference: a full content workflow (Researcher → Writer → Editor → QA → Publisher) consumes roughly 394,000 tokens per article, coming to approximately $5.50 at current Sonnet pricing. For moderate usage across workflows, expect $5–50/month depending on volume.
• Infrastructure: A $5–15/month VPS (Hetzner, DigitalOcean, Linode) is enough for personal use. Costs increase if you’re running additional services on the same host.

Total cost: $5–50/month for most users. No vendor lock-in. You control the deployment, you own the infrastructure.

Compare to proprietary AI agent platforms that charge $50–500/month subscription fees on top of API costs.

Installation and Setup

NanoClaw requires:

• Node.js 20+
• Docker (Linux) or Apple Container (macOS, requires Ventura+ with virtualization enabled)
• Anthropic API key
• Claude Code CLI (recommended for setup)

Setup is AI-assisted via Claude Code. Run /setup and Claude walks through dependency checks, WhatsApp authentication, container configuration, and skills setup.

The process:

1. Clone the repo: git clone https://github.com/qwibitai/nanoclaw.git
2. Run setup: npm install && npm run setup
3. Authenticate WhatsApp (QR code scan)
4. Configure skills (Telegram, Discord, Slack, etc.)
5. Run: npm start

For production deployment on a VPS, deployment guides exist for Hetzner, DigitalOcean, and AWS.

Who Should Use NanoClaw?

Best for:

• Individual developers building agent-driven workflows
• Startup teams automating internal processes
• Content operations (research, writing, publishing pipelines)
• Founders who want AI infrastructure they can audit and control
• Security-conscious users who need OS-level isolation

Not for:

• Enterprise teams needing multi-tenant SaaS deployments
• Developers requiring multi-LLM flexibility (OpenAI + Anthropic + Cohere)
• Users unfamiliar with Docker, Node.js, and CLI tools
• Teams needing GUI dashboards for non-technical operators

If you’re technical, you trust Claude, and you care about security and simplicity, NanoClaw is the most practical personal AI assistant framework available right now.

The Verdict

NanoClaw does one thing exceptionally well: it gives you Claude-powered agents with OS-level isolation in a codebase you can actually understand.

The 4,000-line architecture is a feature, not a compromise. You can read the code, understand the security model, and modify the behavior without navigating plugin APIs or YAML configuration hell.

Container isolation solves the trust problem. You can give agents powerful tools (file access, Bash execution) without worrying about runaway behavior. If something breaks, the container is the boundary.

Agent Swarms support via Claude SDK makes multi-agent coordination straightforward. A content workflow — research, writing, editing, QA, publishing — works best when each agent has a clear role and isolated execution environment.

The trade-offs are honest. This isn’t for enterprise multi-tenant deployments. It’s not horizontally scalable. It’s Claude-only. But if you’re building on Claude and you want infrastructure you can trust, NanoClaw is the right tool.

We use it in production. It works.

Score: 8.5/10

When to use NanoClaw: You’re building agent workflows on Claude, you care about security, and you want code simple enough to audit in minutes.

When to skip it: You need multi-LLM support, GUI dashboards, or enterprise features like multi-tenancy and RBAC.

The one-line take: Container isolation + auditable code + Agent Swarms = the most practical personal AI assistant framework for Claude-native workflows.

FAQ

Is NanoClaw production-ready?

It’s young (launched Jan 31, 2026), but it can run in production for content operations without issues. Expect rough edges and early documentation, but the core architecture is solid.

Can I use NanoClaw with OpenAI or other LLMs?

NanoClaw agents run on Claude via Anthropic’s Claude Agent SDK — that’s not configurable. However, agents can call external LLM APIs (like OpenAI GPT-5.4) as tool calls via MCP, if you configure those tools and supply your own API keys. This is opt-in and different from native multi-LLM orchestration. If you need full multi-LLM routing, use LangChain.

How does NanoClaw handle long-term memory?

Conversation history is stored in SQLite. For semantic search or RAG over past conversations, you’d need to extend it with a vector database via a custom MCP server.

Does NanoClaw support horizontal scaling?

No. It’s designed as a single-machine deployment. For distributed multi-instance scenarios, look at OpenClaw.

What’s the container overhead?

Each message spawns a Docker container, which adds latency. For interactive chat, it’s acceptable. For high-throughput scenarios, it could be a bottleneck. We don’t have official benchmarks yet.

Can I contribute to NanoClaw?

Yes. It’s MIT licensed on GitHub. Community contributions and forks are encouraged.