NanoClaw solves one of OpenClaw’s biggest security issues – and it’s already driving the creator’s biz



The rapid viral adoption of Austrian developer Peter Steinberger’s open source AI assistant OpenClaw in recent weeks has sent businesses and indie developers into a tizzy.

It’s easy to see why: OpenClaw is free to use today and offers a powerful way to autonomously complete work and perform tasks across a user’s computer, phone, or even business with natural speech prompts that activate swarms of agents. Since its release in November 2025, it has captured the market with more than 50 modules and extensive integration, but its "without permission" architecture raised alarms among developers and security teams.

Enter NanoClaw, a lighter, more secure version that debuted under an open source MIT License on January 31, 2026, and has achieved rapid growth, surpassing 7,000 stars on GitHub in just one week.

Created by Gavriel Cohen, an experienced software engineer who spent seven years at website builder Wix.com, the project was built to address the "security nightmare" inherent in complex, non-sandboxed agent frameworks. Cohen and his brother Lazer are also co-founders of Qwibit, a new AI-first go-to-market agency, and vice president and CEO, respectively, of Concrete Media, a respected public relations firm that often works with tech businesses covered by VentureBeat.

NanoClaw’s immediate solution to this architectural concern was a hard pivot toward isolation at the operating system level. The project places each agent inside isolated Linux containers—using Apple Containers for high-performance execution on macOS or Docker for Linux environments.

This creates a strict "sandboxed" environment where AI interacts only with directories that are explicitly mounted by the user.
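
The explicit-mount model described above can be sketched as a launcher that refuses any host directory outside a user-supplied allowlist. This is an added example, not NanoClaw's code: the function names, the image name and the /srv/agent-data paths are hypothetical, and it only builds the argument list for docker run rather than starting a container.

```typescript
// Added illustration, not NanoClaw's code. All names and paths are hypothetical.
type MountRequest = { hostPath: string; containerPath: string; writable?: boolean };

// Collapse "." and ".." segments so "../" traversal cannot slip past the check.
// Symlinks are NOT resolved here; a real launcher should also realpath the host side.
function normalizePosix(p: string): string {
  if (p.charAt(0) !== "/") throw new Error("path must be absolute: " + p);
  const out: string[] = [];
  for (const seg of p.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") { out.pop(); continue; }
    out.push(seg);
  }
  return "/" + out.join("/");
}

// Segment-aware containment: "/srv/agent-data-old" is not inside "/srv/agent-data".
function isWithin(root: string, child: string): boolean {
  const prefix = root === "/" ? "/" : root + "/";
  return child === root || child.indexOf(prefix) === 0;
}

// Build the argv for docker run: only allowlisted host directories are
// bind-mounted, and every mount is read-only unless explicitly marked writable.
function buildDockerArgs(image: string, allowedRoots: string[], mounts: MountRequest[]): string[] {
  const roots = allowedRoots.map(normalizePosix);
  const args = ["run", "--rm", "--cap-drop", "ALL", "--security-opt", "no-new-privileges"];
  for (const m of mounts) {
    const host = normalizePosix(m.hostPath);
    const target = normalizePosix(m.containerPath);
    if (!roots.some((r) => isWithin(r, host))) {
      throw new Error("host path is outside the allowlist: " + host);
    }
    // --mount takes comma-separated key=value pairs, so reject paths that could add keys.
    if (/[,=]/.test(host + target)) throw new Error("unsupported character in path");
    args.push("--mount", "type=bind,source=" + host + ",target=" + target + (m.writable ? "" : ",readonly"));
  }
  args.push(image);
  return args;
}
```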

While other frameworks build in internal "safeguards" or application-level permissions to block certain commands, Gavriel maintains that such defenses are inherently weak.

"I did not run that on my machine and ran an agent," Cohen explained in a recent technical interview. "There is always a way out if you are running directly on the host machine. In NanoClaw, the ‘blast radius’ of a potential quick injection is strictly limited to the container and the specific communication channel."

A more secure foundation for agent autonomy

The technical criticism at the heart of NanoClaw’s development is one of bloat and auditability. When Cohen first evaluated OpenClaw (formerly Clawbot), he discovered a code base of nearly 400,000 lines with hundreds of dependencies.

In the fast-moving AI landscape, such complexity is an engineering hurdle and a potential liability.

"As a developer, every open source dependency we add to our codebase, you review. You look at how many stars it has, who the maintainers are, and if it has the right processes in place," Cohen notes. "If you have a codebase with half a million lines of code, no one is reviewing that. It destroys the concept of what people trust with open source."

NanoClaw counters this by reducing the core logic to almost 500 lines of TypeScript. This minimalism ensures that the entire system—from state management to agent calls—can be audited by a human or a secondary AI in roughly eight minutes.

The architecture uses a single-process Node.js orchestrator that manages each group’s message queue with integration control.

Instead of heavy distributed message brokers, it relies on SQLite for lightweight persistence and filesystem-based IPC. This design choice is intentional: by using simple primitives, the system remains transparent and modifiable.

Additionally, isolation extends beyond the filesystem. NanoClaw natively supports Agent Swarms via the Anthropic Agent SDK, which allows specialized agents to work together in parallel. In this model, each sub-agent of a host can be isolated in its own specific memory context, preventing sensitive data from leaking between different chat groups or business functions.

The product vision: Competencies in parts

One of NanoClaw’s most radical departures is its rejection of the traditional "full of features" software model. Cohen describes NanoClaw as "Native AI" software: a system designed to be managed and expanded primarily through AI interaction rather than manual configuration.

The project clearly prevents contributors from submitting PRs that add more features like Slack or Discord support to the main branch. Instead, they are encouraged to contribute "Skills": modular instructions available in .claude/skills/ that teach the developer’s local AI assistant how to modify the code.

"If you like Telegram, delete WhatsApp and install Telegram," Cohen said. "Each person should have the exact code they need to run their agent. This is not a Swiss Army knife; it’s a secure harness that you customize by talking to Claude Code."

This "Skills over Features" model means that a user can run a command like /add-telegram or /add-gmail, and the AI will rewrite the local installation to integrate the new capability while keeping the codebase stable. This approach ensures that if a user only needs a WhatsApp-based assistant, they will not be forced to inherit the security vulnerabilities of fifty unused modules.

Real-world use of an agency’s native AI

This was not just a theoretical experiment for the Cohen brothers. Their new AI go-to-market agency, Qwibit, uses NanoClaw (specifically a personal instance named "Andy") to run its internal operations.

"Andy manages our sales pipeline for us. I don’t directly interact with the sales pipeline," Cohen explained.

The agent gives briefings from Sunday to Friday at 9:00 a.m., detailing lead statuses and assigning tasks to the team.

The utility is in frictionless data retrieval. Throughout the day, Lazer and Gavriel forward chaotic WhatsApp notes or email threads to their admin group.

Andy parses these inputs, updates relevant files in an Obsidian vault or SQLite database, and sets automated follow-up reminders.

Since the agent has access to the codebase, it can also be tasked with repetitive technical jobs, such as reviewing the git history for "documentation drift" or refactoring its own functions to improve ergonomics for future agents.

Strategic evaluation for business

As the pace of change accelerates in early 2026, technical decision makers are faced with a fundamental choice between convenience and control. For AI engineers focused on rapid deployment, NanoClaw offers a blueprint for what Cohen calls the "best harness" for the "best model".

By building on top of the Claude Agent SDK, NanoClaw provides a way to use state-of-the-art models (such as Opus 4.6) within a framework that a lean engineering team can actually maintain and optimize.

From the perspective of orchestration engineers, NanoClaw’s simplicity is its greatest asset for building scalable, reliable pipelines.

Traditional, bloated frameworks often introduce budget-draining overhead through complex microservices and message queues.

NanoClaw’s container-first approach allows for the implementation of advanced AI technologies, including autonomous swarms, without the resource constraints and "technical debt" associated with 400,000-line legacy systems.

Perhaps most critically, for security leaders, NanoClaw addresses the "many responsibilities" in incident response and organizational protection.

In an environment where prompt injection and data exfiltration are evolving daily, a 500-line auditable core is more secure than a generic system that tries to support every use case.

"I recommend that you send the repository link to your security team and ask them to audit it," Cohen advises. "They can review it in an afternoon—not just read the code, but whiteboard the entire system, map out attack vectors, and verify that it’s secure."

Ultimately, NanoClaw represents a shift in the AI developer mindset. It’s an argument that as AI becomes more powerful, the software that hosts it must become simpler. In the business automation race, the winners may not be those who adopt the most features, but those who build the most transparent and secure foundations.


