← Back to research
·5 min read·opensource

NanoClaw

NanoClaw is a security-focused OpenClaw alternative that runs AI agents in Linux containers. First personal AI assistant to support Claude Agent Swarms.

Key takeaways

  • Container isolation by design — agents run in Apple Container (macOS) or Docker, not behind permission checks
  • First AI assistant to support Claude Agent Swarms for multi-agent collaboration
  • Minimal codebase designed to be understood in 8 minutes
  • AI-native philosophy — Claude Code handles setup, debugging, and customization

FAQ

How does NanoClaw differ from OpenClaw on security?

OpenClaw uses application-level security (allowlists, pairing codes) with everything in one Node process. NanoClaw runs agents in actual Linux containers with filesystem isolation.

What chat platforms does NanoClaw support?

WhatsApp only by default. Other platforms (Telegram, Slack, Discord) are added via skills that transform your fork.

What are Agent Swarms?

Teams of specialized Claude agents that collaborate on complex tasks. NanoClaw is the first personal AI assistant to support this Claude Code feature.

Overview

NanoClaw is a security-focused OpenClaw alternative built around a core insight: why does an AI assistant need direct host access? Just run it in a container.[1]

While OpenClaw uses application-level security (allowlists, pairing codes) with everything running in one Node process with shared memory, NanoClaw enforces OS-level isolation. Agents execute in actual Linux containers — Apple Container on macOS, Docker elsewhere.

With 10,000+ GitHub stars, NanoClaw has found an audience among security-conscious users willing to trade feature breadth for isolation guarantees.

Key Stats

MetricValue
GitHub Stars10K+
LanguageTypeScript/Node.js
Core FilesHandful (~8 key files)
PlatformWhatsApp (others via skills)
ContainerApple Container / Docker
LicenseMIT

Philosophy

NanoClaw is explicitly not a framework. It's working software designed for a single user's exact needs.

Core principles:

  • Small enough to understand — One process, a few source files, no microservices
  • Secure by isolation — Agents in containers, not behind permission checks
  • Built for one user — Fork it and customize for your exact needs
  • Customization = code changes — No configuration sprawl
  • AI-native — Claude Code guides setup, debugging, and modification
  • Skills over features — Contributors add transformation skills, not features

Installation

git clone https://github.com/qwibitai/nanoclaw.git
cd nanoclaw
claude

Then run /setup. Claude Code handles dependencies, authentication, container setup, and service configuration.

No installation wizard. No configuration files. Claude Code walks you through everything.

Architecture

WhatsApp (baileys) → SQLite → Polling loop → Container (Claude Agent SDK) → Response

Key files:

FilePurpose
src/index.tsOrchestrator: state, message loop, agent invocation
src/channels/whatsapp.tsWhatsApp connection, auth, send/receive
src/container-runner.tsSpawns streaming agent containers
src/task-scheduler.tsScheduled task execution
src/db.tsSQLite operations
groups/*/CLAUDE.mdPer-group memory

Single Node.js process. Agents execute in isolated Linux containers with mounted directories. Per-group message queue with concurrency control. IPC via filesystem.

Features

  • WhatsApp I/O — Message Claude from your phone
  • Isolated Group Context — Each group has own CLAUDE.md, filesystem, container
  • Main Channel — Private channel for admin control
  • Scheduled Tasks — Recurring jobs that run Claude and message you
  • Web Access — Search and fetch content
  • Container Isolation — Apple Container (macOS) or Docker
  • Agent Swarms — First personal AI to support multi-agent collaboration

Agent Swarms

NanoClaw is the first personal AI assistant to support Claude Agent Swarms — teams of specialized agents that collaborate on complex tasks.

This is a Claude Code feature that NanoClaw exposes through its architecture. Spin up multiple agents in your chat that work together on problems.

Security Model

LayerProtection
Container IsolationApple Container / Docker
FilesystemOnly explicitly mounted directories visible
Bash CommandsExecute inside container, not on host
Per-Group IsolationSeparate container per group
Memory IsolationPer-group CLAUDE.md and state

Agents can only see what's explicitly mounted. Even with bash access, commands run inside the sandbox.

Skills System

NanoClaw uses a skills-based contribution model. Instead of adding features to the codebase, contributors add skills that transform your fork.

Requested skills (RFS):

SkillPurpose
/add-telegramAdd Telegram as channel
/add-slackAdd Slack
/add-discordAdd Discord
/setup-windowsWindows via WSL2 + Docker
/add-clearConversation compaction command

Run a skill on your fork and get clean code that does exactly what you need — not a bloated system supporting every use case.

Strengths

  • True Isolation — Container-level, not application-level security
  • Minimal Codebase — Understand in 8 minutes, modify safely
  • Agent Swarms — First personal AI with multi-agent support
  • AI-Native UX — Claude Code handles everything
  • Fork-Friendly — Designed to be customized, not configured
  • Per-Group Isolation — Each conversation in its own sandbox

Weaknesses / Considerations

  • WhatsApp Only — Other platforms require skills/code changes
  • No Plugin Ecosystem — Skills are transformations, not plugins
  • Docker Required — Full security needs container runtime
  • Single Maintainer — Individual creator, not a company
  • Node.js Runtime — Higher memory than Go/Rust alternatives
  • Opinionated — "Fork and customize" may not suit everyone

Who Built It

Individual creator (qwibitai). The project is explicitly not a framework or company product — it's personal software shared for others to fork and adapt.

Ideal User

  • Security-focused individuals who need container isolation
  • Claude Code users comfortable with AI-guided setup
  • WhatsApp users (primary supported platform)
  • Developers willing to fork and customize code
  • Teams exploring Agent Swarms for multi-agent workflows

Bottom Line

NanoClaw makes a clear trade: feature breadth for security guarantees. While OpenClaw offers 52+ modules and 15 channel providers, NanoClaw offers WhatsApp and containers.

The container isolation model is genuinely different from application-level security. When an agent runs in Docker/Apple Container with only explicitly mounted directories visible, "the AI went rogue" has bounded blast radius.

The Agent Swarms support is unique — no other personal AI assistant exposes this Claude Code feature. For teams exploring multi-agent collaboration, this is currently the only option.

For users who need maximum security and are willing to customize code (or have Claude Code do it), NanoClaw delivers. For users who want plug-and-play multi-platform support, look elsewhere.