Key takeaways
- Container isolation by design — agents run in Apple Container (macOS) or Docker, not behind permission checks
- First AI assistant to support Claude Agent Swarms for multi-agent collaboration
- Minimal codebase designed to be understood in 8 minutes
- AI-native philosophy — Claude Code handles setup, debugging, and customization
FAQ
How does NanoClaw differ from OpenClaw on security?
OpenClaw uses application-level security (allowlists, pairing codes) with everything in one Node process. NanoClaw runs agents in actual Linux containers with filesystem isolation.
What chat platforms does NanoClaw support?
WhatsApp only by default. Other platforms (Telegram, Slack, Discord) are added via skills that transform your fork.
What are Agent Swarms?
Teams of specialized Claude agents that collaborate on complex tasks. NanoClaw is the first personal AI assistant to support this Claude Code feature.
Overview
NanoClaw is a security-focused OpenClaw alternative built around a core insight: why does an AI assistant need direct host access? Just run it in a container.[1]
While OpenClaw uses application-level security (allowlists, pairing codes) with everything running in one Node process with shared memory, NanoClaw enforces OS-level isolation. Agents execute in actual Linux containers — Apple Container on macOS, Docker elsewhere.
With 10,000+ GitHub stars, NanoClaw has found an audience among security-conscious users willing to trade feature breadth for isolation guarantees.
Key Stats
| Metric | Value |
|---|---|
| GitHub Stars | 10K+ |
| Language | TypeScript/Node.js |
| Core Files | Handful (~8 key files) |
| Platform | WhatsApp (others via skills) |
| Container | Apple Container / Docker |
| License | MIT |
Philosophy
NanoClaw is explicitly not a framework. It's working software designed for a single user's exact needs.
Core principles:
- Small enough to understand — One process, a few source files, no microservices
- Secure by isolation — Agents in containers, not behind permission checks
- Built for one user — Fork it and customize for your exact needs
- Customization = code changes — No configuration sprawl
- AI-native — Claude Code guides setup, debugging, and modification
- Skills over features — Contributors add transformation skills, not features
Installation
git clone https://github.com/qwibitai/nanoclaw.git
cd nanoclaw
claude
Then run /setup. Claude Code handles dependencies, authentication, container setup, and service configuration.
No installation wizard. No configuration files. Claude Code walks you through everything.
Architecture
WhatsApp (baileys) → SQLite → Polling loop → Container (Claude Agent SDK) → Response
Key files:
| File | Purpose |
|---|---|
src/index.ts | Orchestrator: state, message loop, agent invocation |
src/channels/whatsapp.ts | WhatsApp connection, auth, send/receive |
src/container-runner.ts | Spawns streaming agent containers |
src/task-scheduler.ts | Scheduled task execution |
src/db.ts | SQLite operations |
groups/*/CLAUDE.md | Per-group memory |
Single Node.js process. Agents execute in isolated Linux containers with mounted directories. Per-group message queue with concurrency control. IPC via filesystem.
Features
- WhatsApp I/O — Message Claude from your phone
- Isolated Group Context — Each group has own CLAUDE.md, filesystem, container
- Main Channel — Private channel for admin control
- Scheduled Tasks — Recurring jobs that run Claude and message you
- Web Access — Search and fetch content
- Container Isolation — Apple Container (macOS) or Docker
- Agent Swarms — First personal AI to support multi-agent collaboration
Agent Swarms
NanoClaw is the first personal AI assistant to support Claude Agent Swarms — teams of specialized agents that collaborate on complex tasks.
This is a Claude Code feature that NanoClaw exposes through its architecture. Spin up multiple agents in your chat that work together on problems.
Security Model
| Layer | Protection |
|---|---|
| Container Isolation | Apple Container / Docker |
| Filesystem | Only explicitly mounted directories visible |
| Bash Commands | Execute inside container, not on host |
| Per-Group Isolation | Separate container per group |
| Memory Isolation | Per-group CLAUDE.md and state |
Agents can only see what's explicitly mounted. Even with bash access, commands run inside the sandbox.
Skills System
NanoClaw uses a skills-based contribution model. Instead of adding features to the codebase, contributors add skills that transform your fork.
Requested skills (RFS):
| Skill | Purpose |
|---|---|
/add-telegram | Add Telegram as channel |
/add-slack | Add Slack |
/add-discord | Add Discord |
/setup-windows | Windows via WSL2 + Docker |
/add-clear | Conversation compaction command |
Run a skill on your fork and get clean code that does exactly what you need — not a bloated system supporting every use case.
Strengths
- True Isolation — Container-level, not application-level security
- Minimal Codebase — Understand in 8 minutes, modify safely
- Agent Swarms — First personal AI with multi-agent support
- AI-Native UX — Claude Code handles everything
- Fork-Friendly — Designed to be customized, not configured
- Per-Group Isolation — Each conversation in its own sandbox
Weaknesses / Considerations
- WhatsApp Only — Other platforms require skills/code changes
- No Plugin Ecosystem — Skills are transformations, not plugins
- Docker Required — Full security needs container runtime
- Single Maintainer — Individual creator, not a company
- Node.js Runtime — Higher memory than Go/Rust alternatives
- Opinionated — "Fork and customize" may not suit everyone
Who Built It
Individual creator (qwibitai). The project is explicitly not a framework or company product — it's personal software shared for others to fork and adapt.
Ideal User
- Security-focused individuals who need container isolation
- Claude Code users comfortable with AI-guided setup
- WhatsApp users (primary supported platform)
- Developers willing to fork and customize code
- Teams exploring Agent Swarms for multi-agent workflows
Bottom Line
NanoClaw makes a clear trade: feature breadth for security guarantees. While OpenClaw offers 52+ modules and 15 channel providers, NanoClaw offers WhatsApp and containers.
The container isolation model is genuinely different from application-level security. When an agent runs in Docker/Apple Container with only explicitly mounted directories visible, "the AI went rogue" has bounded blast radius.
The Agent Swarms support is unique — no other personal AI assistant exposes this Claude Code feature. For teams exploring multi-agent collaboration, this is currently the only option.
For users who need maximum security and are willing to customize code (or have Claude Code do it), NanoClaw delivers. For users who want plug-and-play multi-platform support, look elsewhere.