NanoClaw's Security Model for AI Agents: Container Isolation and Minimal Code

NanoClaw's Security Architecture for Untrusted AI Agents
The NanoClaw blog argues that AI agents should be treated as untrusted and potentially malicious, advocating for architectural containment rather than application-level permission checks. The system is built on the principle that agents will misbehave and focuses on limiting damage when they do.
Container Isolation as Core Security
NanoClaw runs each agent in its own container using Docker or Apple Container on macOS. These containers are ephemeral - created fresh per invocation and destroyed afterward. Agents run as unprivileged users and can only access directories explicitly mounted in. This contrasts with OpenClaw's default approach where agents run directly on the host machine with an opt-in Docker sandbox mode that most users never enable.
The container boundary provides hermetic security enforced by the OS, preventing agents from escaping regardless of configuration. Each agent gets its own container, filesystem, and Claude session history, preventing information leakage between agents that are supposed to access different data.
Mount Allowlist and Default Protections
A mount allowlist at ~/.config/nanoclaw/mount-allowlist.json acts as defense-in-depth, preventing users from accidentally mounting sensitive paths. Sensitive directories like .ssh, .gnupg, .aws, .env, private_key, and credentials are blocked by default. The allowlist lives outside the project directory so compromised agents can't modify their own permissions.
Host application code is mounted read-only, ensuring nothing an agent does can persist after container destruction. Non-main groups are untrusted by default, preventing cross-group messaging, task scheduling, or data viewing to protect against prompt injection from group members.
Minimal, Reviewable Codebase
NanoClaw maintains a deliberately minimal codebase of one process and a handful of files, contrasting with OpenClaw's approximately 400,000 lines of code, 53 config files, and over 70 dependencies. The system relies heavily on Anthropic's Agent SDK for session management, memory compaction, and other functionality instead of reinventing components.
This design allows a competent developer to review the entire codebase in an afternoon. Contribution guidelines accept only bug fixes, security fixes, and simplifications. New functionality comes through skills - instructions with full working reference implementations that coding agents merge into codebases after review.
Each installation ends up as a few thousand lines of code tailored to the owner's specific needs, avoiding the complexity where vulnerabilities typically hide.
📖 Read the full source: HN LLM Tools
👀 See Also

OpenClaw's External Content Wrapper for Prompt Injection Defense
OpenClaw uses an external content wrapper that automatically tags web search results, API responses, and similar content with warnings that it's untrusted, priming the LLM to be skeptical and more likely to refuse malicious instructions.

Fake Claude Code site served trojan — detected by Windows Defender as Trojan:Win32/Kepavll!rfn
A typosquatting or ad-based site mimicking the official Claude Code website delivered a trojan detected as Trojan:Win32/Kepavll!rfn by Windows Defender. Reddit user warns others to verify URLs before running PowerShell install commands.

LLM-Assisted Exploit: Anthropic's Mythos Preview Helped Build First Public macOS Kernel Exploit on Apple M5 in Five Days
Using Anthropic's Mythos Preview, security firm Calif built the first public macOS kernel memory corruption exploit on Apple's M5 silicon in five days—breaking MIE hardware security that took Apple five years to develop.

U of T Researchers Demonstrate AI Worm Powerable by Free Open-Weight Models
Researchers at the University of Toronto demonstrated the first AI-powered worm that adapts its spreading strategy using publicly accessible open-weight models, targeting any online device.