FRESH

Hacker News

Home

Show HN: NanoClaw – “Clawdbot” in 500 lines of TS with Apple container isolation

520 points by jimminyx

by hebejebelus

9 subcomments

I think these days if I’m going to be actively promoting code I’ve created (with Claude, no shade for that), I’ll make sure to write the documentation, or at the very least the readme, by hand. The smell of LLM from the docs of any project puts me off even when I like the idea of the project itself, as in this case. It’s hard to describe why - maybe it feels like if you care enough to promote it, you should care to try and actually communicate, person to person, to the human being promoted at. Dunno, just my 2c and maybe just my own preference. I’d rather read a typo-ridden five line readme explaining the problem the code is there to solve for you and me,the humans, not dozens of lines of perfectly penned marketing with just the right number of emoji. We all know how easy it is to write code these days. Maybe use some of that extra time to communicate with the humans. I dunno.
Edit: I see you, making edits to the readme to make it sound more human-written since I commented ;) https://github.com/gavrielc/nanoclaw/commit/40d41542d2f335a0...

by popcorncowboy

4 subcomments

> running it scares the crap out of me
A hundred times this. It's fine until it isn't. And jacking these Claws into shared conversation spaces is quite literally pushing the afterburners to max on simonw's lethal trifecta. A lot of people are going to get burned hard by this. Every blackhat is eyes-on this right now - we're literally giving a drunk robot the keys to everything.

by esskay

7 subcomments

Stupid stuff openclaw did for me:
- Created its own github account, then proceeded to get itself banned (I have no idea what it did, all it said was it created some new repos and opened issues, clearly it must've done a bit more than that to get banned)
- Signed up for a Gmail account using a pay as you go sim in an old android handset connected with ADB for sms reading, and again proceeded to get itself banned by hammering the crap out of the docs api
- Used approx $2k worth of Kimi tokens (Thankfully temporarily free on opencode) in the space of approx 48hrs.
Unless you can budget $1k a week, this thing is next to useless. Once these free offers end on models a lot of people will stop using it, it's obscene how many tokens it burns through, like monumentally stupid. A simple single request is over 250k chars every single time. That's not sustainable.

by theptip

1 subcomments

> AI-native. No installation wizard; Claude Code guides setup. No monitoring dashboard; ask Claude what's happening. No debugging tools; describe the problem, Claude fixes it.
> Skills over features. Contributors shouldn't add features (e.g. support for Telegram) to the codebase. Instead, they contribute claude code skills like /add-telegram that transform your fork.
I’m interested to see how this model pans out. I can see benefits (don’t carry complexity you don’t need) and costs (how do I audit the generated code?).
But it seems pretty clear that things will move in this direction in ‘26 with all the vibe coding that folks are enjoying.
I do wonder if the end state is more like a very rich library of composable high-order abstractions, with Skills for how to use them - rather than raw skills with instructions for how to lossily reconstruct those things.

by thepoet

2 subcomments

One of the things that makes Clawdbot great is the allow all permissions to do anything. Not sure how those external actions with damaging consequences get sandboxed with this.
Apple containers have been great especially that each of them maps 1:1 to a dedicated lightweight VM. Except for a bug or two that appeared in the early releases, things seem to be working out well. I believe not a lot of projects are leveraging it.
A general code execution sandbox for AI code or otherwise that used Apple containers is https://github.com/instavm/coderunner It can be hooked to Claude code and others.

by renewiltord

1 subcomments

To be honest, when I see many vibecoded apps, I just build my own duplicate with Claude Code. It's not that useful to use someone else's vibecode. The idea is enough, or the evidence that it works for someone else means I can just build it myself with Claude Code and I can make it specific to my needs.

by narmiouh

0 subcomment

I feel like a lot of non technical people who are vibe coding or vibe using these models, focus on hallucinations and believe that as the hallucinations are reduced in benchmarks, and over estimate their ability to create safe prompts that will keep these models in line.
I think most people fail to estimate the real threat that malicious prompts can cause because it is not that common, its like when credit cards were launched, cc fraud and the various ways it could be perpetrated followed not soon after. The real threats aren’t visible yet but rest assured there are actors working to take advantage and many unfortunate examples will be seen before general awareness and precaution will prevail….

by evrenesat

0 subcomment

> No daemons, no queues, no complexity.
Last time I checked, having a continuously running background process considered as a daemon. Using SQLite as back-end for storing the jobs also doesn't make it queueless.
/nit

by dceddia

3 subcomments

This look nice! I was curious about being allowed to use a Claude Pro/Max subscription vs an API key, since there's been so much buzz about that lately, so I went looking for a solid answer.
Thankfully the official Agent SDK Quickstart guide says that you can: https://platform.claude.com/docs/en/agent-sdk/quickstart
In particular, this bit:
"After installing Claude Code onto your machine, run claude in your terminal and follow the prompts to authenticate. The SDK will use this authentication automatically."

by mark_l_watson

0 subcomment

I like the idea of a smaller version of OpenClaw.
Minor nitpick, it looks like about 2500 lines of typescript (I am on a mobile device, so my LOC estimate may be off). Also, Apple container looks really interesting.

by walterbell

0 subcomment

> found it useful but running it scares

https://maordayanofficial.medium.com/the-sovereign-ai-securi...

