NanoClaw — Summary

NanoClaw is a lightweight TypeScript harness that runs Claude agents inside per-session Docker Linux containers, providing OS-level filesystem isolation rather than application-level permission checks. Each registered agent group gets its own container, its own CLAUDE.md, its own memory, and only the filesystem mounts you explicitly allow. The project positions itself as a minimal, forkable alternative to the larger OpenClaw (~500k lines), keeping its own trunk small enough for a single developer to read in one sitting. Channel adapters (Telegram, Discord, WhatsApp, Slack, Gmail, etc.) are installed on-demand via /add-<channel> skills rather than bundled, so each fork stays lean. An SQLite-backed message bus routes inbound messages through the container boundary using two files per session (inbound.db → container → outbound.db) — no IPC, no stdin piping, no cross-mount contention. Optional micro-VM isolation via Docker Sandboxes or Apple Container is an opt-in layer on top of the Docker default. Credential security is delegated to OneCLI's Agent Vault, which injects API keys at request time so agent containers never hold raw credentials.

Differs from seeds: Closest to agent-os in "personal harness for one user" philosophy, but NanoClaw adds true container isolation (vs agent-os's in-place execution), a skill-driven channel marketplace, multi-channel routing (WhatsApp/Telegram/Discord/Slack simultaneously), and scheduled-task support. Unlike claude-flow's hive-mind orchestration, NanoClaw is single-agent-per-conversation with no peer-to-peer coordination. Unlike superpowers, NanoClaw ships zero workflow-methodology skills — its skills are infrastructure primitives (add channel, manage mounts, update harness).

NanoClaw — Overview

Origin

NanoClaw was created as a deliberate minimalist reaction to OpenClaw's complexity. The author's stated motivation (verbatim from README):

"OpenClaw is an impressive project, but I wouldn't have been able to sleep if I had given complex software I didn't understand full access to my life. OpenClaw has nearly half a million lines of code, 53 config files, and 70+ dependencies. Its security is at the application level (allowlists, pairing codes) rather than true OS-level isolation. Everything runs in one Node process with shared memory."

Philosophy (verbatim)

• "Small enough to understand." One process, a few source files and no microservices.
• "Secure by isolation." Agents run in Linux containers and they can only see what's explicitly mounted.
• "Built for the individual user." NanoClaw isn't a monolithic framework; it's software that fits each user's exact needs.
• "Customization = code changes." No configuration sprawl. Want different behavior? Modify the code.
• "AI-native, hybrid by design." The install and onboarding flow is an optimized scripted path. When a step needs judgment, control hands off to Claude Code seamlessly.
• "Skills over features." Trunk ships the registry and infrastructure, not specific channel adapters or alternative agent providers.
• "Best harness, best model." NanoClaw natively uses Claude Code via Anthropic's official Claude Agent SDK.

Target User

Solo developers who want multi-channel AI messaging (WhatsApp, Telegram, Discord, etc.) with genuine security guarantees, without needing to trust a large opaque codebase.

Repo Facts

• GitHub: https://github.com/nanocoai/nanoclaw (canonical; the batch-18 URL qwibitai/nanoclaw redirects here)
• Stars: 29,431 (as of 2026-05-26)
• Language: TypeScript (Bun runtime inside containers)
• License: MIT
• Last commit: 2026-05-26
• v2 rewrite with migration script from v1

NanoClaw — Architecture

Distribution

• Type: Clone-and-configure (standalone repo, fork-it model)
• Install: git clone https://github.com/nanocoai/nanoclaw.git && bash nanoclaw.sh
• Runtime: Node.js 20+ / pnpm 10+ on host; Bun inside agent containers; Docker or Apple Container required
• CLI Binary: ncl (Python-based claw CLI installed via /claw skill)

Message Flow

messaging apps → host process (router) → inbound.db → container (Bun, Claude Agent SDK) → outbound.db → host process (delivery) → messaging apps

• Host Node.js process routes incoming messages via entity model (user → messaging group → agent group → session)
• Writes to session's inbound.db, wakes the container
• Container polls inbound.db, runs Claude Agent SDK, writes to outbound.db
• Host polls outbound.db, delivers back through channel adapter

Key Design Choices

• Two SQLite files per session: each with exactly one writer — no cross-mount contention, no IPC, no stdin piping
• Channels and providers self-register at startup: trunk ships only the registry
• Three-level isolation: see docs/isolation-model.md
  1. Basic Docker container (default)
  2. Docker Sandboxes (micro-VM isolation, optional)
  3. Apple Container (macOS-native micro-VM, optional)

Directory Tree

nanoclaw/
├── src/                    # TypeScript host process
│   ├── index.ts            # Entry point: DB init, channel adapters, delivery polls
│   ├── channels/           # Channel adapter registry
│   ├── container-runner.ts # Docker/Apple Container invocation
│   ├── db/                 # SQLite session state
│   └── cli/                # ncl CLI client
├── container/              # Agent container image (Dockerfile + Bun + Claude SDK)
├── .claude/
│   └── skills/             # 49 skills (add-<channel>, manage, migrate, etc.)
├── docs/                   # architecture.md, isolation-model.md, etc.
├── setup/                  # Interactive setup wizard
├── scripts/                # Utility scripts
├── nanoclaw.sh             # Full install + onboard script
├── migrate-v2.sh           # v1→v2 migration script
├── package.json            # bin: {ncl: "bin/ncl"}
└── .mcp.json               # MCP config (not a bundled server)

Target AI Tools

• Claude Code (via Anthropic Claude Agent SDK) — primary
• Codex (via /add-codex skill)
• OpenCode/OpenRouter (via /add-opencode skill)
• Ollama local models (via /add-ollama-provider skill)

