They may seem like small details, but I think a couple novel design decisions are going to prove to be widely adopted and revolutionary.
The biggest one (as Karpathy notes) is having skills for how to write a (slack, discord, etc) integration, instead of shipping an implementation for each.
Call it “Claude native development” if you will, but “fork and customize” instead of batteries-included platforms/frameworks is going to be a big shift when it percolates through the ecosystem.
A bunch of things you need to figure out, eg how do you ship a spec for how to test and validate the thing, make it secure, etc.
How long before OSs start evolving in this way? You can imagine Auto research-like sharing and promotion upstream of good fixes/approaches, but a more heterogenous ecosystem could be more resistant to attacks if each instance had a strong immune system.
The strength of open source software is collaboration. That many people have tried it, read it, submitted fixes and had those fixes reviewed and accepted.
We've all seen LLMs spit out garbage bugs on the first few tries. I've written garbage bugs on my first try too. We all benefit from the review process.
I would rather have a battle tested base to start customizing from than having to stumble through the pitfalls of a buggy or insecure AI implementation.
I have thought of this ship a spec concept. What is we are just trading markdown files instead of code files to implement some feature into our system?
I like NanoClaw a lot. I found OpenClaw to be a bloated mess, NanoClaw implementation is so much tighter.
It's also the first project I've used where Claude Code is the setup and configuration interface. It works really well, and it's fun to add new features on a whim.
Straightforward is ambiguous. To replicate NanoClaw would probably only take about a day of work and testing and refining in Claude Code, but that's a day I didn't have to spend to get NanoClaw.
You must explicitly state what your threat model is when writing about security tooling, isolation, and sandboxing.
This threat model is concerned with running arbitrary code generated by or fetched by an AI agent on host machines which contain secrets, sensitive files, and/or exfoliate data, apps, and systems which should not be lost.
What about the threat model where an agent deletes your entire inbox? Or sends your calendar events to a server after prompt injection? Bank transfers of the wrong amount to the wrong address etc. all these are allowed under the sandboxing model.
We need fine grained permissions per-task or per-tool in addition to sandboxing. For example: "this request should only ever read my gmail and never write, delete, or move emails".
Sandboxes do not solve permission escalation or exfiltration threats.
You mean like the section which goes into the threat model?
The Security Model: Design for Distrust
I wrote about this in Don’t Trust AI Agents: when you’re building with AI agents, they should be treated as untrusted and potentially malicious. Prompt injection, model misbehavior, things nobody’s thought of yet. The right approach is architecture that assumes agents will misbehave and contains the damage when they do…
My posts about these aspects of agent security get zero engagement (not even a salty "vibe slop" comment, lol), so ironically security is the thing everyone's talking about, but most people don't know enough to understand what they need.
Docker sandboxes sound exactly like what Apple is doing with their `container` framework. It's missing several Docker features still, but if I were to pick a minimal, native runtime, it would probably be that, not the multi-gigabyte monster that is Docker for macOS.
On Linux, however, I absolutely don't want a hypervisor on my quite underpowered single-board server. Linux namespaces are enough for what I want from them (i.e. preventing one of these agent harnesses to hijack my memory, disk, or CPU). I wonder why neither OpenClaw nor NanoClaw seem to offer a sanely configured, prebuilt, and frequently updated Docker image?
Docker sandboxes are a neat way to contain AI agents. It spins a dedicated microVM and its Docker daemon for each agent container together with a flexible egress proxy to go with it. I've spent some time reverse engineering it and it's an interesting piece of implementation.
What I found interesting is nanoclaw isn’t a working product out of the box. You must use a coding agent to complete it with features you want. For example add iMessage support, etc.
The main issue is not so much if it needs to run inside a container or not (and to be honest there are even better isolation models, why not firecracker vm). The main issue is what are you going to do with it.
It does not really matter.
IMHO, until you figure out useful ways to spend tokens to do useful tasks the runtime should be a second thought.
As far as security goes, running LLM in a container in just simply not enough. What matters is not what files it can edit on your machine but what information it can access. And the access in this case as far as these agents are concerned is basically everything. If this does not scare you you should not be thinking about containers.
