4 Sources
[1]
The wild six weeks for NanoClaw's creator that led to a deal with Docker | TechCrunch
About six weeks ago, he introduced NanoClaw on Hacker News as a tiny, open-source, secure alternative to the AI agent-building sensation OpenClaw, after he built it in a weekend coding binge. That post went viral. "I sat down on the couch in my sweatpants," Cohen told TechCrunch, "and just basically melted into [it] the whole weekend, probably almost 48 hours straight."

About three weeks ago, an X post praising NanoClaw from famed AI researcher Andrej Karpathy went viral. About a week ago, Cohen closed down his AI marketing startup to focus full-time on NanoClaw and launch a company around it called NanoCo. The attention from Hacker News and Karpathy had translated into 22,000 stars on GitHub, 4,600 forks (people building new versions off the project), and over 50 contributors. He's already added hundreds of updates to his project with hundreds more in the queue.

Now, on Friday, Cohen announced a deal with Docker -- the company that essentially invented the container technology NanoClaw is built on, and counts millions of developers and nearly 80,000 enterprise customers -- to integrate Docker Sandboxes into NanoClaw.

It all started when Cohen launched an AI marketing startup with his brother, Lazer Cohen, a few months ago. The startup offered marketing services like market research, go-to-market analysis, and blog posts through a small team of people using AI agents. The agency started booking customers, and was on track to hit $1 million in annual recurring revenue, the brothers told TechCrunch.

"It was going really well, great traction. I'm a huge believer in that business model of AI-native service companies that have margins and operate like a software company but are actually providing services," said Cohen, a computer programmer who previously worked for website hosting company Wix.

He had built the agents the startup was using, largely using Claude Code, each designed to do specific tasks. But there was "a piece" missing, he said. The agent could do work when prompted, but the humans couldn't pre-schedule work, or connect agents to team communication tools like WhatsApp and assign tasks that way. (WhatsApp is to most of the world what Slack is to corporate America.)

Cohen heard about OpenClaw, the popular AI agent tool whose creator now works for OpenAI. Cohen used it to build out those final interfaces, and loved it. "There was this big aha moment of: this is the piece that connects all of these separate workflows that I've been building," he said and immediately decided, "I want more of them: on R&D, on product, on client management," one for every task the startup had to handle.

But then OpenClaw scared the bejesus out of him. In researching a hiccup with performance, he stumbled across a file where the OpenClaw agent had downloaded all of his WhatsApp messages and stored them in plain, unencrypted text on his computer. Not just the work-related messages it was given explicit access to, but all of them, his personal messages too.

OpenClaw has been widely panned as a "security nightmare" because of the way it accesses memory and account permissions. It is difficult to limit its access to data on a machine once it has been installed.

That issue will likely improve over time, given the project's popularity, but Cohen had another concern: the sheer size of OpenClaw. As he researched security options for it, he saw all the packages that had been bundled into it. It included an "obscure" open source project he himself had written a few months earlier for editing PDFs using a Google image editing model. He had no idea it was there -- he wasn't even actively maintaining that project.

He realized there was no way for him to validate all OpenClaw's code and its dependencies, which, by some estimates, sprawled across 800,000 lines of code. So he built his own in just 500 lines of code, intended to be used for his company, and shared it. He based it on Apple's new container tech, which creates isolated environments that prevent software from accessing any data on a machine beyond what it is explicitly authorized to use.

At 4 a.m., a couple of weeks after sharing it on Hacker News, his phone started ringing non-stop. A friend had seen Karpathy's post and was urging Cohen to wake up and start tweeting, which he did, setting off a public discussion with the well-known AI researcher. Attention to NanoClaw followed like a landslide. More tweets, YouTube reviews from programmers, and news stories. A domain squatter even snagged a NanoClaw website URL. The correct one is nanoclaw.dev.

Then Oleg Selajev, a developer who works for Docker, reached out. Selajev saw the buzz and modified NanoClaw to replace Apple's container technology with Docker's competing alternative, Sandboxes. Cohen had no hesitation about pushing support for Sandboxes out as part of the main NanoClaw project. "This is no longer my own personal agent that I'm running on my Mac Mini," he recalled thinking. "This now has a community around it. There are thousands of people using it. Yeah, I said, I'm going to move over to the standard."

