Show HN: NanoClaw – “Clawdbot” in 500 lines of TS with Apple container isolation

redfloatplane|28 days ago

I think these days if I’m going to be actively promoting code I’ve created (with Claude, no shade for that), I’ll make sure to write the documentation, or at the very least the readme, by hand. The smell of LLM from the docs of any project puts me off even when I like the idea of the project itself, as in this case. It’s hard to describe why - maybe it feels like if you care enough to promote it, you should care to try and actually communicate, person to person, to the human being promoted at. Dunno, just my 2c and maybe just my own preference. I’d rather read a typo-ridden five line readme explaining the problem the code is there to solve for you and me,the humans, not dozens of lines of perfectly penned marketing with just the right number of emoji. We all know how easy it is to write code these days. Maybe use some of that extra time to communicate with the humans. I dunno.

Edit: I see you, making edits to the readme to make it sound more human-written since I commented ;) https://github.com/gavrielc/nanoclaw/commit/40d41542d2f335a0...

jimminyx|28 days ago

OP here. Appreciate your perspective but I don't really accept the framing, which feels like it's implying that I've been caught out for writing and coding with AI.

I don't make any attempt to hide it. Nearly every commit message says "Co-Authored-By: Claude Opus 4.5". You correctly pointed out that there were some AI smells in the writing, so I removed them, just like I correct typos, and the writing is now better.

I don't care deeply about this code. It's not a masterpiece. It's functional code that is very useful to me. I'm sharing it because I think it can be useful to other people. Not as production code but as a reference or starting point they can use to build (collaboratively with claude code) functional custom software for themselves.

I spent a weekend giving instructions to coding agents to build this. I put time and effort into the architecture, especially in relation to security. I chose to post while it's still rough because I need to close out my work on it for now - can't keep going down this rabbit hole the whole week :) I hope it will be useful to others.

BTW, I know the readme irked you but if you read it I promise it will make a lot more sense where this project is coming from ;)

jofzar|28 days ago

I 100% agree, reading very obviously ai written blogs and "product pages"/readme's has turned into a real ick for me.

Just something that screams "I don't care about my product/readme page, why should you".

To be clear, no issue with using AI to write the actual program/whatever it is. It's just the readme/product page which super turns me off even trying/looking into it.

iterateoften|28 days ago

Project releases with llms have grown to be less about the functionality and more about convincing others to care.

Before the proof of work of code in a repo by default was a signal of a lot of thought going into something. Now this flood of code in these vibe coded projects is by default cheap and borderline meaningless. Not throwing shade or anything at coding assistants. Just the way it goes

101008|28 days ago

I agree 100% with you. It's even worse though. They haven't checked if the Readme has hallucinated it or not (spoiler: it has):

https://news.ycombinator.com/item?id=46850317

muyuu|28 days ago

the main reason I'd want a person to write or at least curate readmes is because models have, at least for the time being, this tendency to make confident and plausible-sounding claims that are completely false (hallucination applied to claims on the stuff they just made)

so long as this is commonplace I'd be extremely sceptical of anything with some LLM-style readmes and docs

the caveats to this is that LLMs can be trained to fool people with human-sounding and imperfectly written readmes, and that although humans can quickly oversee that things compile and seem to produce the expected outputs, there's deeper stuff like security issues and subtle userspace-breaking changes

track-record is going to see its importance redoubled

raahelb|27 days ago

You will definitely like Josh Mock's recent post: https://joshmock.com/post/2026-agents-md-as-a-dark-signal/

pseudony|27 days ago

FWIW, this is a variation of the age-old thing about open source.

It isn’t “have it your way”, he graciously made code available, use it or leave it.

raincole|28 days ago

> I’d rather read a typo-ridden five line readme explaining the problem the code is there to solve for you and me,the humans, not dozens of lines of perfectly penned marketing with just the right number of emoji

Don't worry, bro. If enough people are like you, there will be fully automatic workflow to add typos into AI writing.

swyx|28 days ago

orrrr you could go the other way and read explicitly ai-generated docs that use the code as source of truth https://deepwiki.com/gavrielc/nanoclaw

popcorncowboy|28 days ago

> running it scares the crap out of me

A hundred times this. It's fine until it isn't. And jacking these Claws into shared conversation spaces is quite literally pushing the afterburners to max on simonw's lethal trifecta. A lot of people are going to get burned hard by this. Every blackhat is eyes-on this right now - we're literally giving a drunk robot the keys to everything.

