NanoClaw: Security-First AI Agent with Docker Partnership
A security-focused, lightweight AI agent where every conversation runs inside its own container. Built on Anthropic's Agents SDK with an official Docker partnership announced March 2026. 26k stars, MIT license, ~50MB RAM footprint.
By Jose Nobile | 2026-04-20 | 12 min read
What Is NanoClaw?
NanoClaw is a security-focused, lightweight alternative in the AI agent ecosystem. With 26k GitHub stars and an MIT license, it is a TypeScript project created by Gavriel Cohen, a developer with 7 years of experience at Wix. NanoClaw prioritizes container isolation and minimal attack surface above all else. The latest release is v1.2.53 (April 2026), with 20K+ downloads since launch and growing enterprise adoption after the Docker partnership announcement.
The defining feature of NanoClaw is that every agent runs inside its own container with separate memory and filesystem per conversation. This means a compromised agent session cannot access data from other sessions, other users, or the host system. The security model is enforced at the infrastructure level, not just at the application level.
In March 2026, NanoClaw announced an official partnership with Docker, integrating Docker Sandboxes as the default isolation runtime. This partnership signals where enterprise AI agent deployment is heading -- toward hardened, container-isolated execution environments that meet corporate security requirements.
Container Isolation
Per-Conversation Containers
Every agent conversation spawns inside its own container with isolated filesystem, memory, and network namespace. When the conversation ends, the container is destroyed along with all its state. No data leaks between sessions.
Separate Memory per Session
Each conversation gets its own memory allocation within the container. The agent cannot access memory from previous conversations or other users. Persistent memory is explicitly opted into and stored in a controlled, auditable location outside the container.
Docker Runtime (Default)
Docker is the default container runtime, leveraging the Docker Sandboxes integration from the official partnership. The Docker runtime provides proven isolation, wide platform support, and seamless integration with existing Docker infrastructure.
Apple Container (macOS)
On macOS, NanoClaw can use Apple's native container runtime as an alternative to Docker. This provides native-speed isolation without the overhead of a Docker daemon, making it ideal for local development on Mac hardware.
Container isolation is not optional in NanoClaw -- it is the core design principle. Unlike agents that run directly on the host with file system access, NanoClaw treats every agent execution as potentially hostile and contains it accordingly. This makes NanoClaw particularly attractive for enterprise deployments where security compliance is non-negotiable.
Docker Partnership
In March 2026, NanoClaw announced an official integration with Docker Sandboxes. This is not just a "works with Docker" claim -- it is a formal partnership where Docker's team has contributed to NanoClaw's container integration layer, and NanoClaw is listed as an official Docker partner project.
The partnership includes:
- Docker Sandboxes integration -- Purpose-built container profiles optimized for AI agent workloads, with minimal attack surface and pre-configured security policies
- Official Docker images -- Maintained on Docker Hub with automated security scanning and vulnerability patching
- Enterprise deployment guides -- Joint documentation for deploying NanoClaw in corporate environments with Docker Enterprise
This partnership signals an important industry trend: as AI agents gain access to tools, filesystems, and APIs, the security model must be container-grade. NanoClaw and Docker are betting that sandboxed execution will become the standard for production AI agent deployment.
Architecture
Minimal Codebase
NanoClaw's core is approximately hundreds of lines of code -- deliberately minimal. This small surface area makes it easy to audit, understand, and verify for security properties. Less code means fewer bugs and fewer potential vulnerabilities.
Anthropic Agents SDK
Built on Anthropic's official Agents SDK, NanoClaw inherits a well-tested foundation for agent loops, tool execution, and conversation management. The SDK handles the complex agent orchestration while NanoClaw focuses on security and deployment.
Skills via Claude Code
Customization is done through skills, which are defined conversationally using Claude Code rather than through configuration files. This approach makes extending NanoClaw accessible to non-developers while maintaining the security boundary of the container.
~50MB RAM Footprint
NanoClaw runs with approximately 50MB of RAM per instance, making it practical to run multiple isolated agent sessions on a single machine. The minimal memory footprint also enables deployment on resource-constrained environments like small VPS instances.
Channels
NanoClaw supports multiple messaging channels, with WhatsApp as its primary and most mature integration. The channel system is extensible via skills:
WhatsApp (Baileys)
The primary channel, built on the Baileys library for WhatsApp Web protocol integration. Supports text, voice messages, images, and file attachments. The WhatsApp integration was NanoClaw's original focus and is the most polished channel.
Telegram
Full Telegram Bot API integration with support for text, voice, inline keyboards, and group chats. Telegram's native bot infrastructure makes it a natural fit for NanoClaw's container-per-session model.
Slack
Slack integration for team-based AI agent access. Supports channels, direct messages, threads, and Slack's rich message formatting. Each conversation thread in Slack maps to its own isolated container session.
Discord
Discord bot integration supporting text channels, direct messages, and server-level interactions. Discord's threading model maps naturally to NanoClaw's container isolation -- each thread gets its own sandbox.
Gmail
Email-based agent interaction through Gmail integration. The agent can read, respond to, and compose emails. Each email thread is processed in its own container, keeping email context isolated.
Custom Channels via Skills
Additional channels can be added through the skills system. The extensibility model means the community can contribute new channel adapters without modifying the NanoClaw core, preserving the small codebase principle.
Limitations
NanoClaw's security-first, minimal approach comes with trade-offs that are worth understanding before choosing it over alternatives like OpenClaw:
- Originally WhatsApp-only -- NanoClaw started as a WhatsApp-only agent and has been expanding to other channels. While Telegram, Slack, Discord, and Gmail are now supported, the breadth of channel support is narrower than OpenClaw's 20+ channels.
- Originally Claude-only -- The initial release only supported Anthropic's Claude as the AI provider. Support for additional providers is expanding, but the provider ecosystem is smaller than OpenClaw's 30+ provider integrations.
- Smaller community -- At 26k stars, NanoClaw has a strong but smaller community compared to OpenClaw. This means fewer third-party skills, fewer tutorials, and less community-contributed documentation.
- Container overhead -- The per-conversation container model adds startup latency (container spin-up time) and resource overhead. For high-throughput, low-latency use cases, this trade-off may not be acceptable.
These limitations are deliberate design choices, not bugs. NanoClaw trades breadth for security depth. If your primary requirement is enterprise-grade isolation and you work primarily with WhatsApp and Claude, NanoClaw is an excellent choice.
Known Issues
The NanoClaw repository has 157 total issues, but no issues with the "bug" label were found during our review. This is notable given the relatively high total issue count -- it suggests that the maintainers actively triage issues and that most reported items are feature requests or discussions rather than bugs.
The small core codebase (approximately hundreds of lines) makes NanoClaw easier to audit than larger frameworks. The reliance on Anthropic's Agents SDK for the heavy lifting means that many potential bug categories are handled by a well-maintained upstream dependency. Security researchers will find the codebase approachable for review.