For all the changes these weeks have brought Cohen and his brother Lazer, now CEO and president of NanoCo respectively, one area still needs to be figured out: how NanoCo will make money. NanoClaw is free and open source and, as these things go, the Cohens vow it always will be. They know they would be strung up as villains if they ever betrayed the open source community by changing that.

Currently the Cohens are living on a friends-and-family fundraising round, they said. While they are cautious about announcing their commercial plans yet -- in large part because they haven't had a chance to fully formulate them -- VCs are already calling, they say. The game plan is to build a fully supported commercial product with services including so-called forward deployed engineers -- specialists embedded directly with client companies to help them build and manage their systems. This will likely focus on assisting companies in building and maintaining secure agents. That is, however, a crowded field growing more crowded by the hour. But given the giant community of developers that NanoClaw just unlocked with Docker, we're sure to hear more about this soon.
[2]
NanoClaw is in your Docker sandbox now - can this restrain AI agents from running amok?
NanoClaw and Docker announce a formal partnership. The AI agent will be integrated into Docker Sandboxes. The move highlights the importance of AI isolation.

NanoClaw and Docker have announced a partnership to enable integration of the open-source AI agent platform with Docker containers.

The integration will allow NanoClaw builds to be deployed within Docker's MicroVM-based sandbox infrastructure, according to the joint announcement made Friday by NanoClaw's development group, NanoCo, and developer platform Docker. This will be the first time a claw-based AI agent can be deployed in this manner, and according to the two organizations, it will take only one command to launch. If a user summons NanoClaw, each agent task is isolated in a Docker container running with Docker Sandboxes.

NanoClaw is a new AI agent developed by Gavriel Cohen as an alternative to OpenClaw, which, while powerful, is also a security nightmare for cybersecurity professionals.

Compared to OpenClaw's codebase of over 400,000 lines, NanoClaw is tiny, supported by fewer than 4,000 lines of code. Built on top of Anthropic's Claude Code, NanoClaw can be adapted to suit a user's needs through skill integration. It's also open source, allowing anyone to examine its code for errors and security issues.

The partnership makes sense as NanoClaw was originally programmed to run in containers rather than directly on an operating system. By implementing this control from the start, it has access only to what has been deliberately mounted, rather than to software, apps, and functions across the entire system. At the time of writing, NanoClaw has over 21,000 stars on GitHub and approximately 3,800 forks.

It's a smart move. By teaming up with Docker, NanoClaw's developers are not only promoting the AI agent by making it easily accessible to Docker users, but are also highlighting the difference between OpenClaw and NanoClaw builds. The former has, arguably, far too many open security issues to allow for trust, whereas the latter has been coded with AI isolation at its core.

The partnership is likely to capture enterprise interest, too, since companies can experiment with NanoClaw without directly loading a "claw" build onto a host machine -- a risk that can lead to issues such as accidental deletion, damage, security vulnerabilities, and prompt injection attacks.

According to NanoClaw, agents run in MicroVM-based, disposable isolation zones within Docker Sandboxes; therefore, if an agent tried to escape by exploiting a vulnerability, it would remain contained.

"Every organization wants to put AI agents to work, but the barrier is control: what those agents can access, where they can connect, and what they can change," said Docker president Mark Cavage. "Docker Sandboxes provide the secure execution layer for running agents safely, and NanoClaw shows what's possible when that foundation is in place."

The key is isolation. If you want to try out OpenClaw, NanoClaw, or any number of claw forks out there, you need to remember that when skills are enabled, and permission has been granted, these agents can deploy and run code on your behalf, access credentials, communicate for you, make purchases, and more -- depending on the abilities you have granted your AI assistant. While powerful, this can also be extremely dangerous without containment. Boundaries have to be established to retain control of your accounts, information, and potentially, your online identity.

It is recommended that you only use this technology in a container or sandbox environment, as there's no other secure option at the moment. "A single compromised agent can access credentials, read session histories, and reach data belonging to entirely separate agents," NanoClaw's team noted. "Application-level permission checks don't offer sufficient protection. What is required is OS-enforced isolation: each agent in its own safe environment, with its own filesystem and session history, invisible to every other agent running alongside it."
[3]
NanoClaw latches onto Docker Sandboxes for safer AI agents
NanoClaw, an open source agent platform, can now run inside Docker Sandboxes, furthering the project's commitment to security.

