NanoClaw
Quick Facts
- Category: Agent runtime (not a model)
- Language: Python
- Agent loop: Anthropic Claude Agent SDK
- Sandbox: Per-tool-call container (Docker / Firecracker)
- Channels: Slack · Discord · WhatsApp · Gmail
- Security layer: FrawdBot inline + container capability restrictions
- Target hardware: Linux VPS, on-prem Linux, Kubernetes
- License: Open source (see Claw ecosystem on GitHub)
Summary
NanoClaw is the security-forward member of the Claw family. Where OpenClaw optimizes for breadth of integrations and operator experience on Mac hardware, NanoClaw optimizes for isolation — a defensive posture suited to multi-tenant deployments, untrusted input (public channels, customer chat), and regulated environments where a misbehaving tool call must not be able to touch anything it shouldn't.
Every tool execution is a fresh container. The container ships with the minimal rootfs the tool needs, network egress allow-listed to the specific endpoints the tool should reach, and the filesystem scoped to a per-call workspace that's destroyed after the tool returns. Inference happens outside the sandbox; the sandbox only contains the tool-call side effects.
Architecture
- Agent loop — Anthropic Claude Agent SDK. The loop, tool protocol, and memory model follow Claude Code conventions.
- Sandbox — per-tool-call container. Docker in the basic tier; Firecracker microVMs for stronger isolation. Tool inputs and outputs cross the boundary as JSON.
- Channels — Slack, Discord, WhatsApp, Gmail via a unified adapter layer. Channel context (user identity, thread, channel permissions) is carried into the agent loop.
- Security layer — FrawdBot runs inline on every tool call for behavioral analysis. Container-level capability restrictions provide defense-in-depth against FrawdBot misses.
- Observability — OTEL traces, Langfuse traces, container audit logs. Sandbox escape attempts are logged as distinct events.
- Provider — Claude by default (via Agent SDK); provider abstraction allows routing to GPT, Bedrock, or self-hosted endpoints.
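The isolation properties described in the Summary and in the Sandbox item above (a fresh container per call, a scoped workspace destroyed on return, JSON across the boundary), shown for the Docker tier as an added example; this is not NanoClaw's own code. The function names, resource limits and image name are hypothetical, and egress allow-listing is assumed to be enforced on a pre-configured Docker network passed as `network`, since `docker run` only selects the network.

```python
import json
import os
import shutil
import subprocess
import tempfile
import uuid


def build_run_argv(image, workspace, name, network="none"):
    """argv for one tool call: throwaway container, no shell, minimal privileges."""
    return [
        "docker", "run", "--rm", "-i", "--name", name,
        "--network", network,                      # "none" unless the tool needs egress
        "--read-only",                             # container rootfs is immutable
        "--cap-drop", "ALL",
        "--security-opt", "no-new-privileges",
        "--pids-limit", "64", "--memory", "256m",  # hypothetical limits
        "--user", f"{os.getuid()}:{os.getgid()}",  # caller's uid owns the workspace
        "--mount", f"type=bind,source={workspace},target=/workspace",
        "--workdir", "/workspace",
        image,
    ]


def run_tool_call(image, tool_input, network="none", timeout=30):
    """Run one tool call: JSON in on stdin, JSON out on stdout."""
    workspace = tempfile.mkdtemp(prefix="toolcall-")  # per-call, mode 0700
    name = f"toolcall-{uuid.uuid4().hex}"
    try:
        proc = subprocess.run(
            build_run_argv(image, workspace, name, network),
            input=json.dumps(tool_input).encode(),
            capture_output=True, timeout=timeout, check=False,
        )
        if proc.returncode != 0:
            return {"ok": False, "error": f"tool exited with {proc.returncode}"}
        # Tool output is untrusted: accept it only if it parses as JSON.
        return {"ok": True, "output": json.loads(proc.stdout)}
    except subprocess.TimeoutExpired:
        # Killing the docker client does not stop the container; kill it by name.
        subprocess.run(["docker", "kill", name], capture_output=True, check=False)
        return {"ok": False, "error": "tool call timed out"}
    except ValueError:  # malformed JSON or invalid UTF-8 from the tool
        return {"ok": False, "error": "tool output was not valid JSON"}
    finally:
        shutil.rmtree(workspace, ignore_errors=True)  # workspace never outlives the call
```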
When to Choose NanoClaw
NanoClaw is the right choice when any of the following dominate: multi-tenant deployment where one tenant's agent must not affect another's; user-facing chat surfaces where untrusted prompts reach tool calls; regulated environments where sandbox proofs are a compliance requirement; or workloads where the set of tools includes shell / code-execution / file-writing capabilities.
Tradeoffs vs. OpenClaw
- Latency. Container startup adds overhead per tool call. Firecracker mitigates but does not eliminate it. For latency-sensitive internal workloads, OpenClaw is faster.
- Integration breadth. OpenClaw's 50+ first-party integrations are designed for direct access. NanoClaw's equivalents all cross the sandbox boundary, which adds a small serialization cost and sometimes restricts what a tool can do.
- Operator experience. OpenClaw's Claude Code Slack control plane is optimized for a small operator team. NanoClaw supports similar patterns but is often deployed headless behind a chat channel.
- Hardware target. NanoClaw assumes Linux with container tooling. Mac hosts are possible but not the primary target.
Related
- OpenClaw — flagship runtime, breadth-first.
- MicroClaw — multi-channel chat-native runtime.
- Claude — the default model behind the Agent SDK.