NanoClaw: the lightweight, secure alternative to OpenClaw

Just a few weeks after OpenClaw exploded onto the scene with its 145,000 GitHub stars, a new project arrived to shake up the open-source AI OpenClaw ecosystem. NanoClaw, released on 31 January 2026 under the MIT license, takes a radically different approach: a complete AI agent in just 500 lines of TypeScript, with container-based isolation baked in from the ground up. In a single week, the project has already passed 7,000 GitHub stars. Here is a technical look at a project that puts security at the center of everything.

Why NanoClaw exists: OpenClaw's weaknesses

To understand NanoClaw, you first have to understand the problem it solves. OpenClaw is an extraordinarily powerful tool, but that power has a downside: security. By default, OpenClaw runs with the same permissions as the user who launched it. It can read all your files, run any command, and access your SSH keys, your API tokens, and your databases.

Several incidents were documented in the very first weeks:

• Prompt injection through web pages: an attacker embeds hidden instructions in a web page the agent visits, triggering the execution of unwanted commands
• Data exfiltration: the agent, manipulated by a malicious prompt, sends sensitive files to an external server
• Privilege escalation: on certain configurations, the agent manages to obtain rights higher than those of the user

These incidents did not call OpenClaw's usefulness into question, but they highlighted a glaring need: an AI agent that is secure by design, not by after-the-fact configuration.

Architecture: simplicity as a defense

NanoClaw's founding principle fits in a single sentence: what you can audit, you can trust. And to be able to audit it, the code has to be small enough for a human to read and understand.

The core of NanoClaw is only ~500 lines of TypeScript. According to the community's measurements, an experienced developer can audit the entire codebase in about 8 minutes. Compare that with OpenClaw and its tens of thousands of lines of code and hundreds of dependencies, and the difference in philosophy becomes obvious.

The main components

NanoClaw's architecture breaks down into three distinct layers:

1. The orchestration core (~200 lines): manages the agent's lifecycle, communication with the LLM, and tool handling
2. The isolation layer (~150 lines): wraps each execution in an isolated container with strictly defined permissions
3. The interfaces (~150 lines): handle input/output, configuration, and reporting

This simplicity is not a trade-off on features: it is a deliberate architectural choice. NanoClaw relies on Anthropic's Claude Agent SDK for all the complex logic of interacting with LLMs, which lets it stay minimal while remaining functionally complete.

Container-based isolation: the heart of its security

NanoClaw's most distinctive feature is its OS-level container isolation. Every task the agent runs executes in its own isolated container, with strictly limited permissions.

On macOS: Apple Containers

On macOS, NanoClaw uses Apple Containers, Apple's native containerization technology. Each agent runs in an environment completely isolated from the host system:

# Launch NanoClaw with Apple Containers isolation on macOS
npx nanoclaw --runtime apple-container \
  --mount-readonly ~/projects/my-project \
  --allow-network api.anthropic.com \
  "Analyze the source code and suggest improvements"

In this example, the agent has read-only access to the project directory and can only communicate with Anthropic's API. It cannot modify files, access other directories, or contact other servers.

On Linux: Docker

On Linux, NanoClaw uses Docker for isolation. If you don't have Docker installed yet, check out our complete Docker tutorial to get started.

# Install NanoClaw
npm install -g nanoclaw

# Launch with Docker isolation on Linux
nanoclaw --runtime docker \
  --mount-readonly /home/user/project \
  --memory-limit 512m \
  --cpu-limit 1.0 \
  --no-network \
  "Run the unit tests and generate a report"

Note the resource-limiting options: --memory-limit and --cpu-limit prevent the agent from consuming too many system resources, even in the event of an infinite loop or unexpected behavior.

Agent Swarms: the power of the swarm

NanoClaw doesn't just run a single isolated agent. Thanks to its integration with the Anthropic Agent SDK, it natively supports the concept of Agent Swarms. This feature lets you break a complex task down into several subtasks, each run by a specialized sub-agent.

What makes NanoClaw's implementation unique is that each sub-agent gets its own isolated container with its own memory context. Sub-agents cannot access the memory or files of other sub-agents. They communicate exclusively through a message channel controlled by the orchestrating agent.

# Example of a task decomposed into a swarm
nanoclaw --swarm \
  --max-agents 5 \
  --shared-mount-readonly ~/project \
  --output-dir ~/results \
  "Perform a complete security audit of the project:
   analyze the dependencies, review the code,
   test the API endpoints, and generate a consolidated report"

In this example, NanoClaw automatically creates several sub-agents:

• An agent for dependency analysis (npm audit, CVE checking)
• An agent for static code analysis (security patterns, potential injections)
• An agent for API endpoint testing (fuzzing, authentication checks)
• An orchestrating agent that consolidates the results into a final report

Each sub-agent is isolated in its own container. If one of them is compromised (for example, via a prompt injection while analyzing a malicious file), the other agents and the host system remain protected.

