Don't trust AI agents
New framework isolates each AI agent in its own ephemeral container, preventing data leaks and sandbox escapes.
A viral critique of AI agent security argues that developers should treat all agents as potentially malicious by default, highlighting fundamental flaws in popular frameworks. The analysis targets OpenClaw, which runs directly on host machines with optional Docker sandboxing disabled by default, relying instead on application-level checks like allowlists and confirmation prompts. With nearly 500,000 lines of code and 70+ dependencies, OpenClaw's complexity makes comprehensive security review impossible, creating an attack surface where even routine tool or API calls can slip past in-process permission checks.
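To make that class of weakness concrete, here is a hypothetical TypeScript sketch of an in-process path allowlist, the kind of application-level check the critique describes; ALLOWED_DIRS and isPathAllowed are illustrative names, not OpenClaw's actual code.

```typescript
// Hypothetical in-process permission check: it runs in the same process as
// the agent, so nothing but application logic stands between the agent and
// the host filesystem.
import * as path from "path";

const ALLOWED_DIRS = ["/workspace", "/tmp/agent"];

function isPathAllowed(requested: string): boolean {
  const resolved = path.resolve(requested);
  // Naive prefix check: "/workspace-secrets" passes for "/workspace", and a
  // symlink inside an allowed directory escapes the check entirely, because
  // resolve() normalizes ".." segments but does not follow symlinks.
  return ALLOWED_DIRS.some((dir) => resolved.startsWith(dir));
}

console.log(isPathAllowed("/workspace/notes.md"));        // true
console.log(isPathAllowed("/workspace/../etc/passwd"));   // false: plain traversal is caught
console.log(isPathAllowed("/workspace-secrets/key.pem")); // true: the prefix bug slips through
```

Because the check lives in the same process as the agent, a single bug like this prefix match, or a compromise in any one of the 70+ dependencies, undoes it; there is no OS boundary behind it.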
The alternative NanoClaw framework implements a zero-trust architecture where each agent runs in its own isolated, ephemeral container on Docker or Apple Container (macOS). Agents operate as unprivileged users with only explicitly allowlisted directories mounted, preventing cross-agent data leaks and credential exposure. Sensitive paths like .ssh and .aws are blocked by default via an external allowlist file, while host application code is mounted read-only. By leveraging Anthropic's Agent SDK instead of reinventing components, NanoClaw keeps its codebase small enough to review in one afternoon while enforcing isolation at OS-level container boundaries rather than in application code.
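A minimal sketch of that launch pattern, assuming Docker and Node.js; the agent-image name, the DENIED list, and runAgentTask are illustrative assumptions, not NanoClaw's actual API (NanoClaw reads its blocklist from an external allowlist file rather than hardcoding it).

```typescript
// Each agent task gets a fresh, ephemeral container (--rm) running as an
// unprivileged user, with only explicitly allowlisted mounts visible.
import { spawnSync } from "child_process";
import * as os from "os";
import * as path from "path";

// Sensitive home directories that must never be mounted into an agent.
const DENIED = [".ssh", ".aws", ".gnupg"].map((d) => path.join(os.homedir(), d));

function runAgentTask(workspace: string, prompt: string): void {
  const resolved = path.resolve(workspace);
  if (DENIED.some((d) => resolved === d || resolved.startsWith(d + path.sep))) {
    throw new Error(`refusing to mount sensitive path: ${resolved}`);
  }
  const args = [
    "run", "--rm",                    // ephemeral: container is destroyed on exit
    "--user", "1000:1000",            // unprivileged user inside the container
    "--cap-drop", "ALL",              // drop all Linux capabilities
    "-v", `${resolved}:/workspace`,   // the only writable host directory
    "-v", `${process.cwd()}:/app:ro`, // host application code stays read-only
    "agent-image",                    // hypothetical image with the Agent SDK installed
    "agent", "--prompt", prompt,
  ];
  spawnSync("docker", args, { stdio: "inherit" });
}

runAgentTask("./my-project", "Summarize the open TODOs in this repo.");
```

The design point is that the spawning process does almost nothing security-critical: even if the mount check above were buggy, the kernel-enforced container boundary, the unprivileged user, and the dropped capabilities still bound what the agent can touch.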
- OpenClaw runs on host machines by default with Docker sandboxing optional, relying on vulnerable application-level permission checks
- NanoClaw isolates each agent in separate ephemeral containers with unprivileged users and strict mount allowlists blocking sensitive paths
- Framework complexity matters: the contrast between OpenClaw's 500K lines and NanoClaw's afternoon-reviewable codebase demonstrates security through simplicity
Why It Matters
As AI agents take on tasks that touch credentials and sensitive data, OS-level sandboxing is what prevents data breaches, credential theft, and unauthorized system access.