NanoClaw, as we noted recently, followed from an effort to address the security holes opened by OpenClaw, which attracted widespread attention earlier this year as a way to empower AI models to roam about the web and operate applications on users' behalf and without many constraints.

NanoClaw already runs inside of containers, which makes it safer than running agent software on a local machine. Through a partnership with Docker, users can now install NanoClaw into a Docker Sandbox, a kind of micro VM that is more secure than a container because it's isolated from the host system. A container is an isolated process on a shared kernel; micro VMs have their own kernel.

"With Docker Sandboxes, that boundary is now two layers deep," explained Gavriel Cohen, co-founder of NanoClaw, in a blog post provided to The Register ahead of publication. "Each agent runs in its own container (can't see other agents' data), and all containers run inside a micro VM (can't touch your host machine). If a hallucination or a misbehaving agent can cause a security issue, the security model is broken. Security has to be enforced outside the agentic surface, not depend on the agent behaving correctly."

Docker Sandboxes are supported on macOS (Apple Silicon) and Windows (x86), with Linux support due in a few weeks.

Mark Cavage, COO of Docker, told The Register in an interview, "Docker Sandboxes are a new primitive that has the ergonomics of Docker and what I describe as the ethos of Docker. But it's fundamentally a different primitive. It's actually a micro VM and it actually has true isolation with its own dedicated kernel and its own dedicated hardware space."

As a tagline to describe Sandboxes, he suggested "You can put YOLO in a box" - a reference to the risky "You only live once" setting (since renamed "auto-run") available in the Cursor AI IDE to allow agents to perform a series of automated actions without seeking permission.

Cavage said the problem most people have with coding agents is they can generate all sorts of code, but developers must still click "Okay" over and over to use it. Developers, he said, frequently want to disable that protection and just go for it. "But the problem is it can wipe out your file system and do very, very bad things," he said.

Docker introduced Sandboxes last November to prevent possible problems. Cavage said after the launch of NanoClaw, Cohen got in touch and after some discussion integrated Sandboxes into the code base.

Cavage said that the essence of Docker is portability, isolation, and simplicity. But containers, he said, assume some degree of immutability. "You start something and Kubernetes will restart anything that looks like it's drifted, and security teams have scanners to flag writable root file systems and so on," he said. "But agents fundamentally are different and they violate that primitive from day one. You launch the agent and the very first thing it wants to do is look at the environment, install new packages, write some files, spin up databases that are mocked. It just wants to do stuff."

Docker Sandboxes, he said, are more of a true process jail that enforces isolation.

What Docker and NanoClaw are doing is trying to reconcile fundamentally opposed ideas - the deterministic nature of computers with the non-deterministic nature of AI models. Mixing systems predicated on predictability with unpredictable AI models, Cavage admits, is not a solved problem and is something that will occupy the industry for a while.

"The reality is at least we have a reasonable bounding box as the foundational part of the stack and the very first thing that you need," he said. "There's clearly going to have to be a governance primitive and things that map in the middle of how the natural language system that has intelligence and wants to go off and do something can be bounded down to something that is ultimately deterministic from a capabilities perspective."

Docker, said Cavage, is already sold on AI. "We use it. It's an AI-native company at this point. We use it in every facet of the business."

Docker, he said, is using its Sandbox primitive to cage AI agents but everyone still has to build layers on top of that to orchestrate workflows. The key to making this happen, he argues, is "put YOLO in a box."

"Once you get there, then the developers all of a sudden go from effectively babysitting the agent to just letting it run for minutes or hours or longer at a time," he said. "That's the huge productivity unlock."
[4]
NanoClaw and Docker partner to make sandboxes the safest way for enterprises to deploy AI agents
NanoClaw, the open-source AI agent platform created by Gavriel Cohen, is partnering with the containerized development platform Docker to let teams run agents inside Docker Sandboxes, a move aimed at one of the biggest obstacles to enterprise adoption: how to give agents room to act without giving them room to damage the systems around them.

