Over the past year, early adopters of autonomous AI agents have been forced to play an ambiguous game of chance: Put the agent in a faceless sandbox or give it the keys to the kingdom and hope it doesn’t cause a catastrophic disaster. "delete all" Permission.
To unlock an agent’s true usefulness—scheduling meetings, triaging email, or managing cloud infrastructure—users have to give these models raw API keys and broad permissions, increasing the risk of their systems being disrupted by an accidental agent mistake.
That agreement expires today. The creators of the open source sandboxed NanoClaw agent framework – now known under their new private startup called NanoCo – have announced a landmark partnership with Vercel and OneCLI to launch a standardized, infrastructure-level approval system.
By integrating Vercel’s Chat SDK and OneCLI’s open source credential vault, NanoClaw 2.0 ensures that no sensitive action occurs without explicit human consent, delivered natively through the messaging apps where users already live.
The specific use cases that benefit most are high-consequence "Write" action. That is, in DevOps, an agent can propose cloud infrastructure changes that go live only after a senior engineer taps them "approve" In Slack.
For finance teams, an agent can generate batch payments or invoice triaging, requiring a human signature via WhatsApp card for final disbursement.
Technology: Security by Isolation
The fundamental change in NanoClaw 2.0 is to move away from "application level" to safety "infrastructure-level" Enforcement. In traditional agent frameworks, the model is often responsible for asking for permissions – a flow that Nanoco co-founder Gavriel Cohen says is inherently flawed.
"The agent may be potentially malicious or compromised," Cohen noted in a recent interview. "If the agent is designing the UI for approval requests, it may trick you by swapping the ‘Approve’ and ‘Reject’ buttons."
NanoClaw solves this by running agents in tightly isolated Docker or Apple containers. The agent never sees the actual API key; Instead, it uses "placeholder" keys. When the agent attempts an outbound request, the request is intercepted by the OneCLI Rust gateway. The gateway checks a set of policies defined by the user (for example, "Read-only access is fine, but sending emails requires approval").
If the action is sensitive, the gateway blocks the request and triggers a notification to the user. Only after the user approves does the gateway inject the real, encrypted credentials and allow the request to access the service.
Product: Bringing the ‘human’ into the loop
While security is the engine, Vercel’s Chat SDK is the dashboard. Integrating with different messaging platforms is extremely difficult because each app—Slack, Teams, WhatsApp, Telegram—uses different APIs for interactive elements like buttons and cards.
By leveraging Vercel’s integrated SDK, Nanoclaw can now deploy to 15 different channels from a single TypeScript codebase. When an agent wants to perform a protected action, the user receives a rich interactive card on their phone. "Approval appears as a rich, native card directly inside Slack or WhatsApp or Teams, and the user taps once to approve or decline," Cohen said. it "seamless ux" This is what makes human-in-the-loop inspection practical rather than a productivity bottleneck.
The full list of 15 supported messaging apps/channels includes many favored by enterprise knowledge workers, including:
- Loose
-
WhatsApp
-
Telegram
-
Microsoft Teams
-
discord
-
google chat
-
iMessage
-
Facebook Messenger
-
Instagram
-
X (Twitter)
-
GitHub
-
linear
-
matrix
-
email
-
webex
Background on Nanocla
NanoClaw launched on January 31, 2026 as a minimalist and security-focused response "security nightmare" Complex, non-sandboxed agents rooted in the framework.
Created by former Wix.com engineer Cohen and marketed by his brother Lazar, CEO of B2B tech PR firm Concrete Media, the project was designed to solve the auditability crisis found in competing platforms like OpenClaw, which grew to nearly 400,000 lines of code.
In contrast, NanoClaw summarized its basic logic in about 500 lines of TypeScript – a size that, according to VentureBeat, allows the entire system to be audited by a human or secondary AI in about eight minutes.
The primary technical security of the platform is the use of operating system-level isolation. Each agent is housed inside a separate Linux container – using Apple Containers for high performance on macOS or Docker for Linux – to ensure that the AI only interacts with directories explicitly mounted by the user.
As noted in VentureBeat’s reporting on the project’s infrastructure, this approach is limited "blast radius" Potential instant injection should be used strictly for the container and its specific communication channel.
In March 2026, NanoClaw further matured this security posture through an official partnership with software container firm Docker to run agents in "docker sandbox".
It uses MicroVM-based isolation to provide an enterprise-ready environment for integration agents who, by their nature, must change their environment by installing packages, modifying files, and launching processes – actions that typically break traditional container immutability assumptions.
Operationally, Nanoclaw rejects traditional "well equipped" Software model in favor of A "skills over features" Visit. Instead of maintaining a bloated main branch with dozens of unused modules, the project encourages users to contribute "Skill"-Modular instructions that teach the local AI assistant how to change and adapt the codebase to specific needs, such as adding Telegram or Gmail support.
This method, as described on NanoClaw’s website and in VentureBeat interviews, ensures that users only maintain the exact code needed for their specific implementation.
Furthermore, the framework natively supports "agent swarm" Through the Anthropic Agent SDK, specialized agents are allowed to collaborate in parallel while maintaining separate memory contexts for different business tasks.
Licensing and open source strategy
Nanoclaw is strongly committed to the open source MIT License, which encourages users to fork the project and adapt it to their needs. it’s quite the opposite "unbroken" Structures.
NanoClaw’s codebase is remarkably small, consisting of only 15 source files and approximately 3,900 lines of code compared to the hundreds of thousands of lines found in competitors such as OpenClaw.
It also highlights the power of partnership "open source avengers" alliance.
Combining NanoClaw (agent orchestration), Vercel Chat SDK (UI/UX), and OneCLI (security/secrets), the project demonstrates that modular, open-source tools can outperform proprietary labs in building application layers for AI.
community reactions
As shown on the NanoClaw website, the project has collected over 27,400 stars on GitHub and maintains an active Discord community.
One of the main claims on the NanoClaw site is that the codebase is small enough to understand "8 minutes," A feature targeted at security-conscious users who want to audit their assistant.
In an interview, Cohen said that iMessage support through Vercell’s Photon project addresses a common community hurdle: Previously, users often had to maintain a separate Mac Mini to connect agents to an iMessage account.
Enterprise Perspective: Should You Adopt?
For enterprises, NanoClaw 2.0 represents a shift from speculative experimentation to secure operations.
Historically, IT departments have blocked agent access "all or nothing" Nature of credential access. By separating the agent from the mystery, NanoClaw provides a middle ground that mirrors existing corporate security protocols—specifically, the principle of least privilege.
Enterprises should consider this framework if they require high-auditability and require strict compliance regarding data intrusions. According to Cohen, many businesses are unwilling to give agents access to calendars or email due to security concerns. This framework ensures that the agent structurally cannot act without permission.
Enterprises will particularly benefit from use cases associated with "high stakes" action. As shown in the OneCLI dashboard, a user can set a policy where an agent can freely read emails but must trigger a manual approval dialog. "delete" Or "Send" One.
Since NanoClaw runs as a single Node.js process with isolated containers, it allows enterprise security teams to verify that the gateway is the only path for outbound traffic. This architecture transforms AI from an uncontrolled operator to a supervised junior employee, providing the productivity of autonomous agents without giving up executive control.
Ultimately, NanoClaw is a recommendation for organizations that want productivity without autonomous agents. "black box" Risk of traditional LLM wrappers. This transforms the AI from a potentially rogue operator into a highly capable junior employee who always asks permission before attacking. "Send" Or "Purchase" button.
As AI-native setups become the norm, this partnership creates a blueprint for how trust will be managed in the era of the autonomous workforce.
<a href