NanoClaw solves one of OpenClaw's biggest security issues — and it's already powering the creator's biz
The rapid viral adoption of Austrian developer Peter Steinberger's open source AI assistant OpenClaw in recent weeks has sent enterprises and indie developers into a tizzy.
It's easy to easy why: OpenClaw is freely available now and offers a powerful means of autonomously completing work and performing tasks across a user's entire computer, phone, or even business with natural language prompts that spin up swarms of agents. Since its release in November 2025, it's captured the market with over 50 modules and broad integrations — but its "permissionless" architecture raised alarms among developers and security teams.
Enter NanoClaw, a lighter, more secure version which debuted under an open source MIT License on January 31, 2026, and achieved explosive growth—surpassing 7,000 stars on GitHub in just over a week.
Created by Gavriel Cohen—an experienced software engineer who spent seven years at website builder Wix.com—the project was built to address the "security nightmare" inherent in complex, non-sandboxed agent frameworks. Cohen and his brother Lazer are also co-founders of Qwibit, a new AI-first go-to-market agency, and vice president and CEO, respectively, of Concrete Media, a respected public relations firm that often works with tech businesses covered by VentureBeat.
NanoClaw’s immediate solution to this architectural anxiety is a hard pivot toward operating system-level isolation. The project places every agent inside isolated Linux containers—utilizing Apple Containers for high-performance execution on macOS or Docker for Linux environments.
This creates a strictly "sandboxed" environment where the AI only interacts with directories explicitly mounted by the user.
While other frameworks build internal "safeguards" or application-level allowlists to block certain commands, Gavriel maintains that such defenses are inherently fragile.
"I'm not running that on my machine and letting an agent run wild," Cohen explained during a recent technical interview. "There's always going to be a way out if you’re running directly on the host machine. In NanoClaw, the 'blast radius' of a potential prompt injection is strictly confined to the container and its specific communication channel."
A more secure foundation for agentic autonomy
The technical critique at the heart of NanoClaw’s development is one of bloat and auditability. When Cohen first evaluated OpenClaw (formerly Clawbot), he discovered a codebase approaching 400,000 lines with hundreds of dependencies.
In the fast-moving AI landscape, such complexity is an engineering hurdle and a potential liability.
"As a developer, every open source dependency that we added to our codebase, you vet. You look at how many stars it has, who are the maintainers, and if it has a proper process in place," Cohen notes. "When you have a codebase with half a million lines of code, nobody's reviewing that. It breaks the concept of what people rely on with open source".
NanoClaw counters this by reducing the core logic to roughly 500 lines of TypeScript. This minimalism ensures that the entire system—from the state management to the agent invocation—can be audited by a human or a secondary AI in roughly eight minutes.
The architecture employs a single-process Node.js orchestrator that manages a per-group message queue with concurrency control.
Instead of heavy distributed message brokers, it relies on SQLite for lightweight persistence and filesystem-based IPC. This design choice is intentional: by using simple primitives, the system remains transparent and reproducible.
Furthermore, the isolation extends beyond just the filesystem. NanoClaw natively supports Agent Swarms via the Anthropic Agent SDK, allowing specialized agents to collaborate in parallel. In this model, each sub-agent in a swarm can be isolated with its own specific memory context, preventing sensitive data from leaking between different chat groups or business functions.
The product vision: Skills over features
One of the most radical departures in NanoClaw is its rejection of the traditional "feature-rich" software model. Cohen describes NanoClaw as "AI-native" software—a system designed to be managed and extended primarily through AI interaction rather than manual configuration.
The project explicitly discourages contributors from submitting PRs that add broad features like Slack or Discord support to the main branch. Instead, they are encouraged to contribute "Skills"—modular instructions housed in .claude/skills/ that teach a developer's local AI assistant how to transform the code.
"If you want Telegram, rip out the WhatsApp and put in Telegram," Cohen says. "Every person should have exactly the code they need to run their agent. It’s not a Swiss Army knife; it’s a secure harness that you customize by talking to Claude Code".
This "Skills over Features" model means that a user can run a command like /add-telegram or /add-gmail, and the AI will rewrite the local installation to integrate the new capability while keeping the codebase lean. This methodology ensures that if a user only needs a WhatsApp-based assistant, they aren't forced to inherit the security vulnerabilities of fifty other unused modules.
Real-world utility in an AI-native agency
This isn't merely a theoretical experiment for the Cohen brothers. Their new AI go-to-market agency Qwibit uses NanoClaw—specifically a personal instance named "Andy"—to run its internal operations.
"Andy manages our sales pipeline for us. I don't interact with the sales pipeline directly," Cohen explained.
The agent provides Sunday-through-Friday briefings at 9:00 AM, detailing lead statuses and assigning tasks to the team.
The utility lies in the friction-less capture of data. Throughout the day, Lazer and Gavriel forward messy WhatsApp notes or email threads into their admin group.
Andy parses these inputs, updates the relevant files in an Obsidian vault or SQLite database, and sets automated follow-up reminders.
Because the agent has access to the codebase, it can also be tasked with recurring technical jobs, such as reviewing git history for "documentation drift" or refactoring its own functions to improve ergonomics for future agents.
Strategic evaluation for the enterprise
As the pace of change accelerates in early 2026, technical decision-makers are faced with a fundamental choice between convenience and control. For AI engineers focused on rapid deployment, NanoClaw offers a blueprint for what Cohen calls the "best harness" for the "best model".
By building on top of the Claude Agent SDK, NanoClaw provides a pathway to leverage state-of-the-art models (like Opus 4.6) within a framework that a lean engineering team can actually maintain and optimize.
From the perspective of orchestration engineers, NanoClaw’s simplicity is its greatest asset for building scalable, reliable pipelines.
Traditional, bloated frameworks often introduce budget-draining overhead through complex microservices and message queues.
NanoClaw’s container-first approach allows for the implementation of advanced AI technologies—including autonomous swarms—without the resource constraints and "technical debt" associated with 400,000-line legacy systems.
Perhaps most critically, for security leaders, NanoClaw addresses the "multiple responsibilities" of incident response and organizational protection.
In an environment where prompt injection and data exfiltration are evolving daily, a 500-line auditable core is far safer than a generic system trying to support every use case.
"I recommend you send the repository link to your security team and ask them to audit it," Cohen advises. "They can review it in an afternoon—not just read the code, but whiteboard the entire system, map out the attack vectors, and verify it’s safe".
Ultimately, NanoClaw represents a shift in the AI developer mindset. It is an argument that as AI becomes more powerful, the software that hosts it should become simpler. In the race to automate the enterprise, the winners may not be those who adopt the most features, but those who build upon the most transparent and secure foundations.