NanoClaw solves one of OpenClaw's biggest security issues — and it's already powering the creator's biz

Published: February 11, 2026 at 10:37 AM EST

Source: VentureBeat

OpenClaw’s Rapid Rise and the Security Concerns It Sparked

The viral adoption of Austrian developer Peter Steinberger’s open‑source AI assistant OpenClaw has sent both enterprises and indie developers into a tizzy.

  • Why the hype?

    • Freely available as of November 2025.
    • Enables autonomous task completion across a user’s computer, phone, or entire business with natural‑language prompts that spin up swarms of agents.
    • Ships with 50+ modules and broad integrations.
  • The downside – its “permission‑less” architecture raised alarms among developers and security teams, who warned that unrestricted agents could become a security nightmare.


Introducing NanoClaw

Enter NanoClaw, a lighter, more secure alternative that debuted under an MIT license on 31 January 2026. In just over a week it amassed 7 000+ GitHub stars.

  • Creator: Gavriel Cohen, a former Wix.com engineer (7 years) who built NanoClaw to address the security flaws of non‑sandboxed agent frameworks.
  • Co‑founders: Gavriel and his brother Lazer Cohen co‑founded Qwibit, an AI‑first go‑to‑market agency, and serve respectively as Vice President and CEO of Concrete Media, a PR firm that frequently works with tech companies covered by VentureBeat.

Gavriel Cohen, creator of NanoClaw, VP of Concrete Media and co‑founder of Qwibit. Credit: Concrete Media


How NanoClaw Tackles the “Permission‑less” Problem

  1. OS‑level isolation – Every agent runs inside an isolated Linux container:

    • Apple Containers for high‑performance execution on macOS.
    • Docker for Linux environments.
  2. Strict sandboxing – The AI can only interact with directories explicitly mounted by the user.

  3. Reduced blast radius – Even if a prompt injection occurs, the impact is confined to the container and its communication channel.

“I’m not running that on my machine and letting an agent run wild. There’s always a way out if you’re running directly on the host. In NanoClaw, the ‘blast radius’ of a potential prompt injection is strictly confined to the container and its specific communication channel.”
— Gavriel Cohen, technical interview
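
The mount restriction described above can be enforced before the container ever starts. The following is an added TypeScript example, not NanoClaw's own code: it builds `docker run` arguments that expose only directories the user has approved. The function names, the `Mount` type, the `/workspace` target prefix and the choice of hardening flags are assumptions made for illustration.

```typescript
// Added illustration, not NanoClaw source. All names here are hypothetical.
type Mount = { host: string; container: string; writable?: boolean };

// Lexically normalise an absolute POSIX path ("." and ".." resolved).
// Symlinks are not followed; a production check would also compare real paths.
function normalize(p: string): string {
  if (!p.startsWith("/")) throw new Error(`not an absolute path: ${p}`);
  const out: string[] = [];
  for (const seg of p.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") out.pop();
    else out.push(seg);
  }
  return "/" + out.join("/");
}

// True when `child` is `root` itself or lies beneath it.
function isWithin(root: string, child: string): boolean {
  const r = normalize(root);
  const c = normalize(child);
  return c === r || c.startsWith(r === "/" ? "/" : r + "/");
}

// Build `docker run` arguments exposing only user-approved directories.
function buildDockerArgs(image: string, mounts: Mount[], approvedRoots: string[]): string[] {
  const args = ["run", "--rm", "--read-only", "--cap-drop=ALL",
                "--security-opt=no-new-privileges"];
  for (const m of mounts) {
    const host = normalize(m.host);
    if (!approvedRoots.some((root) => isWithin(root, host))) {
      throw new Error(`host path not approved: ${host}`);
    }
    const target = normalize(m.container);
    if (!isWithin("/workspace", target)) {
      throw new Error(`container path must be under /workspace: ${target}`);
    }
    // A comma would let a path smuggle extra --mount options.
    if (host.includes(",") || target.includes(",")) {
      throw new Error("comma in mount path");
    }
    const ro = m.writable ? "" : ",readonly";
    args.push("--mount", `type=bind,source=${host},target=${target}${ro}`);
  }
  args.push(image);
  return args;
}
```

Mounts default to read-only, and both a `..` traversal and a sibling directory that merely shares a prefix with an approved root are rejected.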


Key Takeaways

  • OpenClaw demonstrates the power—and risk—of unrestricted AI agents.
  • NanoClaw offers a pragmatic, security‑first approach by leveraging containerization and explicit user‑mounted volumes.
  • For enterprises and developers who need autonomous AI while protecting their infrastructure, sandboxed containers appear to be the most reliable safeguard today.

A More Secure Foundation for Agentic Autonomy

The technical critique at the heart of NanoClaw’s development is one of bloat and auditability. When Cohen first evaluated OpenClaw (formerly Clawbot), he discovered a codebase approaching 400 000 lines with hundreds of dependencies.

In the fast‑moving AI landscape, such complexity is both an engineering hurdle and a potential liability.

“As a developer, every open‑source dependency that we add to our codebase, you vet. You look at how many stars it has, who the maintainers are, and whether it has a proper process in place,” Cohen notes.
“When you have a codebase with half a million lines of code, nobody’s reviewing that. It breaks the concept of what people rely on with open source.”

NanoClaw’s Minimalist Approach

  • Core logic reduced to roughly 500 lines of TypeScript – see the NanoClaw article.
  • The entire system—from state management to agent invocation—can be audited by a human (or a secondary AI) in ≈ 8 minutes.

Architecture Highlights

| Component | Design Choice | Rationale |
|---|---|---|
| Orchestrator | Single‑process Node.js | Simplifies concurrency control and reduces surface area. |
| Message Queue | Per‑group queue with built‑in concurrency limits | Guarantees orderly processing without external brokers. |
| Persistence | SQLite + filesystem‑based IPC | Lightweight, transparent, and reproducible; avoids heavyweight distributed brokers. |
| Agent Swarms | Anthropic Agent SDK integration | Enables parallel, specialized agents while keeping each sub‑agent’s memory context isolated. |

Isolation & Data Safety

NanoClaw’s isolation extends beyond the filesystem:

  • Each sub‑agent in a swarm receives its own memory context, preventing sensitive data from leaking between chat groups or business functions.
  • The use of simple primitives (SQLite, file‑based IPC) ensures the system remains transparent and easily reproducible.

By embracing minimalism and clear boundaries, NanoClaw offers a more secure, auditable foundation for building autonomous AI agents.

The Product Vision: Skills Over Features

One of the most radical departures in NanoClaw is its rejection of the traditional “feature‑rich” software model. Cohen describes NanoClaw as “AI‑native” software—a system designed to be managed and extended primarily through AI interaction rather than manual configuration.

Skills, Not Features

  • The project explicitly discourages contributors from submitting PRs that add broad features (e.g., Slack or Discord support) to the main branch.
  • Instead, contributors are encouraged to add “Skills.”
    • Skills are modular instructions stored in the directory /.claude/skills/.
    • They teach a developer’s local AI assistant how to transform the code.

“If you want Telegram, rip out the WhatsApp and put in Telegram. Every person should have exactly the code they need to run their agent. It’s not a Swiss Army knife; it’s a secure harness that you customize by talking to Claude Code.” – Cohen

How It Works

A user can run a command such as:

/add-telegram

or

/add-gmail

The AI then rewrites the local installation to integrate the new capability while keeping the codebase lean. This methodology ensures that if a user only needs a WhatsApp‑based assistant, they aren’t forced to inherit the security vulnerabilities of fifty other unused modules.

Real‑world utility in an AI‑native agency

The Cohen brothers aren’t just running a thought experiment. Their new AI go‑to‑market agency Qwibit uses a NanoClaw instance—nicknamed “Andy”—to run internal operations.

“Andy manages our sales pipeline for us. I don’t interact with the sales pipeline directly,” Cohen explained.

Daily workflow

  • Briefings: Andy delivers a Sunday‑through‑Friday briefing at 9:00 AM, summarising lead statuses and assigning tasks to the team.
  • Data capture: Throughout the day, Lazer and Gavriel forward messy WhatsApp notes or email threads to their admin group.
  • Parsing & storage: Andy parses these inputs, updates the relevant files in an Obsidian vault or SQLite database, and sets automated follow‑up reminders.

Technical capabilities

Because Andy has access to the codebase, it can also be tasked with recurring technical jobs, such as:

  1. Reviewing git history for “documentation drift.”
  2. Refactoring its own functions to improve ergonomics for future agents.

Concrete Media CEO Lazer Cohen, co‑founder of Qwibit. Credit: Concrete Media

Strategic Evaluation for the Enterprise

As the pace of change accelerates in early 2026, technical decision‑makers face a fundamental choice: convenience vs. control. For AI engineers focused on rapid deployment, NanoClaw offers what Cohen calls the “best harness” for the “best model”.

Why NanoClaw Matters

  • Built on Claude Agent SDK – Leverages state‑of‑the‑art models (e.g., Opus 4.6) within a framework a lean engineering team can actually maintain and optimize.
  • Container‑first approach – Enables advanced AI technologies—including autonomous swarms—without the resource constraints and technical debt of 400 k‑line legacy systems.

Benefits by Role

| Role | Key Advantage |
|---|---|
| Orchestration Engineers | Simplicity is the greatest asset for building scalable, reliable pipelines. Traditional, bloated frameworks introduce budget‑draining overhead through complex microservices and message queues. |
| Security Leaders | A 500‑line auditable core is far safer than a generic system trying to support every use case. It addresses the “multiple responsibilities” of incident response and organizational protection. |
| AI Engineers | Rapid deployment of cutting‑edge models with minimal operational overhead. |

“I recommend you send the repository link to your security team and ask them to audit it,” Cohen advises. “They can review it in an afternoon—not just read the code, but whiteboard the entire system, map out the attack vectors, and verify it’s safe.”

The Strategic Shift

NanoClaw represents a shift in the AI developer mindset: as AI becomes more powerful, the software that hosts it should become simpler. In the race to automate the enterprise, the winners may not be those who adopt the most features, but those who build upon the most transparent and secure foundations.