Required Runtime

• Node.js >= 20, pnpm >= 10 (host)
• Docker Desktop (macOS/Windows) or Docker Engine (Linux)
• macOS or Linux (WSL2 for Windows)
• Claude Code for skill installation and error recovery

NanoClaw — Components

Skills (49 total, in .claude/skills/)

Infrastructure / Setup

• setup — Initial NanoClaw install; delegates to nanoclaw.sh
• init-first-agent — Creates first agent group, promotes operator to owner, verifies delivery
• init-onecli — Registers Anthropic credential with OneCLI Agent Vault
• customize — Guided code-change workflow for personalizing the fork
• debug — Diagnose and fix NanoClaw issues
• update-nanoclaw — Pull latest changes and rebuild
• update-skills — Update skills directory
• migrate-nanoclaw — In-place NanoClaw migration
• migrate-from-v1 — v1 → v2 data migration
• migrate-from-openclaw — OpenClaw → NanoClaw migration

Channel Adapters (install-on-demand)

• add-telegram — Add Telegram channel
• add-discord — Add Discord channel
• add-whatsapp — Add WhatsApp (official Cloud API)
• add-whatsapp-cloud — WhatsApp Cloud API variant
• add-slack — Add Slack channel
• add-gmail-tool — Gmail integration
• add-gcal-tool — Google Calendar integration
• add-gchat — Google Chat channel
• add-imessage — iMessage channel
• add-matrix — Matrix channel
• add-macos-statusbar — macOS menu bar channel
• add-emacs — Emacs integration
• add-github — GitHub integration
• add-linear — Linear integration
• add-deltachat — Delta Chat channel
• add-atomic-chat-tool — Atomic Chat tool

Provider Adapters (alternate LLM backends)

• add-codex — OpenAI Codex provider
• add-opencode — OpenCode / OpenRouter / Google / DeepSeek provider
• add-ollama-provider — Local Ollama provider
• add-ollama-tool — Ollama as a tool (not provider)

Channel Management

• manage-channels — Wire channels to agent groups, manage isolation levels
• manage-mounts — Control filesystem mounts per agent container

Specialized Tools

• claw — Install the claw Python CLI for terminal-to-container access
• add-parallel — Parallel agent execution
• convert-to-apple-container — Switch from Docker to Apple Container runtime
• use-native-credential-proxy — OneCLI credential proxy setup
• add-mnemon — Memory tool integration
• add-karpathy-llm-wiki — Karpathy LLM wiki tool
• add-dashboard — Web dashboard for monitoring
• add-macos-statusbar — macOS status bar
• get-qodo-rules — Fetch Qodo AI rules
• qodo-pr-resolver — PR review with Qodo
• x-integration — X (Twitter) integration

CLI Binaries

• ncl — NanoClaw client CLI (bin/ncl, TypeScript/Node)
• claw — Agent container invocation CLI (Python, installed via skill)

Container Image

• nanoclaw-agent:latest — Bun + Claude Agent SDK + tool dependencies
• Built via ./container/build.sh
• Alpine Linux base

Database

• data/v2.db — SQLite: agent_groups, messaging_groups, messaging_group_agents, user_roles, scheduled_tasks
• Per-session: inbound.db, outbound.db (one writer each)

Config Files

• .env — API keys, channel tokens (never exposed to containers)
• CLAUDE.md / CLAUDE.local.md — Per-agent-group instructions
• .mcp.json — MCP server configuration (not bundled)

NanoClaw — Uniqueness & Positioning

differs_from_seeds

NanoClaw is closest to agent-os in its "personal harness for one individual" philosophy, but diverges architecturally on every major dimension: where agent-os writes files in-place with no isolation, NanoClaw wraps every agent session in a Docker Linux container (with optional micro-VM upgrade). Where agent-os ships 5 commands for writing markdown standards files, NanoClaw ships 49 skills for adding messaging channels and managing container infrastructure. NanoClaw's skill library is exclusively infrastructure primitives — it ships zero workflow methodology. Unlike claude-flow's hive-mind with 305 MCP tools and consensus protocols, NanoClaw is deliberately single-threaded per conversation. Unlike ccmemory's persistent Neo4j graph, NanoClaw stores state in SQLite with explicit mount-based memory isolation per agent group.

Distinctive Positioning

1. Isolation as the primary value proposition: NanoClaw is explicitly built around the claim that OS-level container isolation > application-level permission checks. This is rare in the corpus.

2. Fork-it model: NanoClaw is designed to be forked and customized via code changes, not configured. The README explicitly says "No configuration sprawl. Want different behavior? Modify the code."

3. Skills as infrastructure primitives: 49 skills are all infrastructure (add channel, migrate, manage mounts) — not productivity tools. This is the inverse of superpowers/BMAD.

4. Multi-channel routing as first-class: Channel routing (WhatsApp → agent-group-A, Telegram → agent-group-B) with three isolation modes (same-session / shared / separate-agent) is uniquely developed in this corpus.

5. OneCLI credential vault integration: Credential injection at the proxy layer (never in container) is a security primitive not seen in other frameworks.

Observable Failure Modes

• Requires Docker + Node.js — install complexity is real (multi-step, platform-dependent)
• Channel adapters are on separate branches, not trunk — users must know to run /add-telegram etc.
• v2 is a major rewrite; v1 users need migration
• No structured audit log — debugging relies on SQLite queries
• No out-of-the-box web UI (must install via skill)
• Not portable: deeply tied to Claude Code + Anthropic Claude Agent SDK (other providers are add-ons)