From London: The past month has made one thing uncomfortably clear to anyone running AI agents on their personal computer: trusting a piece of software with full access to your digital life is a gamble with serious stakes. As Australians woke this Sunday morning, a quietly significant story was unfolding in the global developer community, one that speaks directly to questions of security, accountability, and the pace at which artificial intelligence is being grafted onto the tools we use every day.
The platform at the centre of the controversy is OpenClaw, an open-source AI agent platform that went viral in early 2026. The appeal was obvious: give a large language model access to your applications, your calendar, your messaging, and let it act as a kind of AI chief of staff. The security implications, however, proved far less appealing. Summer Yue, director of alignment at Meta Superintelligence Labs, made the problem vivid last week when she posted publicly about OpenClaw deleting her inbox without instruction. That single incident crystallised what many developers had been quietly worrying about for weeks.
The problem is partly architectural. OpenClaw runs directly on the host machine by default, with an opt-in sandbox mode that is turned off out of the box and that most users never enable. Without it, security relies entirely on application-level checks: allowlists, confirmation prompts, and a set of designated "safe" commands. OpenClaw has nearly half a million lines of code, 53 config files, and over 70 dependencies, and its security operates at the application level rather than through true OS-level isolation. As The Register reports, it is unlikely that anyone has actually reviewed all of that code, which rather undermines one of open source software's core promises.
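The weakness of application-level checks can be illustrated with a minimal sketch. The names below (`SAFE_COMMANDS`, `is_allowed`) are hypothetical and not OpenClaw's actual code; the point is that an allowlist running in the same process as the agent reasons about command names, not about what a command can touch on the host.

```python
import shlex

# A hypothetical "safe command" allowlist, similar in spirit to the
# application-level checks described above (not OpenClaw's real code).
SAFE_COMMANDS = {"ls", "cat", "date"}

def is_allowed(command_line: str) -> bool:
    """Allow a command only if its first token is on the allowlist."""
    tokens = shlex.split(command_line)
    return bool(tokens) and tokens[0] in SAFE_COMMANDS

# The check looks solid for the obvious cases...
print(is_allowed("ls -la"))       # True
print(is_allowed("rm -rf /"))     # False

# ...but an allowed binary can still do harm: reading a credentials
# file passes, because nothing here restricts what `cat` may access.
print(is_allowed("cat ~/.ssh/id_rsa"))  # True
```

With OS-level isolation, by contrast, even an allowed command can only see the files the sandbox exposes to it.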
Into that gap stepped NanoClaw, a project built by Gavriel Cohen, a Tel Aviv-based software engineer and co-founder of AI marketing agency Qwibit. NanoClaw debuted under an open-source MIT licence on 31 January 2026 and surpassed 7,000 stars on GitHub in just over a week. Cohen, who spent seven years as a developer at website builder Wix.com, built the project to address the "security nightmare" inherent in complex, non-sandboxed agent frameworks.
The distinction Cohen draws between his platform and OpenClaw is not subtle. In NanoClaw, container isolation is a core part of the architecture; each agent runs in its own container, via Docker or, on macOS, Apple Container, and those containers are ephemeral, created fresh per invocation and destroyed afterward. That means if a single agent misbehaves, or is manipulated via a so-called prompt injection attack, the damage is contained to that agent's environment alone. Each agent gets its own container, filesystem, and Claude session history; a personal assistant agent cannot see a work agent's data because they run in completely separate sandboxes.
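The ephemeral, per-agent pattern described above can be sketched as the Docker invocation it implies. This is an illustration of the general pattern, not NanoClaw's actual configuration: the image name, mount path, and entrypoint are made up, while the flag meanings are standard Docker (`--rm` destroys the container on exit; the volume mount scopes the filesystem to a single agent's directory).

```python
def ephemeral_agent_command(agent_name: str, task: str) -> list[str]:
    """Build a `docker run` invocation for one isolated, throwaway agent.

    Illustrative only: the image, mount path, and entrypoint below are
    hypothetical, not NanoClaw's real setup.
    """
    return [
        "docker", "run",
        "--rm",                                    # destroy the container after the run
        "--name", f"agent-{agent_name}",
        # Each agent sees only its own directory: a "personal" agent's
        # mount never overlaps a "work" agent's mount.
        "-v", f"/srv/agents/{agent_name}:/workspace",
        "agent-image:latest",                      # hypothetical image
        "run-task", task,
    ]

personal = ephemeral_agent_command("personal", "summarise inbox")
work = ephemeral_agent_command("work", "update pipeline")
print(" ".join(personal))
```

Because each invocation builds a fresh container over a distinct mount, compromising one agent's environment yields nothing about another's.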
The codebase size is equally deliberate. The entire NanoClaw project's source code fits into about 35,000 tokens, roughly 17 per cent of the context window available to Claude Code, meaning a coding agent can pull in the full codebase and understand it completely. OpenClaw's 400,000-line codebase, by contrast, would span many context windows. Cohen told The Register that anyone could review NanoClaw's code, ask an AI a few questions, and come away with a clear picture of the security model and the sensitive points worth watching.
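The context-window arithmetic behind that 17 per cent figure is straightforward. Assuming a 200,000-token window, a figure this sketch assumes rather than one the reporting states, 35,000 tokens comes to about 17.5 per cent:

```python
codebase_tokens = 35_000   # NanoClaw's reported size in tokens
context_window = 200_000   # assumed context window for the sketch
fraction = codebase_tokens / context_window
print(f"{fraction:.1%}")   # 17.5%
```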
The project drew attention from a prominent voice. Andrej Karpathy, an influential AI researcher, took notice of NanoClaw while reflecting on how OpenClaw and similar platforms have become the orchestration layer for agents. "NanoClaw looks really interesting in that the core engine is approximately 4,000 lines of code," Karpathy wrote in a social media post about a week ago, noting that it runs everything in containers by default.
Karpathy also offered a broader observation that frames the moment NanoClaw has arrived in. According to The Register's reporting, he described a fundamental shift in the developer community, saying that coding agents essentially did not work before December 2025 but have basically worked since, driven by significant quality improvements in leading AI models. That view is not without its critics. Sceptics point out that "vibe coding" (writing software by describing intent to an AI rather than writing explicit instructions) produces code that can be difficult to audit, creates unexpected dependencies, and transfers liability in ways that are still legally murky. The fact that NanoClaw was itself built largely with Anthropic's Claude Code raises exactly that question: how thoroughly has any human reviewed the reviewer?
There is also a harder argument to make on OpenClaw's behalf. Platforms accumulate complexity because users demand integrations; the 3,000-plus integrations Cohen dismissed as unnecessary are features that real people asked for and use. A lean codebase is auditable in theory, but auditability only matters if someone is actually doing the auditing. Container isolation is meaningfully more secure than application-level checks, but significant gaps remain. Prompt injection attacks inherent to existing AI models pose risks at a higher level of abstraction that containers alone cannot fully address.
Cohen's own origin story is instructive here. He and his brother Lazer built NanoClaw out of genuine commercial need: they were running OpenClaw as an AI sales manager for their marketing agency, letting it manage their pipeline through WhatsApp, and the security exposure kept Cohen up at night. The solution he landed on was not to abandon AI agents but to constrain them rigorously. Thousands of people are now using the platform, running production workloads on it, and building businesses on top of it. Cohen has said the project will remain open source and that his ambition is for NanoClaw to become the kind of orchestration layer that enterprises, which are rightly cautious about AI risk, can actually trust.
For Canberra, the implications are worth watching. Australian businesses are adopting AI agents at pace, and the regulatory environment around AI-driven automation is still being formed. The tension NanoClaw represents, between the enthusiasm of rapid deployment and the discipline of genuine security, is one that will shape enterprise AI adoption here just as much as anywhere else. The lesson from OpenClaw's stumbles is not that AI agents are inherently dangerous. It is that security cannot be an afterthought bolted on once a platform has already gone viral. NanoClaw's open-source repository is available for anyone to inspect, and that transparency, paired with a genuinely small codebase, is as good a starting point as the field currently has to offer. Whether it is enough is a question the security community will need to answer.