On the one hand, I feel a bit conflicted pointing out the recognised security issues with OpenClaw, even as serious AI thought leaders are naming their agents “Arnold” and shouting orders at them. I feel duty-bound to take their enthusiasm seriously, while also stressing that this whole area remains problematic.Enter NanoClaw. And it’s more than just a very small claw.Firstly, NanoClaw can isolate each agent in its own container. So the agentic loop starts with no knowledge of other agents, and only knows about the resources you tell it about.The other intriguing thing is that the app isn’t a large configuration file talking to a monolith; it is just the code you need (and the appropriate Claude skills) — with Claude hacking itself as needed. Given that code is “cheap” now, and Claude editing is reliable, this does make sense. And it does keep the code size down.WhatsApp? No thanks.My first question was… how does a bot get access to WhatsApp? This is the preferred contact choice of most OpenClaw users (and NanoClaw). The problem here is that unless you have a business account, you surely don’t own enough stake in the platform to host an arbitrary new user. On closer inspection, it appears that the WhatsApp connection relies on a module called Baileys that scans WhatsApp Web’s WebSocket-based data, which Meta strongly discourages. In fact, accounts using unauthorised methods to connect to WhatsApp are actively monitored and restricted.I’m hardly going to encourage using such a method, but fortunately, we don’t have to. I do pay for a Slack workspace, and while connecting to Slack is a little painful, it is at least fully accounted for.InstallingI have Claude installed, of course, connected to a “Pro” account. With the instructions, I do the usual thing:git clone https://github.com/qwibitai/nanoclaw.gitThen I ran Claude within the new directory with /setup:I have Docker Desktop installed, as this part requires:On a Mac, you will see the familiar Docker icon in the Menu Bar if you didn’t start it yourself.Then we move to how you are connecting to Claude:Usually, I have to remember to turn the API key off because it’s more expensive than a subscription. This is the first time I’ve seen the two options mentioned side by side—a good sign.Then we get to the contentious bit:As I’ve indicated, I don’t think WhatsApp is appropriate, so I’ll be using Slack.Then we were given the great Slack sidequest:I now have to find two tokens, but not with my sword and trusty shield, but with the Slack API. I only recommend this campaign for an experienced adventurer. Onwards.Generating the tokens in SlackFortunately, there are some good instructions on the Slack skill, and Claude is patient. First, we need to generate the tokens and scopes.On Slack, I found the appropriate dialog:We need to turn on Socket Mode:Then we need to subscribe to a set of bot events:And add scopes for OAuth – these limit what the NanoClaw App can do in the account:And finally, you get to install your new app and fetch the final dungeon key token:I have slain the dragon / found the treasure / defeated the Rocketeer. Well, not quite.Claude crashed. But I quickly got back to where I was, and Claude appears to fix the errant Slack script, and accept my two tokens for its .env file:Then it was a case of introducing NanoClaw into my Slack channel.I suspected we were done with Slack itself, but we needed to give it access to my server folders. Remember, this is what we did with Claude Cowork to give it real power:A nicer way to select the folders would be cool, but I added the folders I was happy for NanoClaw to see:And then I was able to communicate with NanoClaw on my Slack channel, after getting the correct Claude auth token:My initial attempt to confirm that NanoClaw could see my folders on my Mac failed:This is both good and bad. It proved that the agent is sitting in a container and not part of a single app. And of course, I asked Claude to fix itself. I had been tailing the log, so I could relay all the problems back to Claude, which eventually mapped the folders in a way that the NanoClaw agent could understand:Note how it refers to “the agent” as a separate entity. So I had a back-and-forth between the NanoClaw agent and Claude. I’m still very much the engineer here – but the separation of control is fine. The errors were the ones we all make, not understanding what Linux wants. No one understands what Linux wants.Eventually, it fixed its internal database and restarted what it needed to for the container. And with the new mapping, I could see my Documents folder:To check, I added a new file to check it really was mapped live to the directory. Eventually, it did reflect that the file was there.“I like the fact that Claude thought of the agent sitting in the container as quite separate from itself, and overall this is certainly a much more sensible and secure setup if you really want to be a ‘power user’ who really just needs a secretary to yell at.”Now this isn’t running on a Mac Mini under my cupboard, but on my laptop. So I won’t be asking for a research document based on a report in my inbox at 2 a.m. while out for a jog, but if I were into that sort of thing, NanoClaw can clearly provide this fairly safely.While I did need to play engineer to get everything working, in reality, I was telling Claude my problems, and Claude fixed them. For that, I got a direct connection from my mobile Slack app to my server. I like the fact that Claude thought of the agent sitting in the container as quite separate from itself, and overall, this is certainly a much more sensible and secure setup if you really want to be a “power user” who really needs a secretary to yell at.The post NanoClaw can stuff each AI agent into its own Docker container to deal with OpenClaw’s security mess appeared first on The New Stack.