Key takeaways
- Container isolation by design — agents run in Docker containers (moved from Apple Container in February 2026), not behind permission checks
- The OpenClaw security crisis (RCE and command-injection CVEs in early 2026) drove adoption — stars roughly tripled from ~10K to ~30K
- Now a company: creator Gavriel Cohen formed NanoCo and landed a Docker partnership in March 2026; funding is friends-and-family, not institutional
- Multi-channel is now built in — WhatsApp, Telegram, Slack, Discord, and Gmail, up from WhatsApp-only at launch
- AI-native philosophy — Claude Code handles setup, debugging, and customization
FAQ
How does NanoClaw differ from OpenClaw on security?
OpenClaw uses application-level security (allowlists, pairing codes) with everything in one Node process. NanoClaw runs agents in actual Linux containers with filesystem isolation.
What chat platforms does NanoClaw support?
As of mid-2026, WhatsApp, Telegram, Slack, Discord, and Gmail are supported in the main repo. Further platforms can be added via skills that transform your fork.
What are Agent Swarms?
Teams of specialized Claude agents that collaborate on complex tasks. NanoClaw was the first personal AI assistant to support this Claude Code feature.
Is NanoClaw a company now?
Yes. Creator Gavriel Cohen formed NanoCo (his brother Lazer Cohen is CEO) and announced a Docker partnership in March 2026. The open-source project remains MIT licensed; a commercial product is planned.
Overview
NanoClaw is a security-focused OpenClaw alternative built around a core insight: why does an AI assistant need direct host access? Just run it in a container.[1]
While OpenClaw uses application-level security (allowlists, pairing codes) with everything running in one Node process with shared memory, NanoClaw enforces OS-level isolation. Agents execute in actual Linux containers — Docker by default since February 2026, when the project moved off Apple Container as part of a Docker partnership.[2]
The bet paid off when it mattered. The OpenClaw security crisis in early 2026 — including a remote code execution CVE (CVE-2026-25253, severity 8.8) and a command-injection CVE rooted in OpenClaw's unsandboxed skill execution — sent security-conscious users looking for alternatives, and NanoClaw's container-first pitch was waiting for them.[3] As of June 2026 the repo sits at roughly 29,800 GitHub stars and 12,900 forks, up from ~10K stars in February.[1]
Key Stats
| Metric | Value (as of June 2026) |
|---|---|
| GitHub Stars | ~29.8K (was ~10K in Feb 2026) |
| Forks | ~12.9K |
| Language | TypeScript/Node.js |
| Latest Release | v2.0.64 (May 18, 2026) |
| Platforms | WhatsApp, Telegram, Slack, Discord, Gmail |
| Container | Docker (Docker Sandboxes partnership) |
| License | MIT |
Philosophy
NanoClaw is explicitly not a framework. It's working software designed for a single user's exact needs.
Core principles:
- Small enough to understand — One process, a few source files, no microservices
- Secure by isolation — Agents in containers, not behind permission checks
- Built for one user — Fork it and customize for your exact needs
- Customization = code changes — No configuration sprawl
- AI-native — Claude Code guides setup, debugging, and modification
- Skills over features — Contributors add transformation skills, not features
Installation
git clone https://github.com/nanocoai/nanoclaw.git
cd nanoclaw
claude
Then run /setup. Claude Code handles dependencies, authentication, container setup, and service configuration.
No installation wizard. No configuration files. Claude Code walks you through everything.
Architecture
WhatsApp (baileys) → SQLite → Polling loop → Container (Claude Agent SDK) → Response
Key files:
| File | Purpose |
|---|---|
src/index.ts | Orchestrator: state, message loop, agent invocation |
src/channels/whatsapp.ts | WhatsApp connection, auth, send/receive |
src/container-runner.ts | Spawns streaming agent containers |
src/task-scheduler.ts | Scheduled task execution |
src/db.ts | SQLite operations |
groups/*/CLAUDE.md | Per-group memory |
Single Node.js process. Agents execute in isolated Linux containers with mounted directories. Per-group message queue with concurrency control. IPC via filesystem.
Features
- Multi-Channel I/O — WhatsApp, Telegram, Slack, Discord, and Gmail (WhatsApp-only at launch)[1]
- Isolated Group Context — Each group has own CLAUDE.md, filesystem, container
- Main Channel — Private channel for admin control
- Scheduled Tasks — Recurring jobs that run Claude and message you
- Web Access — Search and fetch content
- Container Isolation — Docker Sandboxes (Docker partnership, March 2026)
- Agent Swarms — First personal AI to support multi-agent collaboration
- OneCLI Agent Vault — Adopted as the default credential setup in March 2026
Agent Swarms
NanoClaw was the first personal AI assistant to support Claude Agent Swarms — teams of specialized agents that collaborate on complex tasks.
This is a Claude Code feature that NanoClaw exposes through its architecture. Spin up multiple agents in your chat that work together on problems.
