NanoClaw — The Question a 500-Line AI Agent Raises

Author: 오늘의 바이브

What It Means to Run an AI Agent on Your MacBook

Local AI agents are convenient, but they come with serious risk. You are handing over terminal access, which means one wrong move by the agent and your entire file system is exposed. Platforms like OpenClaw try to solve this with application-level security — allowlists, pairing codes, and the like. But when 52+ modules share memory inside a single Node.js process, it is hard to be confident about security boundaries without reading every line of code.

NanoClaw takes a different approach to this problem.

What Is NanoClaw

gavrielc/nanoclaw — a personal AI agent that connects the Claude Agent SDK to WhatsApp. The core logic is roughly 500 lines of TypeScript, and it runs agents in isolation using Apple Containers on macOS.

The architecture is straightforward:

WhatsApp (baileys) → SQLite → Polling Loop → Container (Claude Agent SDK) → Response

Four files. That is all:

  • src/index.ts — WhatsApp connection, message routing (~700 lines)
  • src/container-runner.ts — Container creation and agent execution
  • src/task-scheduler.ts — Recurring task scheduler (cron, interval, once)
  • src/db.ts — SQLite persistence

Security: OS-Level, Not App-Level

The core of NanoClaw is Apple Container. Introduced in macOS Tahoe, this technology runs lightweight Linux VMs on Apple Silicon. This is not Docker's namespace isolation — it is actual hypervisor-backed VM isolation.

A fresh container spins up every time the agent runs. Each container only has the relevant group's workspace folder mounted; everything else is inaccessible. Even if the agent gains root inside the container, it cannot reach anything on the host file system beyond that mount. The hypervisor blocks it.

On top of that, a mount allowlist (~/.config/nanoclaw/mount-allowlist.json) explicitly blocks sensitive directories like .ssh, .gnupg, and .aws. Non-main groups get read-only access.
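
The mount rules described above can be expressed as a small host-side check. This is an added example, not NanoClaw's own code: the allowlist shape (allowedRoots, blockedNames) and the names normalizeAbs and checkMount are assumptions, and the real mount-allowlist.json schema may differ.

```typescript
// Added example, not NanoClaw's code. The allowlist shape is an assumption;
// the real mount-allowlist.json schema may differ.
interface MountAllowlist {
  allowedRoots: string[]; // absolute host directories that may be mounted
  blockedNames: string[]; // path components that must never be mounted
}
interface MountDecision { allowed: boolean; readOnly: boolean; reason: string; }

// Collapse ".", ".." and repeated slashes. This is purely lexical: a real
// check should also resolve symlinks (e.g. fs.realpathSync) before comparing.
function normalizeAbs(p: string): string | null {
  if (p.charAt(0) !== "/") return null; // relative paths are rejected
  const out: string[] = [];
  for (const part of p.split("/")) {
    if (part === "" || part === ".") continue;
    if (part === "..") out.pop(); else out.push(part);
  }
  return "/" + out.join("/");
}

function checkMount(hostPath: string, wantsWrite: boolean, isMainGroup: boolean,
                    list: MountAllowlist): MountDecision {
  const deny = (reason: string): MountDecision => ({ allowed: false, readOnly: true, reason });
  const resolved = normalizeAbs(hostPath);
  if (resolved === null) return deny("path is not absolute");

  // Blocked names apply to every component, so nested copies are caught too.
  const hit = resolved.split("/").filter((c) => list.blockedNames.indexOf(c) !== -1)[0];
  if (hit !== undefined) return deny("blocked component: " + hit);

  // Compare on a component boundary so /a/projects-old does not match /a/projects.
  const underRoot = list.allowedRoots.some((root) => {
    const r = normalizeAbs(root);
    return r !== null && (resolved === r || resolved.indexOf(r + "/") === 0);
  });
  if (!underRoot) return deny("outside allowed roots");

  // Non-main groups are forced read-only whatever they asked for.
  return { allowed: true, readOnly: isMainGroup ? !wantsWrite : true, reason: "ok" };
}

// Constructed sample allowlist and requests.
const SAMPLE_LIST: MountAllowlist = {
  allowedRoots: ["/Users/alice/projects"],
  blockedNames: [".ssh", ".gnupg", ".aws"],
};
console.log(checkMount("/Users/alice/projects/../.ssh", false, true, SAMPLE_LIST));
console.log(checkMount("/Users/alice/projects/notes", true, false, SAMPLE_LIST));
```

The check runs on the host before the container is created, so a request that escapes the allowed root with ".." or uses a look-alike sibling directory is refused before any mount exists.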

Compared to OpenClaw

|  | OpenClaw | NanoClaw |
| --- | --- | --- |
| Codebase | 52+ modules, tens of thousands of lines | ~500 lines of core logic |
| Execution | Single Node.js process, shared memory | Isolated container per agent (Apple Container) |
| Channels | Telegram, Discord, Slack, etc. (15+) | WhatsApp only |
| Models | Multiple providers (Gemini, Claude, etc.) | Claude Agent SDK only |
| Security | Allowlist, app-level permission management | OS-level VM isolation |
| Extension | Plugin system | Skill files (fork and modify) |
| Configuration | JSON config files | Edit the code directly |
| Target | Multi-channel, multi-user | Personal, single channel |

OpenClaw wins on versatility by a wide margin. Multiple channels, multiple models, plugin extensibility. NanoClaw deliberately sacrifices versatility to focus on security and simplicity.

The Skill System: Contributing Transformations, Not Features

NanoClaw has an unusual extension model. Instead of merging features via PRs, contributors submit Claude Code Skill files. Say you want to add Telegram support — you create .claude/skills/add-telegram/SKILL.md, and when a user runs /add-telegram in their fork, Claude Code transforms the code directly.

This way the main codebase always stays at 500 lines. Only each user's fork diverges as needed.

Tech Stack

| Layer | Technology | Purpose |
| --- | --- | --- |
| Runtime | Node.js 20+ | Host process |
| Container | Apple Container / Docker | Agent isolation |
| Messaging | @whiskeysockets/baileys | WhatsApp connection |
| DB | better-sqlite3 | Messages, schedules, logs |
| AI | Claude Agent SDK | Agent execution |
| Validation | zod | Runtime type checking |

Limitations

Let's be honest — NanoClaw has significant constraints.

  • WhatsApp only. If you want Telegram or Discord, you need to fork and modify the code yourself.
  • macOS only. Apple Container requires macOS Tahoe + Apple Silicon. (There is a Docker fallback.)
  • Claude only. If you want Gemini or GPT, this is not an option.
  • No multi-user support. It is strictly personal.

When to Choose NanoClaw

  • You are concerned about an AI agent having file system access
  • You want to run an agent only after reading and understanding the entire codebase
  • WhatsApp is your primary messenger, you use Claude, and you are on a Mac
  • You prefer editing code directly over tweaking config files

On the flip side, if you need multiple channels, want to use models like Gemini, or need to run things at team scale, OpenClaw is the right call.

The Question 500 Lines Raises

What NanoClaw proves is not so much that "500 lines is enough" — it is more the question of "why have our agents gotten this complicated?" As AI agent frameworks keep growing in size and complexity, an approach that delivers OS-level security with minimal code is a direction worth thinking about.

GitHub: gavrielc/nanoclaw