
Over the past year, early adopters of autonomous AI agents have had to play a dark game of chance: keep the agent in a useless sandbox, or give it the keys to the kingdom and hope it doesn’t hallucinate a disastrous "delete all" command.
To unlock the agent’s true utility—scheduling meetings, checking email, or managing cloud infrastructure—users had to give these models raw API keys and extensive permissions, increasing the risk of their systems being compromised by a random agent error.
This trade-off ends today. The creators of the open source, sandboxed NanoClaw agent framework, now known under their new private startup called NanoCo, have announced a landmark partnership with Vercel and OneCLI to implement a standardized, infrastructure-level approval system.
By combining Vercel’s Chat SDK and OneCLI’s open-source credential store, NanoClaw 2.0 ensures that no sensitive action takes place without explicit human consent delivered natively through the messaging apps users already live with.
The specific use cases that benefit the most are those involving high-stakes "write" events. In DevOps, for example, an agent can propose a cloud infrastructure change that is applied only after a senior engineer taps "Confirm it" in Slack.
For finance teams, the agent can prepare bulk payments or invoices, while the final payment requires a human signature via a WhatsApp card.
Technology: security through isolation
The main change in NanoClaw 2.0 is a move away from "application-level" security toward "infrastructure-level" enforcement. In traditional agent frameworks, the model itself is often responsible for asking for permission, something NanoCo co-founder Gavriel Cohen describes as inherently flawed.
"The agent is potentially harmful or compromised," Cohen said in a recent interview. "If the agent creates a UI for the approval request, it can trick you by changing the “Accept” and “Decline” buttons."
NanoClaw solves this by running agents in strictly isolated Docker or Apple Containers. The agent never sees the real API key; instead, it uses "placeholder" keys. When an agent attempts an outbound request, the request is intercepted by the OneCLI Rust Gateway. The gateway checks a set of user-defined policies (for example, "Read-only access is fine, but sending email requires confirmation").
If the action is sensitive, the gateway stops the request and sends a notification to the user. Only after the user authenticates does the gateway inject real, encrypted credentials and allow the request to reach the service.
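The gateway flow described above, sketched as an added TypeScript example; it is not NanoClaw or OneCLI code, and the rule format, host, secret and function names are all hypothetical. As an assumption beyond what the article states, it also binds each approval to the exact request the human was shown and makes it single-use.

```typescript
// Added illustration of a credential-injecting approval gateway.
// All names, hosts and secrets are constructed; this is not OneCLI's API.
type Decision = "allow" | "needs_approval";
interface Req { method: string; host: string; path: string; body: string; auth: string }
interface Rule { method: string; pathPrefix: string; decision: Decision }

const PLACEHOLDER = "placeholder-key"; // the only key the agent's container holds
const VAULT: Record<string, string> = { "mail.example.test": "constructed-real-secret" };
const RULES: Rule[] = [
  { method: "POST", pathPrefix: "/messages/send", decision: "needs_approval" },
  { method: "GET", pathPrefix: "/messages", decision: "allow" },
];

// Unmatched requests fail closed: they need a human and are never auto-allowed.
function evaluate(req: Req): Decision {
  const rule = RULES.find(r => r.method === req.method && req.path.startsWith(r.pathPrefix));
  return rule ? rule.decision : "needs_approval";
}

// An approval is bound to the exact request the human was shown.
const canonical = (r: Req): string => JSON.stringify([r.method, r.host, r.path, r.body]);
const pending = new Map<number, { shown: string; approved: boolean }>();
let nextId = 1;

// Called only by the messaging-channel handler, never from the agent's container.
function recordHumanApproval(id: number): void {
  const p = pending.get(id);
  if (p) p.approved = true;
}

type Result = { status: "forwarded"; sent: Req } | { status: "held"; id: number } | { status: "rejected" };

function handle(req: Req, approvalId?: number): Result {
  const secret = VAULT[req.host];
  if (req.auth !== PLACEHOLDER || secret === undefined) return { status: "rejected" };
  if (evaluate(req) === "needs_approval") {
    const p = approvalId === undefined ? undefined : pending.get(approvalId);
    if (!p || !p.approved || p.shown !== canonical(req)) {
      const id = nextId++;
      pending.set(id, { shown: canonical(req), approved: false });
      return { status: "held", id }; // the user would be notified out of band here
    }
    pending.delete(approvalId as number); // an approval can be used once
  }
  return { status: "forwarded", sent: { ...req, auth: secret } }; // inject the real credential
}
```

Because the approval state lives in the gateway and is flipped only by the channel handler, a compromised agent cannot approve its own request or reuse an approval for a different payload.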
Product: Bringing the ‘human’ into the loop
While security is the engine, Vercel’s Chat SDK is the dashboard. Integration with different messaging platforms is quite difficult because each app (Slack, Teams, WhatsApp, Telegram) uses different APIs for interactive elements like buttons and cards.
Using Vercel’s unified SDK, NanoClaw can now deploy to 15 different channels from a single TypeScript codebase. When an agent wants to perform a protected action, the user receives a rich interactive card on their phone. "Approval appears as a rich, native card inside Slack or WhatsApp or Teams, and the user taps once to approve or decline," Cohen said. This "flawless UX" is what makes human-in-the-loop control practical rather than a productivity bottleneck.
The full list of 15 supported messaging apps/channels includes many favorites of enterprise knowledge workers, including:
- Slack
- WhatsApp
- Telegram
- Microsoft Teams
- Discord
- Google Chat
- iMessage
- Facebook Messenger
- Instagram
- X (Twitter)
- GitHub
- Linear
- Matrix
- E-mail
- Webex
Background on NanoClaw
NanoClaw was launched on January 31, 2026 as a minimalist, security-oriented answer to the "security nightmare" inherent in complex, non-sandboxed agent frameworks.
It was founded by Cohen, a former Wix.com engineer, and developed by his brother Lazer, the CEO of B2B tech public relations firm Concrete Media. The project was intended to address the auditability crisis found in competing platforms such as OpenClaw, which grew to around 400,000 lines of code.
In contrast, NanoClaw crammed its core logic into about 500 lines of TypeScript—a size that would allow the entire system to be checked by a human or secondary AI in about eight minutes, according to VentureBeat.
The main technical defense of the platform is its use of isolation at the operating system level. Each agent is deployed inside an isolated Linux container (using Apple Containers for high performance on macOS or Docker for Linux) to ensure that the AI only interacts with directories explicitly mounted by the user.
As detailed in VentureBeat’s report on the project’s infrastructure, this approach limits the "blast radius" of potential prompt injections to the container and its dedicated communication channel.
In March 2026, NanoClaw further strengthened this security posture through an official partnership with software container firm Docker to run agents inside "Docker Sandboxes".
This integration uses MicroVM-based isolation to provide an enterprise-ready environment for agents who, by their very nature, must modify their environment by installing packages, modifying files, and running processes—actions that typically violate traditional container immutability assumptions.
Operationally, NanoClaw rejects the conventional "feature-rich" software model in favor of a "Skills over Features" philosophy. Instead of maintaining a bloated master branch with dozens of unused modules, the project encourages users to contribute "Skills": modular tutorials that teach how to transform and customize the codebase for specific needs, such as adding Telegram or Gmail support to your native AI assistant.
As described on the NanoClaw website and in VentureBeat interviews, this methodology ensures that users keep only the exact code required for their specific application.
In addition, the framework natively supports "Agent Swarms" through the Anthropic Agent SDK, enabling specialized agents to collaborate in parallel while maintaining isolated storage contexts for different business functions.
Licensing and open source strategy
NanoClaw adheres to the open source MIT License, encouraging users to take the project apart and customize it for their own needs. This stands in stark contrast to "monolithic" frameworks.
NanoClaw’s codebase is quite slim, with only 15 source files and about 3,900 lines of code, compared to the hundreds of thousands of lines found in competitors like OpenClaw.
The partnership also underscores the strength of the "Open Source Avengers" coalition.
By combining NanoClaw (agent orchestration), Vercel Chat SDK (UI/UX), and OneCLI (security/secrets), the project demonstrates that modular, open-source tools can outperform dedicated labs in building an application layer for AI.
Community reactions
As shown on the NanoClaw website, the project has amassed over 27,400 stars on GitHub and maintains an active Discord community.
The main claim on the NanoClaw website is that the code base is small enough to understand in "8 minutes," a feature aimed at security-conscious users who want to audit their assistant.
In the interview, Cohen noted that iMessage support through Vercel’s Photon project solves a common community hurdle: previously, users often had to keep a separate Mac Mini to connect agents to their iMessage account.
Enterprise Perspective: Should You Adopt?
For enterprises, NanoClaw 2.0 represents a transition from speculative experimentation to secure operational use.
Historically, IT departments have blocked the use of agents because of the "all or nothing" nature of credential access. By separating the agent from the secret, NanoClaw provides a middle ground that reflects existing enterprise security protocols, particularly the principle of least privilege.
Enterprises should consider this framework when they need high auditability and have strict compliance requirements related to data mining. According to Cohen, many businesses are unwilling to give agents access to calendars or emails. This framework ensures that the agent is structurally unable to act without permission.
Enterprises stand to benefit in particular in use cases involving "high stakes" events. As shown in the OneCLI dashboard, a user can set a policy that lets an agent read emails freely but triggers a manual confirmation dialog before it can "delete" or "send" one.
Because NanoClaw runs as a single Node.js process with isolated containers, it allows enterprise security teams to verify that the gateway is the only path for outbound traffic. This architecture transforms AI from an unsupervised operator into a controlled mini-worker and enables the productivity of autonomous agents without escaping executive control.
Finally, NanoClaw is recommended for organizations that want the productivity of autonomous agents without the "black box" risk of traditional LLM wrappers. It transforms the AI from a potentially rogue operator into a highly skilled junior worker who always asks for permission before hitting the "send" or "get" button.
As on-premises installations with artificial intelligence become the standard, this partnership creates a blueprint for how to manage trust in the era of the autonomous workforce.