charcircuit|28 days ago

It turns out the lethal trifecta is not so lethal. Should a business avoid hiring employees since technically employees can steal from the cash register. The lethal trifecta is about binary security. Either the data can be taken or it can't. This may be overly cautious. It may be possible that hiring an employee has a positive expected value when when you account for the possibility of one stealing from the cash register.

anabis|28 days ago

Maybe. People have run wildly insecure phpBB and Wordpress plugins, so maybe its the same cycle again.

TacticalCoder|28 days ago

I understand that things can go wrong and there can be security issues, but I see at least two other issues:

1. what if, ChadGPT style, ads are added to the answers (like OpenAI said it'd do, hence the new "ChadGPT" name)?

2. what if the current prices really are unsustainable and the thing goes 10x?

Are we living some golden age where we can both query LLMs on the cheap and not get ad-infected answers?

I read several comments in different threads made by people saying: "I use AI because search results are too polluted and the Web is unusable"

And I now do the same:

"Gemini, compare me the HP Z640 and HP Z840 workstations, list the features in a table" / "Find me which Xeon CPU they support, list me the date and price of these CPU when they were new and typical price used now".

How long before I get twelve ads along with paid vendors recommendations?

p0nce|27 days ago

If you peruse molthub and moltbook you'll see the agents have already built six or seven such social networks. It is terrifying.

esskay|27 days ago

Stupid stuff openclaw did for me:

- Created its own github account, then proceeded to get itself banned (I have no idea what it did, all it said was it created some new repos and opened issues, clearly it must've done a bit more than that to get banned)

- Signed up for a Gmail account using a pay as you go sim in an old android handset connected with ADB for sms reading, and again proceeded to get itself banned by hammering the crap out of the docs api

- Used approx $2k worth of Kimi tokens (Thankfully temporarily free on opencode) in the space of approx 48hrs.

Unless you can budget $1k a week, this thing is next to useless. Once these free offers end on models a lot of people will stop using it, it's obscene how many tokens it burns through, like monumentally stupid. A simple single request is over 250k chars every single time. That's not sustainable.

hitsmaxft|26 days ago

This kind of automated task, if not properly optimized, is basically a waste-of-money garbage software. Any bug can cause it to loop until all the money is spent.

andai|27 days ago

I installed it last night. Burned 7M tokens in 45 minutes. I don't even know how. There's no way to see what it's actually doing, as far as I can tell.

amircs|27 days ago

What was the task you asked it to do that it decided to do these?

ljm|27 days ago

YOLO is a bit of an understatement for this

arccy|27 days ago

filing spam issues can easily get the account banned if it annoys the wrong maintainers.

FergusArgyll|27 days ago

Did you give it your credit card?

Wouldn't a crypto wallet with a small amount deposited be smarter?

swordsith|27 days ago

> and again proceeded to get itself banned by hammering the crap out of the docs api

> Used approx $2k worth of Kimi tokens

Holy shit dude you really should rethink your life decisions this is NUTS

theptip|28 days ago

> AI-native. No installation wizard; Claude Code guides setup. No monitoring dashboard; ask Claude what's happening. No debugging tools; describe the problem, Claude fixes it.

> Skills over features. Contributors shouldn't add features (e.g. support for Telegram) to the codebase. Instead, they contribute claude code skills like /add-telegram that transform your fork.

I’m interested to see how this model pans out. I can see benefits (don’t carry complexity you don’t need) and costs (how do I audit the generated code?).

But it seems pretty clear that things will move in this direction in ‘26 with all the vibe coding that folks are enjoying.

I do wonder if the end state is more like a very rich library of composable high-order abstractions, with Skills for how to use them - rather than raw skills with instructions for how to lossily reconstruct those things.

charcircuit|28 days ago

I think the more interesting question is were tools the right abstraction. What is the implication of having only a single "shell" tool. Should the infinite possibilities to few happen by the AI having limited tools or should whatever the shell calls have the limitations applied there. Tools in a way are redundant.

thepoet|28 days ago

One of the things that makes Clawdbot great is the allow all permissions to do anything. Not sure how those external actions with damaging consequences get sandboxed with this.