The announcement matters because the market for AI agents is shifting from novelty to deployment. It is no longer enough for an agent to write code, answer questions or automate a task. For CIOs, CTOs and platform leaders, the harder question is whether that agent can safely connect to live data, modify files, install packages and operate across business systems without exposing the host machine, adjacent workloads or other agents. That is the problem NanoClaw and Docker say they are solving together.

A security argument, not just a packaging update

NanoClaw launched as a security-first alternative in the rapidly growing "claw" ecosystem, where agent frameworks promise broad autonomy across local and cloud environments. The project's core argument has been that many agent systems rely too heavily on software-level guardrails while running too close to the host machine. This Docker integration pushes that argument down into infrastructure.

"The partnership with Docker is integrating NanoClaw with Docker Sandboxes," Cohen said in an interview. "The initial version of NanoClaw used Docker containers for isolating each agent, but Docker Sandboxes is the proper enterprise-ready solution for rolling out agents securely."

That progression matters because the central issue in enterprise agent deployment is isolation. Agents do not behave like traditional applications. They mutate their environments, install dependencies, create files, launch processes and connect to outside systems. That breaks many of the assumptions underlying ordinary container workflows.

Cohen framed the issue in direct terms: "You want to unlock the full potential of these highly capable agents, but you don't want security to be based on trust. You have to have isolated environments and hard boundaries."

That line gets at the broader challenge facing enterprises now experimenting with agents in production-like settings. The more useful agents become, the more access they need. They need tools, memory, external connections and the freedom to take actions on behalf of users and teams. But each gain in capability raises the stakes around containment. A compromised or badly behaving agent cannot be allowed to spill into the host environment, expose credentials or access another agent's state.

Why agents strain conventional infrastructure

Docker president and COO Mark Cavage said that reality forced the company to rethink some of the assumptions built into standard developer infrastructure. "Fundamentally, we had to change the isolation and security model to work in the world of agents," Cavage said. "It feels like normal Docker, but it's not."

He explained why the old model no longer holds. "Agents break effectively every model we've ever known," Cavage said. "Containers assume immutability, but agents break that on the very first call. The first thing they want to do is install packages, modify files, spin up processes, spin up databases -- they want full mutability and a full machine to run in."

That is a useful framing for enterprise technical decision-makers. The promise of agents is not that they behave like static software with a chatbot front end. The promise is that they can perform open-ended work. But open-ended work is exactly what creates new security and governance problems. An agent that can install a package, rewrite a file tree, start a database process or access credentials is more operationally useful than a static assistant. It is also more dangerous if it is running in the wrong environment.

Docker's answer is Docker Sandboxes, which use MicroVM-based isolation while preserving familiar Docker packaging and workflows. According to the companies, NanoClaw can now run inside that infrastructure with a single command, giving teams a more secure execution layer without forcing them to redesign their agent stack from scratch.

Cavage put the value proposition plainly: "What that gets you is a much stronger security boundary. When something breaks out -- because agents do bad things -- it's truly bounded in something provably secure."

That emphasis on containment rather than trust lines up closely with NanoClaw's original thesis. In earlier coverage of the project, NanoClaw was positioned as a leaner, more auditable alternative to broader and more permissive frameworks. The argument was not just that it was open source, but that its simplicity made it easier to reason about, secure and customize for production use.

Cavage extended that argument beyond any single product. "Security is defense in depth," he said. "You need every layer of the stack: a secure foundation, a secure framework to run in, and secure things users build on top."

That is likely to resonate with enterprise infrastructure teams that are less interested in model novelty than in blast radius, auditability and layered control. Agents may still rely on the intelligence of frontier models, but what matters operationally is whether the surrounding system can absorb mistakes, misfires or adversarial behavior without turning one compromised process into a wider incident.

The enterprise case for many agents, not one

The NanoClaw-Docker partnership also reflects a broader shift in how vendors are beginning to think about agent deployment at scale. Instead of one central AI system doing everything, the model emerging here is many bounded agents operating across teams, channels and tasks.

"What OpenClaw and the claws have shown is how to get tremendous value from coding agents and general-purpose agents that are available today," Cohen said. "Every team is going to be managing a team of agents."

