
Over the past year, early adopters of autonomous AI agents have been forced to play a murky game of chance: keep the agent in a useless sandbox or give it the keys to the kingdom and hope it doesn’t suffer a catastrophic "delete everything" hallucination.
To unlock the true utility of an agent—scheduling meetings, sorting emails, or managing cloud infrastructure—users have had to grant these models raw API keys and broad permissions, increasing the risk of their systems being disrupted by an accidental agent error.
That trade-off ends today. The creators of the open source, sandboxed NanoClaw agent framework, now operating as a new private startup called NanoCo, have announced a historic partnership with Vercel and OneCLI to introduce a standardized approval system at the infrastructure level.
By integrating Vercel’s Chat SDK and OneCLI’s open source credentials vault, NanoClaw 2.0 ensures that no sensitive actions occur without explicit human consent, delivered natively through the messaging apps where users already live.
The specific use cases that will benefit the most are those that involve high-consequence "write" actions. For example, in DevOps, an agent could propose a change to the cloud infrastructure that only goes live once a senior engineer taps "Approve" in Slack.
For finance teams, an agent could prepare batch payments or invoice sorting, and the final disbursement would require a human signature via a WhatsApp card.
Technology: security by isolation
The fundamental change in NanoClaw 2.0 is the move away from "application-level" security to "infrastructure-level" enforcement. In traditional agent frameworks, the model itself is typically responsible for asking for permission, a flow that Gavriel Cohen, co-founder of NanoCo, describes as inherently flawed.
"The agent could be potentially malicious or compromised," Cohen noted in a recent interview. "If the agent generates the UI for the approval request, you could trick it by swapping the “Accept” and “Reject” buttons."
NanoClaw solves this by running agents in strictly isolated Docker or Apple containers. The agent never sees an actual API key; instead, it uses "placeholder" keys. When the agent attempts an outbound request, the OneCLI Rust gateway intercepts it. The gateway checks a set of user-defined policies (e.g. "Read-only access is fine, but sending an email requires approval").
If the action is sensitive, the gateway pauses the request and triggers a notification to the user. Only after the user approves does the gateway inject the actual encrypted credential and allow the request to reach the service.
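The flow described above, as an added example that is not NanoClaw or OneCLI code: a minimal gateway that checks each outbound request against policy, holds approval-required requests, and swaps the placeholder key for the real secret only when forwarding. The type names, rule format, `makeGateway`, the `mail.example` host and the default-deny behaviour are assumptions made for illustration.

```typescript
// Added illustration, not NanoClaw or OneCLI code. All names are hypothetical.
type Req = { method: string; host: string; path: string; auth: string };
type Rule = { method: string; host: string; pathPrefix: string; action: "allow" | "approve" };
type Outcome =
  | { kind: "forwarded"; req: Req }
  | { kind: "pending"; id: number; prompt: string }
  | { kind: "denied" };

function makeGateway(rules: Rule[], vault: Map<string, string>) {
  const pending = new Map<number, Req>();
  let nextId = 1;

  // The placeholder is swapped for the real secret only here, after policy has passed.
  const forward = (req: Req, secret: string): Outcome =>
    ({ kind: "forwarded", req: { ...req, auth: secret } });

  // Called for every outbound request leaving the agent's container.
  function handle(req: Req): Outcome {
    const rule = rules.find((r) =>
      r.method === req.method && r.host === req.host && req.path.startsWith(r.pathPrefix));
    const secret = vault.get(req.auth);
    // Assumption: default deny when no rule matches or the placeholder is unknown.
    if (!rule || secret === undefined) return { kind: "denied" };
    if (rule.action === "allow") return forward(req, secret);
    const id = nextId++;
    pending.set(id, req);
    // The prompt is built by the gateway from the held request, never from agent text.
    return { kind: "pending", id, prompt: `${req.method} https://${req.host}${req.path}` };
  }

  // Called by the approval channel, not the agent. Each id can be decided once.
  function decide(id: number, approved: boolean): Outcome {
    const req = pending.get(id);
    pending.delete(id);
    const secret = req ? vault.get(req.auth) : undefined;
    return req && approved && secret !== undefined ? forward(req, secret) : { kind: "denied" };
  }

  return { handle, decide };
}

// Constructed sample policy: reading mail is allowed, sending needs approval.
const gateway = makeGateway(
  [
    { method: "GET", host: "mail.example", pathPrefix: "/v1/messages", action: "allow" },
    { method: "POST", host: "mail.example", pathPrefix: "/v1/send", action: "approve" },
  ],
  new Map([["PLACEHOLDER_MAIL", "constructed-real-secret"]]),
);
```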
Product: bringing the ‘human’ into the loop
While security is the engine, Vercel’s Chat SDK is the dashboard. Integration with different messaging platforms is very difficult because each application (Slack, Teams, WhatsApp, Telegram) uses different APIs for interactive elements such as buttons and cards.
By leveraging Vercel’s unified SDK, NanoClaw can now deploy to 15 different channels from a single TypeScript codebase. When an agent wants to perform a protected action, the user receives a rich interactive card on their phone. "The approval appears as a rich native card within Slack, WhatsApp, or Teams, and the user taps once to approve or reject," Cohen said. This "perfect user experience" is what makes human supervision practical and not a productivity bottleneck.
The full list of 15 supported messaging apps/channels contains many preferred by enterprise knowledge workers, including:
- Slack
- WhatsApp
- Telegram
- Microsoft Teams
- Discord
- Google Chat
- iMessage
- Facebook Messenger
- Instagram
- X (Twitter)
- GitHub
- Linear
- Matrix
- Email
- Webex
NanoClaw Background
NanoClaw launched on January 31, 2026 as a minimalist, security-focused answer to the "security nightmare" inherent in complex, non-isolated agent frameworks.
Created by Cohen, a former Wix.com engineer, and marketed by his brother Lazer, CEO of the B2B technology PR firm Concrete Media, the project was designed to solve the auditability crisis found in competing platforms such as OpenClaw, which had grown to almost 400,000 lines of code.
By contrast, NanoClaw condensed its core logic into about 500 lines of TypeScript, a size that VentureBeat says allows the entire system to be audited by a human or secondary AI in about eight minutes.
The main technical defense of the platform is the use of isolation at the operating system level. Each agent is placed inside an isolated Linux container (using Apple containers for high performance on macOS or Docker for Linux) to ensure that the AI only interacts with directories explicitly mounted by the user.
As detailed in VentureBeat reports on the project’s infrastructure, this approach limits the "blast radius" of possible prompt injections strictly to the container and its specific communication channel.
In March 2026, NanoClaw further matured this security posture through an official partnership with software container company Docker to run agents inside "Docker sandboxes".
This integration uses MicroVM-based isolation to provide an enterprise-ready environment for agents that, by their nature, must mutate their environments by installing packages, modifying files, and starting processes—actions that typically break traditional assumptions of container immutability.
Operationally, NanoClaw rejects the traditional "feature rich" software model in favor of a "Skills over Features" philosophy. Instead of maintaining a bloated master branch with dozens of unused modules, the project encourages users to contribute "Skills", modular instructions that teach a local AI assistant how to transform and customize the code base for specific needs, such as adding support for Telegram or Gmail.
This methodology, as described on the NanoClaw website and in VentureBeat interviews, ensures that users only maintain the exact code required for their specific implementation.
Additionally, the framework natively supports "Agent swarms" through the Anthropic Agent SDK, allowing specialized agents to collaborate in parallel while maintaining isolated memory contexts for different business functions.
Licensing and open source strategy
NanoClaw remains firmly committed to the MIT open source license, encouraging users to fork the project and customize it to their own needs. This contrasts sharply with "monolithic" frameworks.
NanoClaw’s code base is remarkably simple, consisting of only 15 source files and approximately 3,900 lines of code, compared to hundreds of thousands of lines found in competitors such as OpenClaw.
The partnership also highlights the strength of the "open source avengers" coalition.
By combining NanoClaw (agent orchestration), Vercel Chat SDK (UI/UX), and OneCLI (security/secrets), the project demonstrates that open source modular tools can outperform proprietary labs in building the application layer for AI.
Community reactions
As shown on the NanoClaw website, the project has amassed over 27,400 stars on GitHub and maintains an active Discord community.
A central claim on the NanoClaw site is that the code base is small enough to understand in "8 minutes," a feature aimed at security-conscious users who want to audit their assistant.
In an interview, Cohen noted that iMessage support through Vercel’s Photon project addresses a common community hurdle: Previously, users often had to keep a separate Mac Mini to connect agents to an iMessage account.
The business perspective: should you adopt it?
For businesses, NanoClaw 2.0 represents a shift from speculative experimentation to secure operationalization.
Historically, IT departments have blocked the use of agents due to the "all or nothing" nature of access to credentials. By decoupling the agent from the secret, NanoClaw provides a middle ground that reflects existing corporate security protocols, specifically the principle of least privilege.
Companies should consider this framework if they require high auditability and have strict compliance needs regarding data exfiltration. According to Cohen, many companies have been unwilling to give agents access to calendars or emails for security reasons. This framework addresses that by ensuring that the agent structurally cannot act without permission.
Companies will specifically benefit in use cases that involve "high stakes" behavior. As illustrated in the OneCLI dashboard, a user can set a policy where an agent can freely read emails but must trigger a manual approval dialog to "delete" or "send" one.
Because NanoClaw runs as a single Node.js process with isolated containers, it allows enterprise security teams to verify that the gateway is the only path for outbound traffic. This architecture transforms AI from an unsupervised operator to a supervised junior employee, providing the productivity of autonomous agents without giving up executive control.
Ultimately, NanoClaw is recommended for organizations that want the productivity of autonomous agents without the "black box" risk of traditional LLM wrappers. It turns the AI from a potentially dishonest operator into a highly capable junior staff member who always asks for permission before hitting the "send" or "buy" button.
As native AI configurations become the standard, this partnership sets the blueprint for how trust will be managed in the era of the autonomous workforce.