Security Model
| Layer | Protection |
|---|---|
| Container Isolation | Docker (Docker Sandboxes) |
| Filesystem | Only explicitly mounted directories visible |
| Bash Commands | Execute inside container, not on host |
| Per-Group Isolation | Separate container per group |
| Memory Isolation | Per-group CLAUDE.md and state |
Agents can only see what's explicitly mounted. Even with bash access, commands run inside the sandbox.[4]
Skills System
NanoClaw uses a skills-based contribution model. Instead of adding features to the codebase, contributors add skills that transform your fork.
The early requested-skills list (Telegram, Slack, Discord) has largely graduated into the main repo — those channels now ship by default. Skills today follow a registry-branch install model for further customization.[1]
Run a skill on your fork and get clean code that does exactly what you need — not a bloated system supporting every use case.
Strengths
- True Isolation — Container-level, not application-level security
- Minimal Codebase — Still small enough to read, even as channels grew
- Agent Swarms — First personal AI with multi-agent support
- AI-Native UX — Claude Code handles everything
- Fork-Friendly — Designed to be customized, not configured
- Per-Group Isolation — Each conversation in its own sandbox
- Active Development — 50+ contributors, commits daily, v2.x release cadence[1]
Weaknesses / Considerations
- Build-It-Yourself Expectation — Fewer capabilities than OpenClaw out of the box; you're expected to build your own features on top, and community members note your fork can end up as buggy as what you left[5]
- No Plugin Ecosystem — Skills are transformations, not plugins
- Docker Required — Full security needs container runtime
- Young Company — NanoCo formed in early 2026 on friends-and-family money; commercial direction still unproven[2]
- Node.js Runtime — Higher memory than compiled-language alternatives
- Opinionated — "Fork and customize" may not suit everyone
What Developers Say
Community reception on Hacker News has been strongly positive on the architecture, more skeptical on the capability trade-off:
- "I'm running half my company with Nanoclaw." — atonse, Hacker News, April 2026[5]
- "NanoClaw's architecture is a masterclass in doing less." — Jonno (jonno.nz), April 2026[6]
- "nanoclaw has a lot fewer capabilities than openclaw, with the expectation that you'll essentially build your own features on top of it." — BeetleB, Hacker News, April 2026[5]
- "I'd like to know if there's a selling point that I'm missing" — turbocon, Hacker News, April 2026, questioning the isolation benefit when agents still get real API keys[5]
Who Built It
Gavriel Cohen, a former Wix engineer, built NanoClaw after discovering OpenClaw had downloaded all of his WhatsApp messages — personal ones included — in unencrypted text without authorization.[2] The Show HN launch went viral (533 points), an Andrej Karpathy endorsement followed, and within six weeks Cohen had closed his AI marketing startup to go full-time.[2]
The project is now stewarded by NanoCo (GitHub org nanocoai), with Cohen's brother Lazer Cohen as CEO. Funding is friends-and-family; no institutional round has been publicly disclosed. A March 2026 partnership integrated Docker Sandboxes as the container runtime, and a commercial product with forward-deployed engineers is planned.[2] The open-source project remains MIT licensed and free.
Ideal User
- Security-focused individuals who need container isolation
- Claude Code users comfortable with AI-guided setup
- WhatsApp/Telegram/Slack/Discord users (now all supported in-repo)
- Developers willing to fork and customize code
- Teams exploring Agent Swarms for multi-agent workflows
Bottom Line
NanoClaw made a clear trade — feature breadth for security guarantees — and the OpenClaw security crisis vindicated it. When RCE and command-injection CVEs hit OpenClaw's unsandboxed skill model in early 2026, NanoClaw's container-first design was the obvious refuge; stars roughly tripled to ~30K and Docker signed on as a partner.[3][2]
The container isolation model is genuinely different from application-level security. When an agent runs in a Docker sandbox with only explicitly mounted directories visible, "the AI went rogue" has bounded blast radius. And the original gap — WhatsApp-only — has closed: Telegram, Slack, Discord, and Gmail now ship in the main repo.
Recommended for: security-conscious users who want a personal agent with OS-level isolation, and developers happy to fork and shape their own copy with Claude Code's help.
Not recommended for: users who want OpenClaw's breadth of integrations out of the box, or anyone unwilling to run Docker and treat their assistant as code they own.
Outlook: the strongest position in the OpenClaw-alternative field — real momentum (daily commits, 50+ contributors, v2.x cadence), a Docker partnership, and a company forming around it. The open question is whether NanoCo can monetize without compromising the minimal, fork-it ethos that made the project work.
Sources
- [1] NanoClaw GitHub Repository
- [2] TechCrunch: The wild six weeks for NanoClaw's creator that led to a deal with Docker
- [3] The Argus Report: The OpenClaw security crisis
- [4] NanoClaw Security Documentation
- [5] Hacker News: Show HN — NanoClaw
- [6] NanoClaw's architecture is a masterclass in doing less
- [7] The New Stack: NanoClaw can stuff each AI agent into its own Docker container