Apple containers have been great especially that each of them maps 1:1 to a dedicated lightweight VM. Except for a bug or two that appeared in the early releases, things seem to be working out well. I believe not a lot of projects are leveraging it.

A general code execution sandbox for AI code or otherwise that used Apple containers is https://github.com/instavm/coderunner It can be hooked to Claude code and others.

jckahn|28 days ago

> One of the things that makes Clawdbot great is the allow all permissions to do anything.

Is this materially different than giving all files on your system 777 permissions?

sheepscreek|28 days ago

That was my line to the CS lab supervisor for handing me the superuser password. Guess what? He didn’t budge. Probably a good thing.

Lesson - never trust a sophomore who can’t even trust themselves (to get overly excited and throw caution to the wind).

Clawdbot is a 100 sophomores knocking on your door asking for the keys.

renewiltord|28 days ago

To be honest, when I see many vibecoded apps, I just build my own duplicate with Claude Code. It's not that useful to use someone else's vibecode. The idea is enough, or the evidence that it works for someone else means I can just build it myself with Claude Code and I can make it specific to my needs.

sanex|28 days ago

Yes exactly! Even non vibe coded libraries I think are losing their value as the cost of writing and maintaining your code goes to zero. Supply chain attacks are gone, no risk of license changes. No bloat from code you don't use. The code is the documentation and the configuration. The vibes are the package manager. That's why I like this version over openclaw. I can fork it as a starting point or just give it to Claude for inspiration but either way I'm getting something tailored exactly to me.

narmiouh|28 days ago

I feel like a lot of non technical people who are vibe coding or vibe using these models, focus on hallucinations and believe that as the hallucinations are reduced in benchmarks, and over estimate their ability to create safe prompts that will keep these models in line.

I think most people fail to estimate the real threat that malicious prompts can cause because it is not that common, its like when credit cards were launched, cc fraud and the various ways it could be perpetrated followed not soon after. The real threats aren’t visible yet but rest assured there are actors working to take advantage and many unfortunate examples will be seen before general awareness and precaution will prevail….

dceddia|28 days ago

This look nice! I was curious about being allowed to use a Claude Pro/Max subscription vs an API key, since there's been so much buzz about that lately, so I went looking for a solid answer.

Thankfully the official Agent SDK Quickstart guide says that you can: https://platform.claude.com/docs/en/agent-sdk/quickstart

In particular, this bit:

"After installing Claude Code onto your machine, run claude in your terminal and follow the prompts to authenticate. The SDK will use this authentication automatically."

joshstrange|28 days ago

But their docs also say:

> Unless previously approved, Anthropic does not allow third party developers to offer claude.ai login or rate limits for their products, including agents built on the Claude Agent SDK. Please use the API key authentication methods described in this document instead.

Which I have interpreted means that you can’t use your Claude code subscription with the agent SDK, only API tokens.

I really wish Anthropic would make it clear (and allow us to use our subscriptions with other tools).

jimminyx|28 days ago

OP here. Yes! This was a big motivation for me to try and build this. Nervous Anthropic is gonna shut down my account for using Clawdbot.

This project uses the Agents SDK so it should be kosher in regards to terms of service. I couldn't figure out how to get the SDK running inside the containers to properly use the authenticated session from the host machine so I went with a hacky way of injecting the oauth token into the container environment. It still should be above board for TOS but it's the one security flaw that I know about (malicious person in a WhatsApp group with you can prompt inject the agent to share the oauth key).

If anyone can help out with getting the authenticated session to work properly with the agents running in containers it would be much appreciated.

redfloatplane|28 days ago

Wow, thanks for posting that, news to me! In this case I don’t understand why there was a whole brouhaha with OpenClaw and the like - I guess they were invoking it without the official SDK? Because this makes it seem like if you have the sub you can build any agentic thing you like and still use your subscription, as long as you can install and login to Claude code on the machine running it.

redfloatplane|23 days ago

Ha. 4 days later it no longer says that and that doesn't appear to be supported anymore. Now the SDK requires an API key.

evrenesat|27 days ago

> No daemons, no queues, no complexity.