As an aside, app descriptions that just say "a lightweight alternative to X" are very unhelpful. That tells me nothing if I don't know what X does, and I don't want to have to go down a rabbit hole just to understand your product. It's particularly bad in this case, because even OpenClaw's Github page doesn't clearly tell me what it actually does; just that it's some kind of assistant that I can communicate with via WhatsApp etc. I appreciate that many people are already familiar with OpenClaw, but you shouldn't assume.
It's better if your app's description just tells me what it does in a direct way using plain language. It's fine to tell me it's an alternative to something, but that should be in addition to rather than instead of your own description.
What are the most obvious use cases for Nano/Open-Claw. I can't imagine anything obvious that I'd want to use it for. Is it supposed to run your digital life for you?
For me, it's my diet and workout buddy. It knows my goals, keeps me on track, does meal planning for me, gives me grocery lists, logs what I eat, when I exercise... anything I want so I don't slack off.
I've enhanced Nanoclaw quite a bit. Moved it to Apple containers (shipped with this Skill already). Then I wrote an API for Nanoclaw to use (food log, workouts, etc), then implemented long-term memory using LanceDB (because I was tired of repeating myself!).
All the sandboxing stuff is neat but the weakest link in these claw setups is not root access on the machine but root access to your life (Gmail, calendar, etc)
why give it root access to your life? i don't use these tools but it seems like you should never give anything that access. if a claw needs email, set up a google account just for it and forward relevant stuff to it. share your calendar with it. whatever, just don't let it "be" you.
access control, provisioning, and delegation have been solved for a very long time now.
They may seem like small details, but I think a couple novel design decisions are going to prove to be widely adopted and revolutionary.
The biggest one (as Karpathy notes) is having skills for how to write a (slack, discord, etc) integration, instead of shipping an implementation for each.
Call it “Claude native development” if you will, but “fork and customize” instead of batteries-included platforms/frameworks is going to be a big shift when it percolates through the ecosystem.
A bunch of things you need to figure out, eg how do you ship a spec for how to test and validate the thing, make it secure, etc.
How long before OSs start evolving in this way? You can imagine Auto research-like sharing and promotion upstream of good fixes/approaches, but a more heterogenous ecosystem could be more resistant to attacks if each instance had a strong immune system.
I get the appeal but I disagree
The strength of open source software is collaboration. That many people have tried it, read it, submitted fixes and had those fixes reviewed and accepted.
We've all seen LLMs spit out garbage bugs on the first few tries. I've written garbage bugs on my first try too. We all benefit from the review process.
I would rather have a battle tested base to start customizing from than having to stumble through the pitfalls of a buggy or insecure AI implementation.
Troubleshooting "works on my machine" issues most be fun when no two people have exactly the same implementation.
Also seems like this will further entrench the top 2 or 3 models. Use something else and your software stack looks different.
I have thought of this ship a spec concept. What is we are just trading markdown files instead of code files to implement some feature into our system?
I've been working on a similar idea to the "claws" but rather than integrating with messaging apps, just make the TUI available e2e encrypted where-ever you are. https://wingthing.ai/ / https://github.com/ehrlich-b/wingthing
I've been thinking about how docker support would work, so I'll check this out!
I like NanoClaw a lot. I found OpenClaw to be a bloated mess, NanoClaw implementation is so much tighter.
It's also the first project I've used where Claude Code is the setup and configuration interface. It works really well, and it's fun to add new features on a whim.
what workflows do you implement in Nanoclaw that wouldn't be straightforward to build in Claude?
Straightforward is ambiguous. To replicate NanoClaw would probably only take about a day of work and testing and refining in Claude Code, but that's a day I didn't have to spend to get NanoClaw.
You must explicitly state what your threat model is when writing about security tooling, isolation, and sandboxing.
This threat model is concerned with running arbitrary code generated by or fetched by an AI agent on host machines which contain secrets, sensitive files, and/or exfoliate data, apps, and systems which should not be lost.
What about the threat model where an agent deletes your entire inbox? Or sends your calendar events to a server after prompt injection? Bank transfers of the wrong amount to the wrong address etc. all these are allowed under the sandboxing model.
We need fine grained permissions per-task or per-tool in addition to sandboxing. For example: "this request should only ever read my gmail and never write, delete, or move emails".