He pushed that idea further in the interview, sketching a future closer to organizational systems design than to the consumer assistant model that still dominates much of the AI conversation. "In businesses, every employee is going to have their personal assistant agent, but teams will manage a team of agents, and a high-performing team will manage hundreds or thousands of agents," Cohen said.

That is a more useful enterprise lens than the usual consumer framing. In a real organization, agents are likely to be attached to distinct workflows, data stores and communication surfaces. Finance, support, sales engineering, developer productivity and internal operations may all have different automations, different memory and different access rights. A secure multi-agent future depends less on generalized intelligence than on boundaries: who can see what, which process can touch which file system, and what happens when one agent fails or is compromised.

NanoClaw's product design is built around that kind of orchestration. The platform sits on top of Claude Code and adds persistent memory, scheduled tasks, messaging integrations and routing logic so agents can be assigned work across channels such as WhatsApp, Telegram, Slack and Discord. The release says this can all be configured from a phone, without writing custom agent code, while each agent remains isolated inside its own container runtime.

Cohen said one practical goal of the Docker integration is to make that deployment model easier to adopt. "People will be able to go to the NanoClaw GitHub, clone the repository, and run a single command," he said. "That will get their Docker Sandbox set up running NanoClaw."

That ease of setup matters because many enterprise AI deployments still fail at the point where promising demos have to become stable systems. Security features that are too hard to deploy or maintain often end up bypassed. A packaging model that lowers friction without weakening boundaries is more likely to survive internal adoption.

An open-source partnership with strategic weight

The partnership is also notable for what it is not. It is not being positioned as an exclusive commercial alliance or a financially engineered enterprise bundle.

"There's no money involved," Cavage said. "We found this through the foundation developer community. NanoClaw is open source, and Docker has a long history in open source."

That may strengthen the announcement rather than weaken it. In infrastructure, the most credible integrations often emerge because two systems fit technically before they fit commercially. Cohen said the relationship began when a Docker developer advocate got NanoClaw running in Docker Sandboxes and demonstrated that the combination worked.

"We were able to put NanoClaw into Docker Sandboxes without making any architecture changes to NanoClaw," Cohen said. "It just works, because we had a vision of how agents should be deployed and isolated, and Docker was thinking about the same security concerns and arrived at the same design."

For enterprise buyers, that origin story signals that the integration was not forced into existence by a go-to-market arrangement. It suggests genuine architectural compatibility.

Docker is also careful not to cast NanoClaw as the only framework it will support. Cavage said the company plans to work broadly across the ecosystem, even as NanoClaw appears to be the first "claw" included in Docker's official packaging. The implication is that Docker sees a wider market opportunity around secure agent runtime infrastructure, while NanoClaw gains a more recognizable enterprise foundation for its security posture.

The bigger story: infrastructure catching up to agents

The deeper significance of this announcement is that it shifts attention from model capability to runtime design. That may be where the real enterprise competition is heading.

The AI industry has spent the last two years proving that models can reason, code and orchestrate tasks with growing sophistication. The next phase is proving that these systems can be deployed in ways security teams, infrastructure leaders and compliance owners can live with.

NanoClaw has argued from the start that agent security cannot be bolted on at the application layer. Docker is now making a parallel argument from the runtime side. "The world is going to need a different set of infrastructure to catch up to what agents and AI demand," Cavage said. "They're clearly going to get more and more autonomous."

That could turn out to be the central story here. Enterprises do not just need more capable agents. They need better boxes to put them in.

For organizations experimenting with AI agents today, the NanoClaw-Docker integration offers a concrete picture of what that box might look like: open-source orchestration on top, MicroVM-backed isolation underneath, and a deployment model designed around containment rather than trust.