Last time I checked, having a continuously running background process considered as a daemon. Using SQLite as back-end for storing the jobs also doesn't make it queueless.

/nit

mark_l_watson|28 days ago

I like the idea of a smaller version of OpenClaw.

Minor nitpick, it looks like about 2500 lines of typescript (I am on a mobile device, so my LOC estimate may be off). Also, Apple container looks really interesting.

walterbell|28 days ago

> found it useful but running it scares

https://maordayanofficial.medium.com/the-sovereign-ai-securi...

  At least 42,665 instances are publicly exposed on the internet, with 5,194 instances actively verified as vulnerable through systematic scanning..  The narrative that “running AI locally = security and privacy” is significantly undermined when 93% of deployments are critically vulnerable. Users may lose faith in self-hosted alternatives.. Governments and regulators already scrutinizing AI may use this incident to justify restrictions on self-hosted AI agents, citing security externalities.

reassess_blind|27 days ago

What’s the difference between this, and just running Claude Code in —dangerously-skip-permissions mode in a container and accessing remotely via ssh?

I’m confused as to what these claw agents actually offer.

randomtoast|27 days ago

The README.md describes it as:

WhatsApp (baileys) --> SQLite --> Polling loop --> Container (Claude Agent SDK) --> Response

So they basically put a Wrapper around Claude in a Container, which allows you to send messages from WhatsApp to Claude, and act somewhat as if you had a Siri on steriods.

pulkas|27 days ago

This violates the Claude Code subscription terms of service, so please be careful.

This project violates Claude Code's Terms of Service by automating Claude to create an unattended chatbot service that responds to third-party messaging platforms (WhatsApp, and what you add ...).

  The exact issues:

  1. Automated, unattended usage - The system runs as a background service (launchd) that automatically responds to WhatsApp
  messages without human intervention (src/index.ts:549-574)

  2. Building a bot service - This creates a persistent bot that monitors messages and responds automatically, which violates restrictions on building derivative services on top of Claude

  3. Third-party platform integration - Connecting Claude to WhatsApp (or other messaging platforms) to create an automated
  assistant service isn't an authorized use case.

  The README itself reveals awareness of this issue at line 41:

  **No ToS gray areas.** Because it uses Claude Agent SDK natively with no hacks or workarounds, using your subscription with your auth token is completely legitimate (I think). No risk of being shut down for terms of service violations
  (I am not a lawyer).

  The defensive tone ("I think", "I am not a lawyer") indicates uncertainty about legitimacy. While using your own credentials doesn't automatically make automated bot services compliant—Anthropic's TOS restricts using their products to build automated chatbot services, regardless of authentication method.

  The core violation: transforming Claude Code into an automated bot service that operates without human intervention, which is explicitly prohibited.

jimminyx|27 days ago

Interesting. Again, not a lawyer, but all of this is a bit murky and not sure it applies.

1. Usage is not automated and unattended - it only responds to messages that are sent to it with a specific prefix "Andy:"

2. This is not a bot service. It is not crawling twitter and responding to posts. Hard to see how sending it messages through WhatsApp is any different than through ssh via the terminal

3. I don't think a custom piece of software running on my computer that pipes data from a program into the Agents SDK is a third party "platform" integration.

How is this different from running Agents SDK as part of a CI process?

srinath693|27 days ago

The "skills not features" contribution model is the most interesting part of this. Instead of a project that grows into another 52-module beast, contributors teach Claude how to transform the codebase per-user. It's basically contributing build instructions instead of build artifacts. If it actually works in practice, it's a genuinely novel approach to keeping small projects small.

jimminyx|26 days ago

Thanks! I believe that's where software is going. Just need Karpathy to give it a name so it can take off ;)

hitsmaxft|26 days ago

https://github.com/gavrielc/nanoclaw/commit/22eb5258057b49a0... Is this inserting an advertisement into the agent prompt?

treelover|28 days ago

Interesting choice to use native Apple Containers over Docker.

I assume this is to keep the footprint minimal on a Mac Mini without the overhead of the Docker VM, but does this limit the agent's ability to run standard Linux tooling? Or are you relying on the AI to just figure out the BSD/macOS equivalents of standard commands?

garblegarble|27 days ago

>does this limit the agent's ability to run standard Linux tooling? Or are you relying on the AI to just figure out the BSD/macOS equivalents of standard commands?

