Run NanoClaw on MacBook Safely with Docker MicroVM Sandboxes
NanoClaw is the lightweight AI agent you can actually understand. Here's how to run it without betting your MacBook on it behaving perfectly.
There's a moment every developer hits when they first discover the Claw ecosystem. You read the README, you see it can browse the web, run shell commands, manage files, send messages on your behalf - and you think: this is incredible. Then you clone the repo, run the install script, and you're off.
Directly on your MacBook.
This is a mistake. Let me explain why - and show you a better path that takes about five minutes more.
A Quick Word on the Claw Ecosystem
If you've landed here without context, the "Claw" ecosystem is a family of open-source AI agent frameworks that have emerged in quick succession - each one a reaction to the last. OpenClaw is the TypeScript incumbent with 52+ modules and enterprise-grade features. PicoClaw rewrote it in Go. ZeroClaw pushed further in Rust. NullClaw went all the way to Zig - a 678 KB static binary that runs on a $5 board.
This post is specifically about NanoClaw: the one that takes a different approach entirely. Not faster. Not smaller. Simpler and more trustworthy.
Do check out this recent blog article my own Docker team member Oleg Selajev ~ https://www.docker.com/blog/run-nanoclaw-in-docker-shell-sandboxes/
What Makes NanoClaw Different
NanoClaw isn't trying to win the benchmark table. Its README makes the philosophy explicit:
"OpenClaw has 52+ modules, 8 config management files, 45+ dependencies. Security is application-level rather than OS isolation. NanoClaw gives you the same core functionality in a codebase you can understand in 8 minutes."
The architecture reflects this:
WhatsApp (baileys) --> SQLite --> Polling loop --> Container (Claude Agent SDK) --> Response
Four key files. One Node.js process. Agents running in actual Linux containers — Apple Container on macOS, Docker everywhere else — with explicit filesystem mounts per conversation. Not behind permission checks. OS-level isolation by default.
This is NanoClaw's answer to the security question that every Claw framework has to answer: security through smallness. If you can read the whole codebase in 8 minutes, you can actually audit what you're running.
What NanoClaw Can Do (And Why That's the Problem)
NanoClaw is a personal Claude-powered assistant that you talk to via WhatsApp. Out of the box it can:
- Read and write files in mounted directories
- Execute shell commands inside its container
- Browse the web and fetch content
- Run scheduled tasks that fire while you're asleep
- Manage per-conversation memory via SQLite
- Send messages back to you on WhatsApp
That's the whole point. And the power is the problem.
Even with NanoClaw's container-per-agent architecture, running the entire NanoClaw process natively on your Mac means the gateway itself - the Node.js process managing connections, routing messages, spawning containers — lives on your host. It has access to your Node.js environment, your npm global packages, your local filesystem outside the workspace.
One hallucinated command to the wrong path. One prompt injection from a website the agent browses. One scheduled task that fires at 3am and interprets "clean up old files" more aggressively than you intended.
Simon Willison, one of the most careful thinkers in the AI tools space, put it plainly: "I'm not brave enough to run OpenClaw directly on my Mac." The same caution applies to any agent framework with real system access - including NanoClaw.
The Better Path: Docker Shell Sandboxes + MicroVM
Docker Sandboxes adds a layer outside the application entirely. The shell sandbox type drops you into a MicroVM - a lightweight virtual machine with its own kernel, completely isolated from your host OS. The entire NanoClaw process - gateway, containers, everything - runs inside this VM. Your host machine never knows it's there.
This complements NanoClaw's own container isolation beautifully. NanoClaw isolates agents from each other inside the VM. The VM isolates NanoClaw from your Mac.
Prerequisites
- Docker Desktop 4.57 or later
- Docker Sandboxes v.0.12.0
- An Anthropic API key
Step 1 - Create the sandbox
mkdir -p ~/nanoclaw-workspace
docker sandbox create --name nanoclaw shell ~/nanoclaw-workspace
Step 2 - Connect into it
docker sandbox run nanoclaw
You're now inside the MicroVM. Everything from here runs in isolation — nothing touches your Mac.
Step 3 - Install Claude Code
Node.js 20 is pre-installed in the shell sandbox:
npm install -g @anthropic-ai/claude-code
Step 4 - Configure the credential proxy
This is the step that makes Docker Sandboxes genuinely clever. Your Anthropic API key never enters the MicroVM. The sandbox's network proxy intercepts outgoing API calls and swaps a sentinel value for your real key - nothing to steal even if the agent is compromised:
mkdir -p ~/.claude && cat > ~/.claude/settings.json << 'EOF'
{
"apiKeyHelper": "echo proxy-managed",
"defaultMode": "bypassPermissions",
"bypassPermissionsModeAccepted": true
}
EOF
Step 5 — Clone NanoClaw and install
cd ~/workspace
git clone https://github.com/gavrielc/nanoclaw.git
cd nanoclaw && npm install
Step 6 — Run setup
claude
Then run /setup. Claude Code walks you through WhatsApp QR pairing, container runtime selection (Apple Container or Docker), and everything else. Follow the prompts.
Step 7 — Start NanoClaw
npm start
NanoClaw is now running, listening for WhatsApp messages, inside a MicroVM. Your host machine is completely isolated from everything it does.
Managing the sandbox
docker sandbox ls # see running sandboxes
docker sandbox stop nanoclaw # stop NanoClaw
docker sandbox start nanoclaw # start it again
docker sandbox rm nanoclaw # remove entirely — clean slate
Why NanoClaw + Docker Sandboxes Is the Right Combination
NanoClaw's philosophy is security through smallness - a codebase you can audit, agents isolated in containers, no shared memory between conversations. Docker Sandboxes adds security through hardware isolation - a MicroVM boundary that no process inside can escape.
Together they cover both dimensions:
| Layer | What It Protects |
|---|---|
| NanoClaw's per-agent containers | Agents isolated from each other |
| Docker Sandboxes MicroVM | NanoClaw isolated from your Mac |
| Credential proxy | API keys never inside the VM |
| Approach | Isolation | Credential Safety | Blast Radius |
|---|---|---|---|
| NanoClaw native on Mac | App-level only | ⚠️ Keys on host | Your machine |
| NanoClaw in Docker Sandboxes | Kernel-level MicroVM | ✅ Proxy-managed | Near zero |
One More Thing
The hardest part of running AI agents safely isn't the technical setup. It's fighting the instinct to take shortcuts when something just works natively.
NanoClaw running directly on your Mac does just work - right up until it doesn't.
The MicroVM path takes five extra minutes. It adds one configuration step (the credential proxy). And it means you can experiment with a capable, WhatsApp-connected AI assistant without quietly betting your SSH keys and home directory on it behaving perfectly every single time.
It won't. Set up the sandbox.
