Just fucking use NanoClaw

Or keep drowning in half a million lines of agent framework you'll never understand. Your call.


You played yourself

You wanted a personal AI agent. Something that talks to you on WhatsApp, remembers your shit, runs tasks on a schedule, and doesn't go rogue because some intern forgot a permission check.

So what did you do? You cloned some massive open-source agent framework with 434,453 lines of code, 53 config files, 70+ dependencies, and a setup process that requires a PhD in YAML archaeology. You spent two weeks just understanding the folder structure. You still don't know what half the services do.

Congratulations. You played yourself.


15 files. That's the whole thing.

Not 15 modules with 50 files each. Fifteen. Files. Total. You can read the whole codebase during one standup meeting.

| | NanoClaw | The Other Thing |
|---|---|---|
| Source files | 15 | 3,680 |
| Lines of code | ~3,900 | 434,453 |
| Dependencies | <10 | 70+ |
| Config files | 0 | 53 |
| Time to understand | 8 minutes | 1–2 weeks |
| Security model | OS containers | Permission checks & prayers |

That's not a tradeoff. That's a rescue operation.


Containers, motherfucker. Do you isolate it?

Most agent frameworks "sandbox" your AI with application-level permission checks. One missed edge case and your agent is reading your SSH keys, emailing your ex, and rewriting your .bashrc to alias rm to rm -rf /.

NanoClaw runs every agent group in a real OS-level container. Docker on Linux. Apple Container on macOS. Each group gets its own filesystem, its own IPC namespace, its own Claude session. The agent can only touch what you explicitly mount.

That's not a policy. That's physics.
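
What "only what you explicitly mount" looks like when a launcher builds the container command, as an added sketch (not NanoClaw's own code). The function name, the per-group host directory layout and the rule that every bind source must resolve inside that directory are assumptions made for the example.

```python
from pathlib import Path

def build_run_argv(group, image, mounts, groups_root):
    """Build a `docker run` argv for one agent group from explicit mounts only.

    mounts: list of (host_path, container_path, read_only) tuples.
    Assumption: each group owns the host directory groups_root/<group>, and
    every bind source must resolve inside it.
    """
    if Path(group).name != group or group in ("", ".", ".."):
        raise ValueError(f"bad group name: {group!r}")
    group_dir = (Path(groups_root) / group).resolve()
    argv = ["docker", "run", "--rm", "--name", f"agent-{group}",
            "--ipc=private"]                  # IPC namespace not shared with others
    for host_path, container_path, read_only in mounts:
        real = Path(host_path).resolve()      # follow symlinks before checking
        if real != group_dir and group_dir not in real.parents:
            raise ValueError(f"{host_path} resolves outside {group_dir}")
        spec = f"type=bind,source={real},target={container_path}"
        if read_only:
            spec += ",readonly"
        argv += ["--mount", spec]             # nothing else from the host is visible
    return argv + [image]
```

The symlink case is the one a string-prefix check misses: a link inside the group directory that points at a home directory passes a prefix test and fails this one.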


Your agent doesn't get to hold the fucking keys

You know what everybody does? They dump their Gmail API key in an .env file, hand it to an agent, and pray. The agent fetches the key once, and from that moment on it's sitting in the context window like a loaded gun. One prompt injection and your credentials are gone.

You know what happened to a director of AI alignment at Meta? She told her agent "confirm before acting." The agent speedran deleting her entire inbox anyway. She couldn't stop it from her phone. She had to physically run to her computer to kill the process.

That's not a hypothetical. That's a real person, with a real job title that literally includes the word "alignment," getting fucked by an agent with no guardrails.

NanoClaw now ships with OneCLI's Agent Vault as the default credential layer. Here's the deal: your agent never sees a single API key. Ever. The vault sits between the agent and every external service it calls. It proxies the request, injects the real credential on the way out, and the agent doesn't even know what the key looks like.

But the part that actually matters is policies. Each agent group gets its own vault identity. Your sales agent and your support agent don't share shit. And you can rate-limit any service call:

"No, you may not nuke my inbox"
$ onecli rules create \
    --name "Gmail rate limit" \
    --host-pattern "gmail.googleapis.com" \
    --action rate_limit \
    --rate-limit 3 \
    --rate-window 1h

Three deletions per hour. That's it. If that Meta incident had this rule, the damage would've been three emails instead of an entire career's worth of inbox. The difference between "huh, that's annoying" and a viral horror story.
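
The vault pattern described above (the agent sends a credential-free request, the proxy injects the secret and enforces a per-group budget), as an added toy model that is not OneCLI's code. The class, its method names, the status codes and the `Bearer` header scheme are assumptions; in this model the limit is counted per group identity and per matching host pattern.

```python
import time
from collections import defaultdict, deque
from fnmatch import fnmatch

class VaultProxy:
    """Toy model of a credential-injecting egress proxy (not OneCLI's code)."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock                # injectable so the window is testable
        self._secrets = {}                 # (group identity, host) -> credential
        self._rules = []                   # (host_pattern, limit, window_seconds)
        self._hits = defaultdict(deque)    # (identity, pattern) -> call timestamps

    def store_secret(self, identity, host, credential):
        self._secrets[(identity, host)] = credential

    def add_rate_limit(self, host_pattern, limit, window_seconds):
        self._rules.append((host_pattern, limit, window_seconds))

    def forward(self, identity, request):
        """Return (status, outbound). Only status goes back to the agent;
        outbound is what the proxy would send upstream (returned for inspection)."""
        host = request["host"]
        headers = request.get("headers", {})
        if any(name.lower() == "authorization" for name in headers):
            return 400, None               # agents never supply credentials
        credential = self._secrets.get((identity, host))
        if credential is None:
            return 403, None               # no grant for this group on this host
        now = self._clock()
        matched = []
        for pattern, limit, window in self._rules:
            if fnmatch(host, pattern):
                hits = self._hits[(identity, pattern)]
                while hits and now - hits[0] >= window:
                    hits.popleft()         # expire calls that left the window
                if len(hits) >= limit:
                    return 429, None       # over budget: nothing leaves the proxy
                matched.append(hits)
        for hits in matched:
            hits.append(now)               # count the call only once it is allowed
        outbound = dict(request, headers={**headers,
                                          "Authorization": f"Bearer {credential}"})
        return 200, outbound
```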

Time-bound access, human-in-the-loop approvals, and per-action permissions are coming. Container isolation keeps the agent from touching your system. The vault keeps it from going rogue on your services.

Two layers of "absolutely fucking not." That's the architecture.


Three commands. Not three hundred.

Terminal
$ gh repo fork qwibitai/nanoclaw --clone
$ cd nanoclaw
$ claude
# then type /setup — Claude does the rest

/setup doesn't hand you a fucking questionnaire. It reads your machine — detects your git config, finds your fork's upstream remote, figures out your container runtime, checks your OS. Then it just handles it.

Dependencies. Auth. Container config. Vault setup. Service initialization. All of it. No YAML. No Terraform. No Docker Compose file that looks like it was written by a committee of angry sysadmins.

You literally talk to your setup process. It's Claude Code underneath, which means you're not running some janky install script — you're having a conversation with the most capable coding agent on the planet, and it's configuring your shit for you.

Built on the Claude Agent SDK. Ships with Claude Code as the default. But if you want to point it at a different model — Ollama, Together AI, whatever — set two env vars and you're done. Best harness in the game, your choice of brain.


Everything you need. Nothing you don't.

💬

Every messaging app

WhatsApp, Telegram, Discord, Slack, Gmail. Run one or all simultaneously. Add more with a single slash command.

🔒

Real container isolation

Docker or Apple Container. Each group gets its own filesystem and IPC namespace. Not a policy — physics.

🧠

Memory you can read

Each group gets a CLAUDE.md file. It's markdown. You can cat it, edit it, understand it. No opaque vector databases.

🐝

Agent swarms

Teams of specialized agents that collaborate on complex tasks. Built in, not bolted on.

Scheduled tasks

Cron, interval, one-shot. Morning briefings, weekly reviews. All in one file you can read in 90 seconds.

🧩

Skills, not features

Modular functionality via slash commands. The core stays small. Everything else is a skill you opt into.

🔐

Agent Vault

Agents never see raw API keys. OneCLI proxies every request with rate limits, policies, and per-group credential isolation.

🌐

Web access

Search, fetch, browse. Your agent can reach the internet when it needs to, contained when it doesn't.

Zero config files

Change behavior in plain English or modify the code directly. 3,900 lines — you can hold it all in your head.

🤖

Claude-native, model-flexible

Built on Claude Agent SDK and Claude Code. Swap to any compatible endpoint with two env vars. Best harness, your choice of model.


The real problem isn't the framework

If you need enterprise SSO, role-based access control, and a Kubernetes operator — NanoClaw isn't for you. Go use the big thing. Bring snacks for the config file reading party.

But if you want a personal AI agent that you actually own, actually understand, and can actually trust — one that runs on your machine, in real containers, with a codebase you can audit in a single sitting?

Just fucking use NanoClaw.


Stop overthinking it.

3,900 lines. 15 files. Real containers. Your agent.