Sandboxes do not solve permission escalation or exfiltration threats.
You mean like the section which goes into the threat model?
Don‘t you see the contradiction?
I don’t trust the agent so I sandbox it before I gave it the access data to my mail and bank accounts
I built an agent framework designed from the ground up around policy control (https://github.com/sibyllinesoft/smith-core) and I'm in the process of extracting the gateway from it so people can provide that same policy gated security to whatever agent they want (https://github.com/sibyllinesoft/smith-gateway).
My posts about these aspects of agent security get zero engagement (not even a salty "vibe slop" comment, lol), so ironically security is the thing everyone's talking about, but most people don't know enough to understand what they need.
Docker sandboxes sound exactly like what Apple is doing with their `container` framework. It's missing several Docker features still, but if I were to pick a minimal, native runtime, it would probably be that, not the multi-gigabyte monster that is Docker for macOS.
On Linux, however, I absolutely don't want a hypervisor on my quite underpowered single-board server. Linux namespaces are enough for what I want from them (i.e. preventing one of these agent harnesses to hijack my memory, disk, or CPU). I wonder why neither OpenClaw nor NanoClaw seem to offer a sanely configured, prebuilt, and frequently updated Docker image?
Docker sandboxes are a neat way to contain AI agents. It spins a dedicated microVM and its Docker daemon for each agent container together with a flexible egress proxy to go with it. I've spent some time reverse engineering it and it's an interesting piece of implementation.
What I found interesting is nanoclaw isn’t a working product out of the box. You must use a coding agent to complete it with features you want. For example add iMessage support, etc.
In other words, Claude is the compiler.
The main issue is not so much if it needs to run inside a container or not (and to be honest there are even better isolation models, why not firecracker vm). The main issue is what are you going to do with it.
It does not really matter.
IMHO, until you figure out useful ways to spend tokens to do useful tasks the runtime should be a second thought.
As far as security goes, running LLM in a container in just simply not enough. What matters is not what files it can edit on your machine but what information it can access. And the access in this case as far as these agents are concerned is basically everything. If this does not scare you you should not be thinking about containers.
Docker sandboxes uses a MicroVM as an additional isolation layer - its not just containers (as also mentioned in the nanoclaw post)
As an aside, app descriptions that just say "a lightweight alternative to X" are very unhelpful. That tells me nothing if I don't know what X does, and I don't want to have to go down a rabbit hole just to understand your product. It's particularly bad in this case, because even OpenClaw's Github page doesn't clearly tell me what it actually does; just that it's some kind of assistant that I can communicate with via WhatsApp etc. I appreciate that many people are already familiar with OpenClaw, but you shouldn't assume.
It's better if your app's description just tells me what it does in a direct way using plain language. It's fine to tell me it's an alternative to something, but that should be in addition to rather than instead of your own description.
What are the most obvious use cases for Nano/Open-Claw. I can't imagine anything obvious that I'd want to use it for. Is it supposed to run your digital life for you?
Hooking it up to your todo app and texting your bot to manage things. Assuming you’re a heavy todo app person that could benefit from such things.
The non-answer is anything you want.
For me, it's my diet and workout buddy. It knows my goals, keeps me on track, does meal planning for me, gives me grocery lists, logs what I eat, when I exercise... anything I want so I don't slack off.
I've enhanced Nanoclaw quite a bit. Moved it to Apple containers (shipped with this Skill already). Then I wrote an API for Nanoclaw to use (food log, workouts, etc), then implemented long-term memory using LanceDB (because I was tired of repeating myself!).
Does getviktor use NanoClaw?
All the sandboxing stuff is neat but the weakest link in these claw setups is not root access on the machine but root access to your life (Gmail, calendar, etc)
why give it root access to your life? i don't use these tools but it seems like you should never give anything that access. if a claw needs email, set up a google account just for it and forward relevant stuff to it. share your calendar with it. whatever, just don't let it "be" you.
access control, provisioning, and delegation have been solved for a very long time now.
This is true, but the attack surface on your life is decreased by better security around the entire setup.
But I fundamentally agree that there is just too much overlap between what makes claws useful and what makes them insecure.
I love how NanoClaw looks, but I simply can't bring myself to give Israeli software like this access to any of my systems.