NanoClaw Configuration and Security

1. The core config mindset

NanoClaw is unusual because it explicitly resists configuration sprawl. The project prefers:

  • a small codebase,
  • clear mounts,
  • container boundaries,
  • and code-level customization.

That means the real configuration surface is not only a file. It is also the combination of:

  • installed skills,
  • provider choice,
  • channel wiring,
  • mount policy,
  • and per-group workspace structure.

2. Security comes from isolation

The README is very direct on this point:

agents run in containers and only see what is mounted for them

That is the heart of NanoClaw's trust model.

3. Credentials and provider safety

NanoClaw routes credentials through OneCLI's Agent Vault instead of handing raw keys to containers. That is an important distinction because it reduces how much secret material the agent runtime can directly see.

4. Safe operating habits

Use these defaults:

  • one agent and one channel first,
  • minimal mounts,
  • low-risk folders,
  • review custom skills before installation,
  • only broaden provider and channel surfaces deliberately.
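
One way to turn "minimal mounts" and "low-risk folders" into a check that runs before a container starts, as an added example (not NanoClaw's own code or config format). The mount records, the deny-list and the `~/nanoclaw/...` paths are constructed for illustration.

```python
import posixpath

# Constructed deny-list for this example (not a NanoClaw default).
SENSITIVE = ("/etc", "/root", "/var/run/docker.sock", "~/.ssh", "~/.aws", "~/.gnupg")

def _norm(path, home):
    # Expand "~" and collapse "." / ".." lexically; a real audit would also
    # resolve symlinks on the host with os.path.realpath().
    if path == "~" or path.startswith("~/"):
        path = home + path[1:]
    return posixpath.normpath(path)

def _inside(child, parent):
    # True when child == parent or child is below parent.
    return child == parent or child.startswith(parent.rstrip("/") + "/")

def audit_mounts(mounts, home, allowed_roots):
    """Return (host_path, finding) pairs for mounts that break the policy."""
    sensitive = [_norm(p, home) for p in SENSITIVE]
    roots = [_norm(p, home) for p in allowed_roots]
    findings = []
    for m in mounts:
        host = _norm(m["host"], home)
        if any(_inside(host, s) for s in sensitive):
            findings.append((host, "sensitive path"))
        elif any(_inside(s, host) for s in sensitive):
            # Mounting a parent exposes everything below it, secrets included.
            findings.append((host, "parent of sensitive path"))
        elif not any(_inside(host, r) for r in roots):
            findings.append((host, "outside allowed roots"))
        elif not m.get("readonly", False):
            findings.append((host, "writable"))
    return findings

# Constructed sample: mounts proposed for one group's agent container.
SAMPLE = [
    {"host": "~/nanoclaw/groups/family", "readonly": False},
    {"host": "~/nanoclaw/shared/docs", "readonly": True},
    {"host": "~/nanoclaw/groups/../../.ssh", "readonly": True},
    {"host": "~", "readonly": True},
    {"host": "/srv/data", "readonly": True},
]

if __name__ == "__main__":
    for host, finding in audit_mounts(SAMPLE, "/home/alice", ["~/nanoclaw"]):
        print(f"{finding:26} {host}")
```

A "writable" finding is a prompt to confirm the agent needs write access to that folder, not necessarily a misconfiguration.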

5. Practical rollout advice

NanoClaw is best rolled out as a controlled personal or small-team assistant environment first. Once the isolation model is trusted, broader channel expansion becomes much easier to justify.