Posted by jimminyx 5 days ago

Show HN: NanoClaw – “Clawdbot” in 500 lines of TS with Apple container isolation (github.com)
I’ve been running Clawdbot for the last couple weeks and have genuinely found it useful but running it scares the crap out of me.

OpenClaw has 52+ modules and runs agents with near-unlimited permissions in a single Node process. NanoClaw is ~500 lines of core code, agents run in actual Apple containers with filesystem isolation. Each chat gets its own sandboxed context.

This is not a swiss army knife. It’s built to match my exact needs. Fork it and make it yours.

527 points | 224 comments | page 2
walterbell 5 days ago
> found it useful but running it scares

https://maordayanofficial.medium.com/the-sovereign-ai-securi...

  At least 42,665 instances are publicly exposed on the internet, with 5,194 instances actively verified as vulnerable through systematic scanning..  The narrative that “running AI locally = security and privacy” is significantly undermined when 93% of deployments are critically vulnerable. Users may lose faith in self-hosted alternatives.. Governments and regulators already scrutinizing AI may use this incident to justify restrictions on self-hosted AI agents, citing security externalities.
srinath693 4 days ago
The "skills not features" contribution model is the most interesting part of this. Instead of a project that grows into another 52-module beast, contributors teach Claude how to transform the codebase per-user. It's basically contributing build instructions instead of build artifacts. If it actually works in practice, it's a genuinely novel approach to keeping small projects small.
jimminyx 4 days ago
Thanks! I believe that's where software is going. Just need Karpathy to give it a name so it can take off ;)
reassess_blind 5 days ago
What’s the difference between this, and just running Claude Code in --dangerously-skip-permissions mode in a container and accessing remotely via ssh?

I’m confused as to what these claw agents actually offer.

randomtoast 5 days ago
The README.md describes it as:

WhatsApp (baileys) --> SQLite --> Polling loop --> Container (Claude Agent SDK) --> Response

So they basically put a Wrapper around Claude in a Container, which allows you to send messages from WhatsApp to Claude, and act somewhat as if you had a Siri on steroids.

reassess_blind 5 days ago
Found the spec here: https://github.com/gavrielc/nanoclaw/blob/main/docs/SPEC.md

The scheduled tasks seem like the major functional difference. Pretty cool.

Has anyone tried Anthropic’s “Cowork”? How does that compare?

pulkas 4 days ago
This violates the Claude Code subscription terms of service, so please be careful.

This project violates Claude Code's Terms of Service by automating Claude to create an unattended chatbot service that responds to third-party messaging platforms (WhatsApp, and what you add ...).

  The exact issues:

  1. Automated, unattended usage - The system runs as a background service (launchd) that automatically responds to WhatsApp messages without human intervention (src/index.ts:549-574)

  2. Building a bot service - This creates a persistent bot that monitors messages and responds automatically, which violates restrictions on building derivative services on top of Claude

  3. Third-party platform integration - Connecting Claude to WhatsApp (or other messaging platforms) to create an automated assistant service isn't an authorized use case.

  The README itself reveals awareness of this issue at line 41:

  **No ToS gray areas.** Because it uses Claude Agent SDK natively with no hacks or workarounds, using your subscription with your auth token is completely legitimate (I think). No risk of being shut down for terms of service violations (I am not a lawyer).

  The defensive tone ("I think", "I am not a lawyer") indicates uncertainty about legitimacy. While using your own credentials doesn't automatically make automated bot services compliant—Anthropic's TOS restricts using their products to build automated chatbot services, regardless of authentication method.

  The core violation: transforming Claude Code into an automated bot service that operates without human intervention, which is explicitly prohibited.
jimminyx 4 days ago
Interesting. Again, not a lawyer, but all of this is a bit murky and not sure it applies.

1. Usage is not automated and unattended - it only responds to messages that are sent to it with a specific prefix "Andy:"

2. This is not a bot service. It is not crawling twitter and responding to posts. Hard to see how sending it messages through WhatsApp is any different than through ssh via the terminal

3. I don't think a custom piece of software running on my computer that pipes data from a program into the Agents SDK is a third party "platform" integration.

How is this different from running Agents SDK as part of a CI process?
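
The pipeline quoted from the README earlier in the thread (message store, polling loop, container) and the "Andy:" trigger mentioned in the reply above, sketched as an added example that is not part of any comment and is not NanoClaw's code. All names, the sandbox root path and the chat-id validation rule are assumptions made for illustration; the rows are constructed stand-ins for the SQLite table.

```typescript
// Added example; every name here is hypothetical, not taken from NanoClaw.
interface StoredMessage { id: number; chatId: string; text: string }
interface Job { chatId: string; prompt: string; sandboxDir: string }

const TRIGGER = "Andy:";                      // prefix mentioned in the thread
const SANDBOX_ROOT = "/srv/agent-sandboxes";  // constructed path

// Map a chat id to its own directory. Ids that could escape the root
// (slashes, "..", leading dots) are refused rather than sanitised.
function sandboxDirFor(chatId: string): string | null {
  const ok = /^[A-Za-z0-9][A-Za-z0-9@._-]{0,63}$/.test(chatId);
  if (!ok || chatId.includes("..")) return null;
  return `${SANDBOX_ROOT}/${chatId}`;
}

// One pass of the polling loop: read rows newer than the cursor, keep only
// messages that carry the trigger, and hand back jobs plus the new cursor.
function pollOnce(rows: StoredMessage[], cursor: number): { jobs: Job[]; cursor: number } {
  const jobs: Job[] = [];
  let next = cursor;
  const fresh = rows.filter((r) => r.id > cursor).sort((a, b) => a.id - b.id);
  for (const row of fresh) {
    next = row.id; // advance past ignored rows too, so they are never re-read
    if (!row.text.startsWith(TRIGGER)) continue;
    const sandboxDir = sandboxDirFor(row.chatId);
    if (sandboxDir === null) continue; // untrusted id: no container is started
    const prompt = row.text.slice(TRIGGER.length).trim();
    if (prompt.length > 0) jobs.push({ chatId: row.chatId, prompt, sandboxDir });
  }
  return { jobs, cursor: next };
}

// Constructed rows standing in for the SQLite message table.
const sampleRows: StoredMessage[] = [
  { id: 1, chatId: "family@g.us", text: "dinner at 7?" },
  { id: 2, chatId: "family@g.us", text: "Andy: add milk to the list" },
  { id: 3, chatId: "../../etc", text: "Andy: read notes" },
  { id: 4, chatId: "work@g.us", text: "Andy: summarise today" },
];

const result = pollOnce(sampleRows, 0);
console.log(result.jobs, result.cursor);
```

Only rows 2 and 4 become jobs: row 1 lacks the trigger and row 3 carries a chat id that would resolve outside the sandbox root.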

treelover 5 days ago
Interesting choice to use native Apple Containers over Docker.

I assume this is to keep the footprint minimal on a Mac Mini without the overhead of the Docker VM, but does this limit the agent's ability to run standard Linux tooling? Or are you relying on the AI to just figure out the BSD/macOS equivalents of standard commands?

garblegarble 4 days ago
>does this limit the agent's ability to run standard Linux tooling? Or are you relying on the AI to just figure out the BSD/macOS equivalents of standard commands?

Slightly counterintuitively, Apple Containers spawns linux VMs.

There doesn't appear to be any way to spawn a native macOS container... which is a pity, it'd be nice to have ultra-low-overhead containers on macOS (but I suspect all the interesting macOS stuff relies on a bunch of services/gui access that'd make it not-lightweight anyway)

FYI: it's easy enough to install GNU tools with homebrew; technically there's a risk of problems if applications spawn commandline tools and expect the BSD args/output but I've not run into any issues in the several years I've been doing it.

selkin 5 days ago
Not sure if it's intended, but Apple Container is a microvm, providing much better isolation than containers (while retaining the familiar interface)
TheDong 5 days ago
"much better isolation than containers"

If you've got an exploit for docker / linux containers, please share it with the class.

What I'm saying is that in practice, containers and VMs have both been quite secure.

Also, you can configure docker to run microvms too https://github.com/firecracker-microvm/firecracker-container...

selkin 4 days ago
We want to protect against the unknown, not the known. The less surface area, the better, and containers have much wider surface area than VMs. Both had their faults, of course.
ohyoutravel 5 days ago
[flagged]
reassess_blind 5 days ago
What makes you think it's an AI comment?
yomismoaqui 5 days ago
Maybe what you are responding to is the AI comment? Or am I?
cadamsdotcom 5 days ago
If only there were some way to answer your own question. Maybe with some kind of engine that searches.
avaer 5 days ago

  Quick Start
  git clone https://github.com/anthropics/nanoclaw.git

Is this an official Anthropic project? Because that repo doesn't exist.

Or is this just so hastily thrown together that the Quick Start is a hallucination?

That's not a facetious question, given this project's declared raison d'etre is security and the subtle implication that OpenClaw is an insecure unreviewed pile of slop.

jimminyx 5 days ago
Fixed, thanks. Claude Code likes to insert itself and anthropic everywhere.

If it somehow wasn't abundantly clear: this is a vibe coded weekend project by a single developer (me).

It's rough around the edges but it fits my needs (talking with claude code that's mounted on my obsidian vault and easily scheduling cron jobs through whatsapp). And I feel a lot better running this than a +350k LOC project that I can't even begin to wrap my head around how it works.

This is not supposed to be something other people run as is, but hopefully a solid starting point for creating your own custom setup.

kklisura 5 days ago
Claude hallucinated that repo here in this commit https://github.com/gavrielc/nanoclaw/commit/dbf39a9484d9c66b...
mcintyre1994 5 days ago
I like that Claude's hypothesis was that Anthropic created openclaw and this anti-openclaw :)

> This is the anti-[OpenClaw](https://github.com/anthropics/openclaw).

raybb 5 days ago
Seems to be fixed now
eskaytwo 5 days ago
Thanks! Was hoping someone would do something more sane like this.

Openclaw is very useful, but like you I share the sentiment of it being terrifying, even before you introduce the social network aspect.

My Mac mini is currently literally switched off for this very reason.

prophesi 5 days ago
Am I correct that after cloning down the project, you open the directory in Claude Code, then "execute" a markdown file instructing a nondeterministic LLM to set everything up for you in natural language?
Spacemolte 4 days ago
The premise of the project is he doesn't want to run code he doesn't know + in an insecure way, so having the setup step to install dependencies etc, done by an LLM seems like an odd choice. Like what part about the setup step is so fluffy and different per environment, that using an LLM for it makes sense?
te_chris 5 days ago
Posthog is doing this now for project setup
nsonha 5 days ago
Not sure if this is meant to be sarcastic but isn't Posthog patient zero of Sha1-Hulud 2.0?
prophesi 5 days ago
It's certainly a good time to get into cybersecurity.
hitsmaxft 3 days ago
https://github.com/gavrielc/nanoclaw/commit/22eb5258057b49a0... Is this inserting an advertisement into the agent prompt?
sothatsit 5 days ago
The idea of avoiding config files, and having the config be getting your agent to modify its own codebase, is fascinating.

My gut reaction says that I don't like it, but it is such an interesting idea to think about.