The Claude Agent SDK: the foundation

NanoClaw is built on Anthropic's Claude Agent SDK, a development kit that provides the primitives needed to build AI agents. This SDK handles:

• The agent loop: the think-act-observe cycle that lets the agent reason and carry out actions
• Tool management: the interface between the agent and the actions it can perform (reading a file, running a command, etc.)
• Context management: the agent's working memory, including the conversation history and the results of previous actions
• Prompt security: built-in mechanisms to detect and block injection attempts

By building on this SDK rather than reimplementing all the agent logic, NanoClaw can focus on what sets it apart: isolation and security. It's an excellent example of the single-responsibility principle applied to software architecture.

Installation and configuration

Installing NanoClaw is deliberately minimalist:

# Global installation via npm
npm install -g nanoclaw

# Verify the installation
nanoclaw --version

# Configure the Anthropic API key
export ANTHROPIC_API_KEY=your_api_key

# First test with a simple task
nanoclaw "Show this container's system information"

On Linux, make sure Docker is installed and that your user is part of the docker group. Our Docker tutorial covers these prerequisites in detail.

# Verify that Docker is working
docker run hello-world

# If it isn't, add your user to the docker group
sudo usermod -aG docker $USER
# Then log out and log back in

Advanced configuration

For advanced users, NanoClaw supports a YAML configuration file that lets you define reusable execution profiles:

# Create the configuration file
mkdir -p ~/.config/nanoclaw
nano ~/.config/nanoclaw/config.yaml

A typical configuration example for a development project:

# Launch NanoClaw with a specific profile
nanoclaw --profile dev-secure \
  "Review the latest commits and check that they follow the conventions"

OpenClaw vs NanoClaw comparison

The two projects address different needs. Here is an objective comparison to help you choose:

In short: choose OpenClaw if you need maximum flexibility, multi-LLM support, and integration with messaging platforms. Choose NanoClaw if security is your absolute priority, if you work with sensitive data, or if you want to be able to audit your agent's entire codebase.

Defense in depth: the technical mechanisms

Let's go deeper into NanoClaw's security mechanisms. Container isolation is only the first line of defense. The project implements several additional layers:

Principle of least privilege

Each NanoClaw container starts with the minimum permissions needed for the task. By default:

• No network access (except to the LLM's API)
• No write access to the host filesystem
• No access to devices (USB, GPU, etc.)
• Limited memory and CPU
• No access to the host system's environment variables

The user must explicitly grant each additional permission through command-line options. This is the opposite of OpenClaw's approach, where everything is allowed by default.

Output validation

Before a result is returned to the user, NanoClaw runs a series of checks:

• Detection of sensitive data potentially being exfiltrated (API keys, passwords, tokens)
• Verification that created files stay within the authorized output directory
• Analysis of executed commands to detect suspicious behavior

Complete logging

Every action the agent takes is logged in detail. At any time, the user can inspect exactly what the agent did, which commands it ran, which files it accessed, and what data it sent to the LLM.

# View the logs from the last run
nanoclaw logs --last

# Export the logs in JSON format for analysis
nanoclaw logs --last --format json > audit.json

To dig deeper into container security concepts, our Docker tutorial covers best practices for isolation and permission management. If you work on a production server, also check out our server hardening guide.

Use cases: when to choose NanoClaw

NanoClaw is particularly well suited to the following scenarios:

Enterprise code auditing

When a company wants to use an AI agent to audit proprietary code, NanoClaw guarantees that the code cannot be exfiltrated. The agent only has read-only access to the files, and network communication is strictly limited to the LLM's API.

Processing sensitive data

In the context of the GDPR or similar regulations, NanoClaw provides the isolation guarantees needed to process personal data with an AI agent while maintaining regulatory compliance.

Production environments

For teams that want to integrate an AI agent into their production pipeline, NanoClaw provides the necessary security guarantees. Its minimal footprint and strict isolation considerably reduce the attack surface.

Teaching and training

The simplicity of NanoClaw's code makes it an excellent teaching tool. In 500 lines, it illustrates the fundamental concepts of AI agents: the agent loop, tool management, isolation, and orchestration. It's an ideal starting point for students and developers who want to understand how AI agents work from the inside.

The future of NanoClaw and secure agents

NanoClaw represents a deep trend in the AI ecosystem: the shift from an "everything is allowed by default" approach to a "nothing is allowed except what is explicitly authorized" approach. It's the same paradigm that transformed the security of operating systems and web browsers over the past twenty years.

Several developments are expected in the coming months:

• Multi-LLM support: integration with models other than Claude is under development
• Graphical interface: a minimalist web interface for non-technical users
• Profile marketplace: a system for sharing security configurations validated by the community
• Security certification: the project is aiming for SOC 2 certification to ease enterprise adoption

NanoClaw's rapid success, with 7,000 stars in a single week, shows that the developer community is ready for AI agents that don't sacrifice security on the altar of functionality. In a world where AI agents are becoming ever more autonomous and powerful, the ability to control and audit them is not a luxury: it is an absolute necessity.