NanoClaw runs agents in isolated Linux containers (Apple Container or Docker) and emphasizes OS-level security over application-level permissions. This document covers hardening network exposure, container isolation boundaries, and important Terms of Service considerations.
| Risk | Description | Mitigation |
|---|---|---|
| WhatsApp ToS | Using the Baileys API may violate Meta's Terms of Service and could lead to account bans | Use dedicated test numbers; avoid production accounts |
| Anthropic ToS | Automated/unattended usage may violate Claude Code subscription terms. Third-party harnesses using Claude subscriptions are prohibited by the ToS. The Claude Agent SDK now requires API keys (subscription auth is no longer supported) | Use API keys with appropriate usage limits; review Anthropic's current ToS |
| Token Consumption | Can be extreme: reports of 7M+ tokens in 45 minutes, $2k in 48 hours, or $1k+/week in some workflows. Simple single requests can consume 250k+ characters | Set up token monitoring, usage alerts, and spending limits. Budget accordingly: some users report "unless you can budget $1k a week, this thing is next to useless" |
- OAuth Token Injection: malicious group members could potentially use prompt injection to make the agent share tokens (acknowledged by the creator on Hacker News)
- External API Risks: container isolation protects the host, but external API access (WhatsApp, etc.) still carries risks
- Bind the application to localhost or a private interface by default
- Front external access with an authenticated reverse proxy and HTTPS
- Do not expose admin, swarm-control, or debugging endpoints publicly
- Apply request limits and logging on reverse proxy routes
- Use firewall rules to restrict access to trusted IPs only
NanoClaw’s primary security model is OS-level container isolation:
| Isolation Layer | Protection |
|---|---|
| Container Sandboxing | Every agent session runs in an isolated Linux container |
| Filesystem Isolation | Agents can only access explicitly mounted directories |
| Process Isolation | Separate process space per container |
| IPC Namespace | Isolated inter-process communication per group |
| No Ambient Access | No system access unless explicitly granted |
- Run agents with least privilege inside containers
- Restrict filesystem mounts to only what the task needs
- Separate high-risk agents from general-purpose automation agents
- Audit container templates and startup arguments for privilege escalation paths
- Use Apple Container (macOS) or Docker (Linux) as designed—don’t bypass isolation
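As an added example (not NanoClaw's own code), the bash helpers below audit a `docker run` argument list for settings that widen the isolation boundary described above, and print a least-privilege baseline for an agent container. The Docker flag names are standard CLI options; the function names, the `/work` mount path and the sample arguments are assumptions.

```shell
# Hypothetical helpers (not NanoClaw code): audit `docker run` arguments and
# build a least-privilege baseline for an agent container.

# Print one finding per line for each argument that widens the sandbox.
# Handles both "--flag=value" and "--flag value" spellings.
audit_docker_args() {
  local prev="" arg src
  for arg in "$@"; do
    case "$arg" in
      --privileged) echo "privileged: all capabilities and host devices exposed" ;;
      --cap-add=*) echo "cap-add: extra capability ${arg#--cap-add=}" ;;
      --pid=host|--ipc=host|--network=host|--userns=host|--uts=host)
        echo "host namespace shared: $arg" ;;
      --security-opt=seccomp=unconfined|--security-opt=apparmor=unconfined)
        echo "security profile disabled: ${arg#--security-opt=}" ;;
    esac
    # Values given as a separate token after their flag.
    case "$prev" in
      --cap-add) echo "cap-add: extra capability $arg" ;;
      --security-opt)
        case "$arg" in *unconfined*) echo "security profile disabled: $arg" ;; esac ;;
    esac
    # Bind mounts: flag the host root and the Docker socket as sources.
    src=""
    case "$prev" in -v|--volume) src="${arg%%:*}" ;; esac
    case "$arg" in --volume=*) src="${arg#--volume=}"; src="${src%%:*}" ;; esac
    case "$src" in
      /) echo "bind mount: host root filesystem exposed to the agent" ;;
      */docker.sock) echo "bind mount: Docker socket gives control of the host" ;;
    esac
    prev="$arg"
  done
}

# Number of findings (0 means the default isolation boundary is kept).
count_findings() { audit_docker_args "$@" | awk 'END { print NR }'; }

# Baseline flags: drop every capability, forbid privilege gain via setuid
# binaries, read-only image, bounded process count, unprivileged user, and
# only the task directory mounted read-only (/work and the default path are assumptions).
hardened_run_args() {
  printf '%s\n' \
    --cap-drop=ALL \
    --security-opt=no-new-privileges \
    --read-only \
    --tmpfs=/tmp \
    --pids-limit=256 \
    --user=1000:1000 \
    --volume="${1:-/path/to/task}:/work:ro"
}
```

Run `audit_docker_args` over the argument list of each container template before deploying it; any output is a finding to justify or remove.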
3) Constrain Safe-Bash and Swarm Execution
- Commands run inside containers by default—host is protected by OS isolation
- Define command allowlists/denylists at the application level for defense in depth
- Require human approval for destructive or high-impact commands
- Limit inter-agent handoff permissions in swarm workflows
- Log agent decisions, command invocations, and failures for audit review
4) Secure Authentication and Secrets
- Store Claude API keys securely (use system keychain or secrets manager)
- Protect WhatsApp/Telegram session data in SQLite database
- Rotate authentication tokens periodically
- Use separate messaging accounts for testing vs. production
- Never commit secrets or session files to version control
NanoClaw's small codebase (~3,900 LOC across 15 files) enables:
- A full codebase audit in an afternoon
- Verification of every line by security teams
- Easier tracking and review of changes
- Minimal dependencies (<10), which reduces supply-chain risk
- 🌐 NanoClaw Repository: https://github.com/qwibitai/nanoclaw
- 🌐 NanoClaw Website: https://nanoclaw.dev
- 🌐 OpenClaw (Related Project): https://github.com/openclaw/openclaw
- 📄 Anthropic ToS: Review current terms for automated usage policies
- 📄 Meta Platform ToS: Review WhatsApp API usage policies