Slightly counterintuitively, Apple Containers spawns linux VMs.

There doesn't appear to be any way to spawn a native macOS container... which is a pity, it'd be nice to have ultra-low-overhead containers on macOS (but I suspect all the interesting macOS stuff relies on a bunch of services/gui access that'd make it not-lightweight anyway)

FYI: it's easy enough to install GNU tools with homebrew; technically there's a risk of problems if applications spawn commandline tools and expect the BSD args/output but I've not run into any issues in the several years I've been doing it).

selkin|28 days ago

Not sure if it's intended, but Apple Container is a microvm, providing mich better isolation than containers (while retaining the familiar interface)

ohyoutravel|28 days ago

[deleted]

cadamsdotcom|28 days ago

If only there were some way to answer your own question. Maybe with some kind of engine that searches.

avaer|28 days ago

  Quick Start
  git clone https://github.com/anthropics/nanoclaw.git

Is this an official Anthropic project? Because that repo doesn't exist.

Or is this just so hastily thrown together that the Quick Start is a hallucination?

That's not a facetious question, given this project's declared raison d'etre is security and the subtle implication that OpenClaw is an insecure unreviewed pile of slop.

jimminyx|28 days ago

Fixed, thanks. Claude Code likes to insert itself and anthropic everywhere.

If it somehow wasn't abundantly clear: this is a vibe coded weekend project by a single developer (me).

It's rough around the edges but it fits my needs (talking with claude code that's mounted on my obsidian vault and easily scheduling cron jobs through whatsapp). And I feel a lot better running this than a +350k LOC project that I can't even begin to wrap my head around how it works.

This is not supposed to be something other people run as is, but hopefully a solid starting point for creating your own custom setup.

kklisura|28 days ago

Claude hallucinated that repo here in this commit https://github.com/gavrielc/nanoclaw/commit/dbf39a9484d9c66b...

raybb|28 days ago

Seems to be fixed now

eskaytwo|28 days ago

Thanks! Was hoping someone would do something more sane like this.

Openclaw is very useful, but like you I share the sentiment of it being terrifying, even before you introduce the social network aspect.

My Mac mini is currently literally switched off for this very reason.

prophesi|28 days ago

Am I correct that after cloning down the project, you open the directory in Claude Code, then "execute" a markdown file instructing a nondeterministic LLM to set everything up for you in natural language?

Spacemolte|27 days ago

The premise of the project is he doesn't want to run code he doesn't know + in an insecure way, so having the setup step to install dependencies etc, done by an LLM seems like an odd choice. Like what part about the setup step is so fluffy and different per environment, that using an LLM for it makes sense?

te_chris|28 days ago

Posthog is doing this now for project setup

sothatsit|28 days ago

The idea of avoiding config files, and having the config be getting your agent to modify its own codebase, is fascinating.

My gut reaction says that I don't like it, but it is such an interesting idea to think about.

river_otter|27 days ago

Great idea and name the danger here which I'll be interested to track is how do you keep this "nano"? Since it's built for you, you'll continue adding features i assume which over time will make this not very nano. I guess I'm wondering if there could be some small design tweaks of the repo that make this usable as a long term "fork the base and make it your own" concept

jimminyx|26 days ago

I will keep the source code as a minimal implementation that has the core capabilities that made Clawdbot/OpenClaw useful: chat with it via messaging app (only one channel included out of the box), memory (minimal implementation that leverages CLAUDE.md and the filesystem), cron jobs, browser.

If I want to add additional capabilities for myself, I'll contribute them to the project as skills for claude code to modify the code base, rather than directly to the source. I actually want to reduce the size of the base implementation and have a PR open to strip out 300-400 LOC

stronglikedan|27 days ago

A personal implementation will always be "nano" compared to the full OpenClaw suite. As with literally everything, it's all relative.

deadbabe|27 days ago

To those who complain about these bots and the security concerns they raise, you basically have two options:

1. You can live in the future, and be at the bleeding edge of the latest AI tech, reaping the benefits. Be part of the solution.

