Interview Ideally, you shouldn’t have to defend yourself against your own AI agent. But we don’t live in an ideal world and an unrestrained agent can cause a ton of damage.
OpenClaw, an open source agent platform, made that obvious as its popularity surged over the past month and security incidents followed.
Consider the case of Summer Yue, director of alignment at Meta Superintelligence Labs, who posted last week about OpenClaw running amok and deleting her inbox. Incidents like that make it clear that an agent handed broad access cannot simply be trusted to stay within bounds.
Gavriel Cohen, a software engineer based in Israel, hopes to change that with a more secure, more constrained agent platform called NanoClaw.
He started coding it at the end of January with the help of Anthropic’s Claude Code. And a few weeks later, Andrej Karpathy, an influential AI researcher, took notice amid his musing about how OpenClaw and other “claws” have become the orchestration layer for agents – LLMs given access to other software tools for task automation.
“… NanoClaw looks really interesting in that the core engine is ~4000 lines of code (fits into both my head and that of AI agents, so it feels manageable, auditable, flexible, etc.) and runs everything in containers by default,” Karpathy wrote in a social media post about a week ago. “I also love their approach to configurability – it’s not done via config files, it’s done via skills!”
Cohen in an interview with The Register said that NanoClaw’s use of containers and its small codebase are what set the project apart from OpenClaw.
“They’re running bare metal with some application level checks to try to prevent it from accessing things it shouldn’t access,” he explained. “NanoClaw, each agent runs in its own container. And that’s really important. If you take the whole instance of OpenClaw and put it in a container, that doesn’t really help you because you’ve connected it to so many different things that are all in that container with the agent.
“With NanoClaw, the agent is running in a container where inside that container it’s just the agentic loop. It’s just the [Anthropic] Agent SDK. And if you’re connecting it to your WhatsApp, that agent doesn’t see all of your WhatsApp data. It only has the group that that specific agent has been connected to and the messages from the group that it should be seeing.”
With regard to the difference in codebase size between OpenClaw and NanoClaw, Cohen said that it’s unlikely that anyone has reviewed the 400,000 lines of code in OpenClaw, which undermines one of the assumptions about open source – that the community will catch and fix bugs.
NanoClaw, he said, consists of a few thousand lines of code.
“Anybody could review it, understand it, ask Claude a few questions if you need and get the sense of what’s the security model, what’s the architecture, how does it work, what are the sensitive points that I need to be careful when I’m touching,” he said.
Cohen said security concerns about OpenClaw led him to look for a better approach. A few months ago, he explained, he and his brother Lazer were building an AI-focused digital marketing agency. He had set up a way for other people on the marketing team to access sales pipeline data from WhatsApp using Clawdbot (as the project was called before it became OpenClaw), which surfaced Obsidian vault data and Kanban scheduling details.
“In the beginning, it was OpenClaw as our chief of staff of sales,” Cohen explained. “It manages the sales pipeline. So we give it updates and it gives us tasks and we ask it to remind us and it reminds us. And it asks for status updates on deals.”
Cohen said the agent went from asking questions to doing work and really filling the role of a sales chief.
“The issue was, as soon as I set it up, I started to see massive security issues with OpenClaw,” he explained. “I mean I just saw issue after issue after issue and we were getting a ton of value from it, but it’s burning a hole in my subconscious, in the back of my head, knowing I have it running on my machine.”
He had OpenClaw running on a separate Mac mini, but the browser it used was signed into his Chrome profile and logged into his social media accounts.
“It’s a dedicated machine, but it was like literally keeping me up at night,” he said. “But at the same time, I have this conflict because I’m like, I wanna set up eight more of these agents to do other things with other jobs and other titles.”
About three weeks ago, when the OpenClaw machine network known as Moltbook began attracting broad attention, he said he realized he didn’t need the entire OpenClaw setup.
“All I need is agents that run in containers with isolation so that all the different groups with their different agents aren’t all in the same environment,” he said. “So I can give it full bash access, and it can install tools and run them and let it go wild, but only within the container and each one only accessing the data I wanted it to access.
“And I don’t need three thousand integrations. I only need like three things.”
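The two isolation boundaries Cohen describes above (each agent in its own container that sees only its own directory, and a chat integration that forwards an agent only the messages of the group it is bound to) can be sketched in code. The following is an added example written for this article, not NanoClaw's own code; the container runtime flags, the host path layout, the field names and the sample messages are all assumptions made for the illustration.

```python
"""Per-agent isolation sketch (added example; not NanoClaw code).

Two boundaries from the interview:
  1. each agent runs in its own container whose filesystem view is limited
     to that agent's own state directory;
  2. the chat integration forwards an agent only the messages of the one
     group that agent is bound to; unbound groups reach no agent at all.
Docker flags, paths, field names and sample messages are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

AGENT_ROOT = "/srv/agents"   # assumed host path; one subdirectory per agent


@dataclass(frozen=True)
class Message:
    group: str
    sender: str
    text: str


@dataclass
class ContainerSpec:
    name: str
    image: str
    mounts: List[Tuple[str, str, str]]   # (host_path, container_path, mode)
    read_only_root: bool = True
    drop_all_caps: bool = True
    network: str = "bridge"              # assumed: egress only, never --network host

    def docker_args(self) -> List[str]:
        """Render the spec as a docker run command line (assumed flags)."""
        args = ["docker", "run", "--rm", "--name", self.name]
        if self.read_only_root:
            args.append("--read-only")
        if self.drop_all_caps:
            args += ["--cap-drop", "ALL", "--security-opt", "no-new-privileges"]
        args += ["--network", self.network]
        for host, inside, mode in self.mounts:
            args += ["-v", f"{host}:{inside}:{mode}"]
        args.append(self.image)
        return args


def spec_for_agent(agent: str, image: str = "nanoclaw-agent:example") -> ContainerSpec:
    """One container per agent; only that agent's directory is mounted."""
    if not agent or "/" in agent or agent in (".", ".."):
        raise ValueError(f"bad agent name: {agent!r}")
    return ContainerSpec(
        name=f"agent-{agent}",
        image=image,
        mounts=[(f"{AGENT_ROOT}/{agent}", "/workspace", "rw")],
    )


def monolithic_spec(agents: List[str]) -> ContainerSpec:
    """The anti-pattern from the interview: one container holding every agent's data."""
    return ContainerSpec(
        name="all-agents",
        image="nanoclaw-agent:example",
        mounts=[(f"{AGENT_ROOT}/{a}", f"/workspace/{a}", "rw") for a in agents],
    )


def mounts_confined(spec: ContainerSpec, agent: str) -> bool:
    """True only if every bind mount stays inside this agent's own directory."""
    allowed = f"{AGENT_ROOT}/{agent}"
    return all(h == allowed or h.startswith(allowed + "/") for h, _, _ in spec.mounts)


class GroupRouter:
    """Bind chat groups to agents and deliver each message to exactly one inbox."""

    def __init__(self, bindings: Dict[str, str]):
        self.bindings = dict(bindings)                      # group id -> agent name
        self.inboxes: Dict[str, List[Message]] = {a: [] for a in set(bindings.values())}
        self.dropped: List[Message] = []

    def deliver(self, msg: Message) -> Optional[str]:
        agent = self.bindings.get(msg.group)
        if agent is None:
            self.dropped.append(msg)   # group bound to no agent: nobody sees it
            return None
        self.inboxes[agent].append(msg)
        return agent


def run_demo():
    """Route a few constructed messages and build the per-agent container specs."""
    router = GroupRouter({"sales-pipeline": "sales", "ops-oncall": "ops"})
    sample = [                                              # constructed messages
        Message("sales-pipeline", "gavriel", "Acme deal moved to proposal"),
        Message("ops-oncall", "lazer", "disk alert on build box"),
        Message("family-chat", "mom", "dinner sunday?"),   # no agent is bound here
    ]
    for m in sample:
        router.deliver(m)
    specs = {a: spec_for_agent(a) for a in router.inboxes}
    return router, specs


if __name__ == "__main__":
    router, specs = run_demo()
    for agent, spec in specs.items():
        print(agent, [m.text for m in router.inboxes[agent]], " ".join(spec.docker_args()))
```

The `mounts_confined` check is the part worth keeping around: it is what distinguishes "each agent in its own container" from "the whole platform in one container", which, as Cohen notes, leaves every integration's data reachable from inside the same sandbox.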
Rather than building NanoClaw on the Pi coding agent that’s the basis for OpenClaw, he chose to build around Claude Code because that’s his preferred AI coding tool.
“So I sat down and I built it and it took me a weekend to build what’s needed around Claude Code, but it very heavily uses Claude Code’s capabilities and is not trying to reinvent the wheel and build things that already exist,” Cohen said.
If that sounds a bit like vibe coding, well, that’s fair to say. But it’s worth noting that since around November 2025, with the release of Anthropic’s Claude Opus 4.5 and Google’s Gemini 3, and the subsequent release of OpenAI’s GPT-5.2 in December 2025, many developers have noticed that the code produced by AI models has gotten quite good.
Vibe coding in other words is starting to look like just coding, without the pejorative adjective attached. A year after coining the term “vibe coding,” Karpathy this week described a sea change in the developer community.
“It is hard to communicate how much programming has changed due to AI in the last two months: not gradually and over time in the ‘progress as usual’ way, but specifically this last December,” he said. “There are a number of asterisks but [in my opinion] coding agents basically didn’t work before December and basically work since – the models have significantly higher quality, long-term coherence and tenacity and they can power through large and long tasks, well past enough that it is extremely disruptive to the default programming workflow.”
We asked Cohen how he would quantify the business value of his AI sales chief, citing the concern that many companies have about the potential for damage from unruly software agents.
“What we saw when we connected it to our sales pipeline was that it was doing the work of an employee,” he said. “And doing it better than an employee would. I think a lot of people have made this point, but the comparison isn’t one hundred percent accuracy – that’s not what we’re weighing it against. When you work with a colleague, a teammate, an employee, they don’t get everything right. Things fall through the cracks as well.”
That’s the level of reliability, Cohen said, that he’s seen from leading commercial AI models like Opus 4.6 or GPT-5.3 when paired with a good “harness” or wrapper (e.g. Claude Code or Codex) that gives the model access to tools and allows it to function as an agent.
NanoClaw builds on work that Anthropic has done with its Agent SDK, and Cohen said it benefits a lot from the kinds of optimizations the company put in place.
And with NanoClaw’s sudden popularity, Cohen said that he and his brother have shifted their focus from AI marketing to building the NanoClaw platform.
“I think that what we’re building can be the orchestration layer that a lot of people are talking about that you need on top of agents,” he said. “That right kind of abstraction nudges people towards using pre-built solid pieces instead of trying to build their own agents. I think it can unlock a lot of value for a lot of businesses, including enterprises that are extremely security conscious.”
Cohen added that he hopes the open source community continues to help with NanoClaw. “The project is open source,” he said. “It’s going to stay open source. We’re going to keep developing it and building it and making it a great foundation that people can build products and businesses on top of.” ®