NanoClaw solves one of OpenClaw's biggest security issues — and it's already powering the creator's biz
NanoClaw is a secure, lightweight alternative to OpenClaw that addresses critical security issues through OS-level container isolation. Created by Gavriel Cohen, it reduces OpenClaw's 400,000-line codebase to just 500 lines of TypeScript while providing sandboxed execution environments. The project emphasizes a 'Skills over Features' approach where AI customizes the codebase rather than shipping with pre-built integrations.
Script: Sonnet 4.5. Voice: OpenAI TTS.
Transcript
Izzo: What if I told you someone just solved the biggest problem with AI agents?
Izzo: You're listening to Exploring Next, episode one-ninety. I'm Izzo, and with me as always is Boone. And today we're talking about NanoClaw—a project that's basically calling BS on the entire AI agent security model.
Boone: Yeah, and Izzo, this isn't just some academic exercise. The creator is literally running his business on this thing. We're talking about a complete rethink of how you sandbox AI agents.
Izzo: Right, so here's why this matters right now. OpenClaw went viral—fifty thousand developers downloaded this thing that can basically control your entire computer with natural language. But then security teams started asking the obvious question: what happens when it goes rogue?
Boone: And the answer was... not great. OpenClaw runs directly on your host machine with essentially no isolation. It's like giving a stranger root access and hoping their intentions stay pure.
Izzo: Enter Gavriel Cohen, who took one look at OpenClaw's four hundred thousand line codebase and said 'absolutely not.' Boone, break down what NanoClaw actually does differently.
Boone: So the core insight is moving from application-level safeguards to OS-level isolation. Every single agent runs inside its own Linux container—or Apple Containers on macOS. The AI can only touch directories you explicitly mount.
Izzo: That's... actually brilliant. Instead of building internal allowlists that can be bypassed, you're using the operating system itself as the security boundary.
Boone: Exactly. And Cohen's point about blast radius is spot on. Even if you get prompt-injected, the damage is contained to that specific container and its communication channel. No escaping to the host.
Izzo: But here's what gets me excited from a product perspective—this isn't just more secure, it's also way simpler. We're talking five hundred lines of TypeScript versus four hundred thousand.
Boone: Which is insane when you think about it. The entire system—state management, agent invocation, message queuing—can be audited by a human in eight minutes. Try doing that with a half-million line codebase.
Izzo: And that auditability is huge for enterprise adoption. I can actually send this to my security team and they can whiteboard the entire attack surface in an afternoon.
Boone: The architecture is really elegant too. Single-process Node.js orchestrator, SQLite for persistence, filesystem-based IPC. No heavy message brokers, no distributed complexity. Just simple primitives that actually work.
Izzo: OK, but here's where it gets really interesting—the 'Skills over Features' model. Instead of shipping with Slack and Discord and fifty other integrations...
Boone: You teach the AI how to add them. So you run something like /add-telegram and Claude literally rewrites your local codebase to integrate Telegram support.
Izzo: Which means you only get the code—and the security vulnerabilities—for stuff you actually use. That's a complete inversion of how we normally think about software distribution.
Boone: And it makes so much sense for AI-native software. Why maintain compatibility with every possible integration when you can just generate the exact code you need on demand?
Izzo: The Cohen brothers are actually eating their own dog food here. Their agency Qwibit runs entirely on a NanoClaw instance they call 'Andy' that manages their sales pipeline, parses messy WhatsApp threads, updates their Obsidian vault...
Boone: That's the real test, right? When the creators are trusting it with their actual business operations. And because Andy has access to the codebase itself, it can refactor its own functions and review git history for documentation drift.
Izzo: I'm giving this whole approach a solid A-minus. The only question mark for me is adoption—convincing developers to think about AI software this differently.
Boone: Fair point. But honestly, after seeing what can go wrong with permissionless agents, I think the market's ready for this level of paranoia. Better safe than explaining to your CISO why an AI agent just exfiltrated your customer database.
Izzo: True. And seven thousand GitHub stars in a week suggests people are hungry for this approach.
Boone: Definitely adding this to the weekend project list. The container isolation alone is worth experimenting with.
Izzo: Alright, if you want to get hands-on with this—first, clone the NanoClaw repo and audit those five hundred lines yourself. Second, try the Skills system by running /add-gmail or /add-telegram on a test instance.
Boone: And third, if you're running any AI agents in production, seriously consider how you're handling isolation. Even if you don't use NanoClaw, the container-first approach is the right mental model.
Izzo: The future of AI agents isn't more features—it's better boundaries. We'll see you next time on Exploring Next.