2. You can stay in the past and get left behind, at the mercy of those who took the risks.

mathfailure|27 days ago

The 2. Thank you.

chaostheory|28 days ago

For anyone else worried about running openclaw, in my case I just bought openclaw its Mac mini and I gave openclaw its own accounts including GitHub. It makes many of the security concerns moot. Of course, I could go further and give openclaw its own internet access as well.

aitchnyu|27 days ago

That Baileys api for Whatsapp may (AFAICT) put you in thin ice with Meta. Is there a cheap legit alternative?

https://baileys.wiki/docs/intro/

dandaka|27 days ago

I was using WAHA. It is an abstraction layer with a proper API on top. It supports many engines like Baileys and Whatsmeow (golang).

Unfortunately, all those solutions are shaky and could lead to a ban on your account.

https://waha.devlike.pro/

unknown|28 days ago

[deleted]

cyanydeez|28 days ago

The singularity, but instead successive exponential improvement, its excessive exponential slop which passes the Turing test for programmers.

ed_mercer|28 days ago

If you run openclaw on a spare laptop or VM and give it read only access to whatever it needs, doesn’t that eliminate most of the risk?

AlexCoventry|28 days ago

If you're letting it communicate with the outside world, you risk the leak and abuse of anything sensitive in the data it has access to.

retired|27 days ago

I looked at Clawdbot. Perhaps my life is so boring that managing it takes little time but I see zero reasons to run it.

written-beyond|27 days ago

I read your comment, then your username. I CAN'T BELIEVE THIS USERNAME WAS CLAIMED 14 DAYS AGO! Good catch!

ramoz|27 days ago

Not seeing how the sandbox prevents anything really. The point of OpenClaw is to connect out to different systems.

FreePalestine1|27 days ago

Sure but at least it protects against unauthorized free-for-all access on your host system. If you want to explicitly give it access to external APIs over the internet that's a risk you personally are taking. It's really smart to run something like this in a sandbox, especially in the current beta/experimentation phase.

Johnny_Bonk|28 days ago

Can you use MCP tools? I saw that with open claw they moved away from that which I personally didn't like but

johntash|28 days ago

I somewhat like the idea of not using MCP as much as it is being hyped.

It's certainly helpful for some things, but at the same time - I would rather improved CLI tools get created that can be used by humans and llm tools alike.

unknown|28 days ago

[deleted]

CuriouslyC|28 days ago

It uses a wrapper in places to consume MCPs as clis.

nsonha|28 days ago

what's the difference between this and just exposing opencode running in colima or whatever through tailscale? I got the impression that Clawdbot adds the headless browser (does it?) and that's the value. Otherwise even "nano"claw seems like uneccessary bloat for me.

ivanstepanovftw|27 days ago

Where are those 500 lines of code?

QuadmasterXLII|27 days ago

Earlier that day: “hey Claude how many lines of code are in this project? 500? Great!”

suprstarrd|28 days ago

It blows my mind that this wasn't the thought process going in. Thank you for doing this!

ccheshirecat|27 days ago

i installed clawdbot twice but didn't really use it because i couldn't wrap my head around the skills and plugins, this looks so much more managable. and +1 for apple containers

elgrantomate|27 days ago

def appreciate this more compact approach; everything is an experiment rn.

I realize you used Claude Agent SDK on purpose but I'd really like to this to be agent agnostic. Maybe I'll figure that out...

moi2388|27 days ago

500 lines? Single files in that repo already have more than 500 lines.

Bnjoroge|28 days ago

Can we start putting disclaimers beside the title on AI-generated projects? Extremely fatiguing to read through it and realize it’s mostly LLM slop.

dsrtslnd23|28 days ago

can NanoClaw be used to participate in ClackerNews?

Tepix|28 days ago

A personal assistant that runs in the standard cloud (anthropic in this case) is madness. That‘s the hill I‘m willing to die on. Run it locally or use a cloud provider you can deeply trust.

singular_atomic|28 days ago

Hackernews needs a mute keywords feature. Clawd/molt-slop is mass AI psychosis on steroids.

fragmede|28 days ago

If only there was some sort of thing that would help you build that for yourself.

aaronbrethorst|28 days ago

lol, I might finally have to upgrade my Mac mini to Tahoe. Yofi.

MORPHOICES|27 days ago

[deleted]

maximgeorge|28 days ago

[deleted]

pillbitsHQ|28 days ago

[deleted]