NanoClaw is betting that software-based agent security is a fantasy. On March 13, the open-source agent runtime announced a partnership with Docker to run agent workloads inside Docker Sandboxes — lightweight micro VMs that wrap each agent in two distinct layers of hardware-enforced isolation. The project has 22,800 GitHub stars.

Written by Gavriel Cohen, the <a href="/news/2026-03-14-nanoclaw-docker-partnership-six-weeks-after-open-source-launch">announcement</a> details how each NanoClaw agent runs in its own container with its own filesystem, memory, and tool access, nested inside a hypervisor-level VM boundary. The practical implication: even if an agent escapes its container, it still cannot reach the host machine, user credentials, or other applications. The integration launches with a single shell command on macOS (Apple Silicon) and Windows via WSL, with Linux support coming in the weeks ahead.

Cohen calls the underlying philosophy "design for distrust" — treating AI agents as inherently untrusted and potentially malicious by default. The post draws a pointed contrast with competitor OpenClaw, which runs agents directly on the host machine with all agents sharing a common environment even in its opt-in sandbox mode. NanoClaw's argument is that security enforced at the OS and hypervisor level is categorically different from security that depends on model instructions — a distinction the blog frames as the difference between genuine containment and security theater. Cohen's earlier essay, "Don't Trust AI Agents," is cited as the philosophical foundation.

The roadmap extends well beyond sandboxing. NanoClaw plans controlled cross-team context sharing, letting agent teams pass information selectively across boundaries rather than offering all-or-nothing access. Other planned capabilities include persistent agent identity and lifecycle management — agents that survive between sessions and accumulate expertise over time — fine-grained per-tool permissions (read-but-not-send access to email, for instance), and human approval flows for irreversible actions. Cohen invokes Anthropic CEO Dario Amodei's "country of geniuses in a data center" framing to situate the work within the infrastructure challenge of running agents at enterprise scale.

Hacker News commentary added useful grounding. Commenter jryio noted that sandboxing alone does not address permission escalation or data exfiltration — scenarios like prompt injection leading to unauthorized data leaks, or destructive actions within the agent's permitted scope. The per-tool permissions and human approval gates on NanoClaw's roadmap address exactly that gap: hard VM boundaries solve the containment problem but say nothing about what a contained agent is authorized to do. Other commenters praised NanoClaw's lean implementation and its <a href="/news/2026-03-15-axe-go-binary-toml-llm-agents-unix-pipes">'skills'-based fork-and-customize design pattern</a>, a model Andrej Karpathy has also flagged as a meaningful direction for agent architecture.
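To make the containment-versus-authorization distinction concrete, here is an added Python example (not NanoClaw's or Docker's code): a hypothetical per-tool gate, running inside the sandbox, that gives an agent read-but-not-send email access and routes irreversible operations through a human approval hook while logging every decision. The tool names, policy, inbox and approver are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable

# Constructed example: an authorization gate that sits inside the sandbox.
# The VM/container decides what the agent can reach; this gate decides what
# the agent may do with the tools it can reach, and logs every decision.

@dataclass
class ToolPolicy:
    allowed: set[str] = field(default_factory=set)         # runs immediately
    needs_approval: set[str] = field(default_factory=set)  # human confirms

    def decide(self, op: str) -> str:
        if op in self.allowed:
            return "allow"
        if op in self.needs_approval:
            return "approve"
        return "deny"  # default-deny: unlisted operations never run

class ToolGate:
    def __init__(self, policy: ToolPolicy, approver: Callable[[str, dict], bool]):
        self.policy = policy
        self.approver = approver  # hypothetical human-in-the-loop hook
        self.audit: list[tuple[str, str, bool]] = []  # (op, decision, executed)

    def call(self, op: str, args: dict, run: Callable[..., object]) -> object:
        decision = self.policy.decide(op)
        if decision == "approve" and not self.approver(op, args):
            decision = "rejected"
        if decision in ("deny", "rejected"):
            self.audit.append((op, decision, False))
            raise PermissionError(f"{op}: {decision}")
        self.audit.append((op, decision, True))
        return run(**args)

# Read-but-not-send email, as on the roadmap; sending is irreversible.
EMAIL_POLICY = ToolPolicy(allowed={"email.read"}, needs_approval={"email.send"})
INBOX = {"1": "quarterly numbers (internal)"}  # constructed stand-in for a mail tool

def demo(approver: Callable[[str, dict], bool]) -> list[tuple[str, str, bool]]:
    # Agent reads mail (allowed), then tries to send (gated) and delete (denied).
    gate = ToolGate(EMAIL_POLICY, approver)
    gate.call("email.read", {"msg_id": "1"}, lambda msg_id: INBOX[msg_id])
    for op, args in [("email.send", {"to": "ops@example.com"}),
                     ("email.delete", {"msg_id": "1"})]:
        try:
            gate.call(op, args, lambda **kw: "done")
        except PermissionError:
            pass
    return gate.audit
```

Running `demo` with an approver that always declines shows the read succeeding, the send rejected by the human, and the delete denied by default, which is the gap sandboxing alone leaves open.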