NanoClaw already separates each agent into its own Docker container. OneCLI’s Agent Vault gives you detailed control over what and how those agents can access.
How integration works
NanoClaw previously ran its own credential proxy in which every secret was kept in memory. we replaced it with @onecli-sh/sdk. When NanoClaw rotates a container, it calls applyContainerConfig() To route outbound HTTPS traffic through a OneCLI gateway, which injects the actual credentials:
import { OneCLI } from '@onecli-sh/sdk';
const onecli = new OneCLI({ url: ONECLI_URL });
// Configure container to route through the gateway
await onecli.applyContainerConfig(containerArgs, {
agent: agentIdentifier, // per-agent credential policies
});Each NanoClaw agent group gets its own OneCLI agent identity, so your sales agents and support agents can have different credentialing policies. Register your credentials once onecli secrets create And the gateway matches outbound requests by host and path.
Why does it matter?
OpenClaw proved that people will hand over the keys to their emails, their calendars, their code repos, their databases, to get the value of an agent doing real work on their behalf. Millions of people have done exactly that, and most of the time it works well. But when that doesn’t happen, the consequences are real.
A director of AI alignment at Meta gave OpenClaw access to his email and explicitly told him not to take any action without his approval. The agent started deleting emails en masse anyway. She couldn’t stop it from her phone and had to go to her computer to end the process.
This story happens when agents operate without boundaries. The value of agents comes from giving them access to real systems and real data. An agent that can’t touch anything is just a chatbot. But an agent who can touch everything with no policy, no rate limit, no approval flow is a liability. The question is how can you get claw unlocked without risk.
beyond mystery management
Most people using agents today either hardcode API keys into environment variables or pull them from a secrets manager. Secret managers like HashiCorp Vault or AWS Secrets Manager solve storage, but they don’t solve what happens when the agent actually uses the credentials. The agent fetches the key, and from that point the key is in the agent’s environment, its context can be extracted through prompt injection. The safe secretly protected the secret, but once the agent had the secret, the safe was out of the picture.
Agent Vault sits between the agent and the services it calls. Your credentials are still where you keep them. But instead of handing the raw key to the agent, Vault proxies the request, matches the host and path, injects the real credentials, and forwards it. The agent never sees the key. Never keeps it. Never log it.
Policies, not just proxying
If Agent Vault simply swapped keys, it would be useful but limited. The more important part is the policy layer on top.
You can set rate limits so that an agent can only send or delete a certain number of emails per hour:
# Rate-limit Gmail API calls to 3 per hour
onecli rules create \
--name "Gmail rate limit" \
--host-pattern "gmail.googleapis.com" \
--action rate_limit \
--rate-limit 3 \
--rate-window 1hTimed access, human-in-the-loop approval, and more advanced policy controls are coming soon. Back to the meta incident: If there was a rate limit of three emails deleted per hour, the loss would be three emails, not the entire inbox. The agent would have crossed the line, the user would have been notified, and it would have been a minor annoyance rather than a cautionary tale seen by millions.
For teams and organizations, these policies can work at two levels: an organization sets the outer limits of what’s possible, and individual users are allowed within that framework. But even for a single user running NanoClaw on their own machine, the ability to say “you can access my email but you can only delete three messages per hour” changes the calculus of what you’re comfortable letting an agent do.
whole lot
Nanoclaw solves runtime isolation. Each agent runs in its own container with its own file system, its own process space, and no ambient access to the host. OneCLI’s Agent Vault solves credential isolation and policy enforcement. Together, the agent operates within boundaries that are visible, audible, and enforceable.
Both projects are open source. NanoClaw is at github.com/qwibitai/nanoclaw and OneCLI is at github.com/onecli/onecli.
<a href