In that sense, this is more than a product integration. It is an early blueprint for how enterprise agent infrastructure may evolve: less emphasis on unconstrained autonomy, more emphasis on bounded autonomy that can survive contact with real production systems.
NanoClaw, the open-source AI agent platform built in a weekend, has partnered with Docker to integrate its technology with Docker Sandboxes. The collaboration addresses enterprise security concerns by running AI agents in isolated micro VMs, preventing them from accessing unauthorized data or damaging host systems while maintaining full operational capability.
What started as a weekend coding marathon has transformed into a partnership between NanoClaw and Docker that could reshape how enterprises deploy AI agents. Gavriel Cohen built NanoClaw in approximately 48 hours about six weeks ago, introducing it on Hacker News as a tiny, open-source AI agent platform designed as a secure alternative to OpenClaw. The project exploded after famed AI researcher Andrej Karpathy praised it on X, leading to 22,000 stars on GitHub, 4,600 forks, and over 50 contributors within weeks.
On Friday, Cohen announced a formal partnership with Docker to integrate Docker Sandboxes into NanoClaw, allowing the open-source AI agent platform to run in isolated micro VMs with a single command [2]. Docker, which essentially invented secure container technology and serves nearly 80,000 enterprise customers, provides the infrastructure layer that addresses one of the biggest obstacles to enterprise agent deployment: how to give AI agents operational freedom without exposing host systems to security vulnerabilities.
The partnership tackles a fundamental tension in enterprise adoption of AI agents. These systems need broad access to perform useful work—installing packages, modifying files, accessing credentials, and connecting to external systems. But each capability increase raises containment stakes. "Every organization wants to put AI agents to work, but the barrier is control: what those agents can access, where they can connect, and what they can change," said Docker president Mark Cavage [2].
Cohen's motivation for building NanoClaw stemmed directly from security concerns with OpenClaw. While using OpenClaw for his AI marketing startup, he discovered the agent had downloaded all his WhatsApp messages—both work and personal—and stored them in plain, unencrypted text on his computer. OpenClaw has been widely criticized as a "security nightmare" due to how it accesses memory and account permissions, with a codebase sprawling across 800,000 lines of code that's difficult to audit.
In contrast, NanoClaw was built with just 500 lines of code initially, now supported by fewer than 4,000 lines, making it far easier to examine for errors and security issues [2]. "Application-level permission checks don't offer sufficient protection. What is required is OS-enforced isolation: each agent in its own safe environment, with its own filesystem and session history, invisible to every other agent running alongside it," NanoClaw's team noted [2].
Docker Sandboxes represent a shift from standard containerization to MicroVM-based isolation. While traditional containers are isolated processes on a shared kernel, micro VMs have their own dedicated kernel and hardware space, creating a stronger security boundary [3]. "With Docker Sandboxes, that boundary is now two layers deep," Gavriel Cohen explained. "Each agent runs in its own container (can't see other agents' data), and all containers run inside a micro VM (can't touch your host machine)" [3].
This architecture addresses the reality that AI agents fundamentally break assumptions built into conventional infrastructure. "Agents break effectively every model we've ever known," Cavage said. "Containers assume immutability, but agents break that on the very first call. The first thing they want to do is install packages, modify files, spin up processes, spin up databases—they want full mutability and a full machine to run in" [4]. According to NanoClaw, if an agent tries to escape by exploiting a vulnerability, it remains contained within the disposable isolation zone [2].
The integration means enterprises can experiment with NanoClaw without loading agent software directly onto host systems—a risk that can lead to accidental deletion, damage, and prompt injection attacks [2]. Docker Sandboxes are currently supported on macOS (Apple Silicon) and Windows (x86), with Linux support expected in a few weeks [3].
Cohen's journey to this partnership began when he launched an AI marketing startup with his brother Lazer Cohen, offering services like market research and go-to-market analysis through AI agents. The agency was on track to hit $1 million in annual recurring revenue before Cohen closed it down about a week ago to focus full-time on NanoClaw and launch a company around it called NanoCo.
The partnership with Docker emerged organically when Oleg Selajev, a Docker developer, saw the buzz around NanoClaw and modified it to replace Apple's container technology with Docker Sandboxes. Cohen integrated the changes into the main NanoClaw project, recognizing it was "no longer my own personal agent that I'm running on my Mac Mini" but a tool serving a broader community.
For technical leaders watching this space, the partnership signals a shift from AI agents as novelty to production-ready infrastructure. "Once you get there, then the developers all of a sudden go from effectively babysitting the agent to just letting it run for minutes or hours or longer at a time," Cavage said. "That's the huge productivity unlock" [3]. The challenge ahead involves reconciling the deterministic nature of computers with the non-deterministic nature of AI models—something Cavage admits "is not a solved problem and is something that will occupy the industry for a while" [3].
Summarized by Navi