Discussion
Run NanoClaw in Docker Sandboxes with One Command
jryio: You must explicitly state what your threat model is when writing about security tooling, isolation, and sandboxing. This threat model is concerned with running arbitrary code generated by or fetched by an AI agent on host machines which contain secrets, sensitive files, and/or explosive to data, apps, and systems which should not be lost. What about the threat model where an agent deletes your entire inbox? Or sends your calendar events to a server after prompt injection? Bank transfers of the wrong amount to the wrong address etc. For example: "this request should only ever read my gmail and never write, delete, or move emails". Sandboxes do not solve permission or exfiltration threats. We need fine grained permissions per-task or per-tool in addition to sandboxing.
MartiCarmona: Does getviktor use NanoClaw?
worldsayshi: What are the most obvious use cases for Nano/Open-Claw? I can't imagine anything obvious that I'd want to use it for. Is it supposed to run your digital life for you?
jdgoesmarching: Hooking it up to your todo app and texting your bot to manage things. Assuming you’re a heavy todo app person that could benefit from such things.
theptip: They may seem like small details, but I think a couple of novel design decisions are going to prove to be widely adopted and revolutionary. The biggest one (as Karpathy notes) is having skills for how to write a (Slack, Discord, etc.) integration, instead of shipping an implementation for each. Call it "Claude native development" if you will, but "fork and customize" instead of batteries-included platforms/frameworks is going to be a big shift when it percolates through the ecosystem. A bunch of things you need to figure out, e.g. how do you ship a spec for how to test and validate the thing, make it secure, etc. How long before OSs start evolving in this way? You can imagine Auto research-like sharing and promotion upstream of good fixes/approaches, but a more heterogeneous ecosystem could be more resistant to attacks if each instance had a strong immune system.
primer42: I get the appeal but I disagree. The strength of open source software is collaboration. That many people have tried it, read it, submitted fixes and had those fixes reviewed and accepted. We've all seen LLMs spit out garbage bugs on the first few tries. I've written garbage bugs on my first try too. We all benefit from the review process. I would rather have a battle tested base to start customizing from than having to stumble through the pitfalls of a buggy or insecure AI implementation.
strickjb9: The non-answer is anything you want. For me, it's my diet and workout buddy. It knows my goals, keeps me on track, does meal planning for me, gives me grocery lists, logs what I eat, when I exercise... anything I want so I don't slack off. I've enhanced NanoClaw quite a bit. Moved it to Apple containers (shipped with this Skill already). Then I wrote an API for NanoClaw to use (food log, workouts, etc.), then implemented long-term memory using LanceDB (because I was tired of repeating myself!).
Drupon: I love how NanoClaw looks, but I simply can't bring myself to give Israeli software like this access to any of my systems.
eli: Troubleshooting "works on my machine" issues must be fun when no two people have exactly the same implementation. Also seems like this will further entrench the top 2 or 3 models. Use something else and your software stack looks different.
behrlich: I've been working on a similar idea to the "claws" but rather than integrating with messaging apps, just make the TUI available e2e encrypted wherever you are. https://wingthing.ai/ / https://github.com/ehrlich-b/wingthing I've been thinking about how docker support would work, so I'll check this out!
jbstack: What do you mean by "manage things"? If you mean adding/updating/completing tasks, why not just do that directly in the app? Or do you mean that it will take your tasks and perform them for you?
0cf8612b2e1e: You mean like the section which goes into the threat model? The Security Model: Design for Distrust I wrote about this in Don’t Trust AI Agents: when you’re building with AI agents, they should be treated as untrusted and potentially malicious. Prompt injection, model misbehavior, things nobody’s thought of yet. The right approach is architecture that assumes agents will misbehave and contains the damage when they do…
croes: Don't you see the contradiction? I don't trust the agent so I sandbox it before I give it the access data to my mail and bank accounts
jryio: Correct
causal: I like NanoClaw a lot. I found OpenClaw to be a bloated mess, NanoClaw implementation is so much tighter. It's also the first project I've used where Claude Code is the setup and configuration interface. It works really well, and it's fun to add new features on a whim.
LaurensBER: Amen, my OpenClaw instance broke last week. Some update broke the OpenRouter integration and I haven't been able to fix the issue. I took a quick look at the code, hoping to narrow it down, and it's pretty much exactly what you would expect: there's hidden configuration files everywhere and in general it's just a lot of code for what's effectively a for loop with WhatsApp integration (in my case :)). Not to mention that their security model doesn't match my deployment (rootless and locked down Kubernetes container), so every OpenClaw update seemed to introduce some "fix" for a security issue that broke something else to solve a problem I do not have in the first place :) I've switched to https://github.com/nullclaw/nullclaw instead. Mostly because Zig seems very interesting, so if I have to debug any issues with Nullclaw at least I'll be learning something new :)
andlima: It would be interesting to have nanoclaw adapted to the Pi coding agent rather than Claude Code, which would combine two minimalist approaches.
systemerror: what workflows do you implement in Nanoclaw that wouldn't be straightforward to build in Claude?
causal: Straightforward is ambiguous. To replicate NanoClaw would probably only take about a day of work and testing and refining in Claude Code, but that's a day I didn't have to spend to get NanoClaw.
pigeons: Yes, but then what do you use NanoClaw for that it's a better fit for than Claude Code?
Eggpants: What I found interesting is NanoClaw isn't a working product out of the box. You must use a coding agent to complete it with features you want. For example add iMessage support, etc. In other words, Claude is the compiler.
Eggpants: I'm old enough to remember when one checked the assembly a compiler generated because early on they produced terrible assembly. Eventually they got good enough to not need checking. Coding agents are not close to that yet, but it's interesting watching history repeat itself. This narrative of the coding agents being so much better now over the last few months seems VERY exaggerated. I'm still spending a lot of time telling Claude: No, that didn't fix the problem. Again. Can you handle this task or do I have to give it to Codex?
ryanrasti: > We need fine grained permissions per-task or per-tool in addition to sandboxing. For example: "this request should only ever read my gmail and never write, delete, or move emails".

Yes 100%, this is the critical layer that no one is talking about. And I'd go even further: we need the ability to dynamically attenuate tool scope (ocap) and trace data as it flows between tools (IFC). Be able to express something like: can't send email data to people not on the original thread.
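A sketch of the two mechanisms jryio and ryanrasti describe above (per-task tool permissions, and a flow rule that thread data cannot leave the thread), as an added example that is not NanoClaw's code. The `Capability`, `Labeled`, `gmail_read`, `gmail_send` and `run_task` names and the sample thread are constructed for illustration.

```python
from dataclasses import dataclass

# Added example, not NanoClaw code. A tool capability is an explicit token that
# can only be narrowed (ocap-style attenuation); data a tool returns carries a
# label of who may see it (a minimal information-flow control check).


@dataclass(frozen=True)
class Capability:
    tool: str
    actions: frozenset

    def attenuate(self, *actions: str) -> "Capability":
        # Narrowing only: intersect with what this token already grants.
        return Capability(self.tool, self.actions & frozenset(actions))


@dataclass(frozen=True)
class Labeled:
    value: str
    readers: frozenset  # principals allowed to see this value


class PolicyError(Exception):
    pass


def gmail_read(cap: Capability, thread: dict) -> Labeled:
    if cap.tool != "gmail" or "read" not in cap.actions:
        raise PolicyError("capability does not permit gmail.read")
    # The body inherits the thread's participants as its readers.
    return Labeled(thread["body"], frozenset(thread["participants"]))


def gmail_send(cap: Capability, data: Labeled, recipients: list) -> str:
    if cap.tool != "gmail" or "send" not in cap.actions:
        raise PolicyError("capability does not permit gmail.send")
    outside = set(recipients) - data.readers
    if outside:  # labeled data may not flow to principals outside its label
        raise PolicyError(f"would disclose thread data to {sorted(outside)}")
    return f"sent to {sorted(recipients)}"


def run_task(cap: Capability, thread: dict, recipients: list) -> str:
    # Per-task wrapper: report a block instead of letting the agent loop crash.
    try:
        return gmail_send(cap, gmail_read(cap, thread), recipients)
    except PolicyError as e:
        return f"blocked: {e}"


# Constructed sample thread with placeholder addresses.
THREAD = {"body": "Q3 numbers attached",
          "participants": ["me@example.com", "bob@example.com"]}
FULL = Capability("gmail", frozenset({"read", "send", "delete"}))
READ_ONLY = FULL.attenuate("read")  # the "only ever read my gmail" task scope
```

Attenuation is one-directional: a task handed `READ_ONLY` cannot recover `send`, and even a task holding `FULL` is stopped from forwarding the body to an address not on the original thread.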