  At least 42,665 instances are publicly exposed on the internet, with 5,194 instances actively verified as vulnerable through systematic scanning..  The narrative that “running AI locally = security and privacy” is significantly undermined when 93% of deployments are critically vulnerable. Users may lose faith in self-hosted alternatives.. Governments and regulators already scrutinizing AI may use this incident to justify restrictions on self-hosted AI agents, citing security externalities.

by srinath693

1 subcomments

The "skills not features" contribution model is the most interesting part of this. Instead of a project that grows into another 52-module beast, contributors teach Claude how to transform the codebase per-user. It's basically contributing build instructions instead of build artifacts. If it actually works in practice, it's a genuinely novel approach to keeping small projects small.

by pulkas

1 subcomments

This violates the Claude Code subscription terms of service, so please be careful.

This project violates Claude Code's Terms of Service by automating Claude to create an unattended chatbot service that responds to third-party messaging platforms (WhatsApp, and what you add ...).

  The exact issues:

  1. Automated, unattended usage - The system runs as a background service (launchd) that automatically responds to WhatsApp
  messages without human intervention (src/index.ts:549-574)

  2. Building a bot service - This creates a persistent bot that monitors messages and responds automatically, which violates restrictions on building derivative services on top of Claude

  3. Third-party platform integration - Connecting Claude to WhatsApp (or other messaging platforms) to create an automated
  assistant service isn't an authorized use case.

  The README itself reveals awareness of this issue at line 41:

  **No ToS gray areas.** Because it uses Claude Agent SDK natively with no hacks or workarounds, using your subscription with your auth token is completely legitimate (I think). No risk of being shut down for terms of service violations
  (I am not a lawyer).

  The defensive tone ("I think", "I am not a lawyer") indicates uncertainty about legitimacy. While using your own credentials doesn't automatically make automated bot services compliant—Anthropic's TOS restricts using their products to build automated chatbot services, regardless of authentication method.

  The core violation: transforming Claude Code into an automated bot service that operates without human intervention, which is explicitly prohibited.

by reassess_blind

1 subcomments

What’s the difference between this, and just running Claude Code in —dangerously-skip-permissions mode in a container and accessing remotely via ssh?
I’m confused as to what these claw agents actually offer.

by hitsmaxft

0 subcomment

https://github.com/gavrielc/nanoclaw/commit/22eb5258057b49a0... Is this inserting an advertisement into the agent prompt?

by treelover

4 subcomments

Interesting choice to use native Apple Containers over Docker.
I assume this is to keep the footprint minimal on a Mac Mini without the overhead of the Docker VM, but does this limit the agent's ability to run standard Linux tooling? Or are you relying on the AI to just figure out the BSD/macOS equivalents of standard commands?

by avaer

3 subcomments

```
  Quick Start
  git clone https://github.com/anthropics/nanoclaw.git
```
Is this an official Anthropic project? Because that repo doesn't exist.
Or is this just so hastily thrown together that the Quick Start is a hallucination?
That's not a facetious question, given this project's declared raison d'etre is security and the subtle implication that OpenClaw is an insecure unreviewed pile of slop.

by eskaytwo

0 subcomment

Thanks! Was hoping someone would do something more sane like this.
Openclaw is very useful, but like you I share the sentiment of it being terrifying, even before you introduce the social network aspect.
My Mac mini is currently literally switched off for this very reason.

by prophesi

2 subcomments

Am I correct that after cloning down the project, you open the directory in Claude Code, then "execute" a markdown file instructing a nondeterministic LLM to set everything up for you in natural language?

by sothatsit

0 subcomment

The idea of avoiding config files, and having the config be getting your agent to modify its own codebase, is fascinating.
My gut reaction says that I don't like it, but it is such an interesting idea to think about.

by river_otter

2 subcomments

Great idea and name the danger here which I'll be interested to track is how do you keep this "nano"? Since it's built for you, you'll continue adding features i assume which over time will make this not very nano. I guess I'm wondering if there could be some small design tweaks of the repo that make this usable as a long term "fork the base and make it your own" concept

by deadbabe

1 subcomments

To those who complain about these bots and the security concerns they raise, you basically have two options:
1. You can live in the future, and be at the bleeding edge of the latest AI tech, reaping the benefits. Be part of the solution.
2. You can stay in the past and get left behind, at the mercy of those who took the risks.

by chaostheory

0 subcomment

For anyone else worried about running openclaw, in my case I just bought openclaw its Mac mini and I gave openclaw its own accounts including GitHub. It makes many of the security concerns moot. Of course, I could go further and give openclaw its own internet access as well.

by aitchnyu

1 subcomments

That Baileys api for Whatsapp may (AFAICT) put you in thin ice with Meta. Is there a cheap legit alternative?
https://baileys.wiki/docs/intro/

0 subcomment

by cyanydeez

0 subcomment

The singularity, but instead successive exponential improvement, its excessive exponential slop which passes the Turing test for programmers.

by ramoz

1 subcomments

Not seeing how the sandbox prevents anything really. The point of OpenClaw is to connect out to different systems.

by retired

1 subcomments

I looked at Clawdbot. Perhaps my life is so boring that managing it takes little time but I see zero reasons to run it.

by ed_mercer

1 subcomments

If you run openclaw on a spare laptop or VM and give it read only access to whatever it needs, doesn’t that eliminate most of the risk?

by nsonha

0 subcomment

what's the difference between this and just exposing opencode running in colima or whatever through tailscale? I got the impression that Clawdbot adds the headless browser (does it?) and that's the value. Otherwise even "nano"claw seems like uneccessary bloat for me.

by Johnny_Bonk

3 subcomments

Can you use MCP tools? I saw that with open claw they moved away from that which I personally didn't like but

by ccheshirecat

0 subcomment

i installed clawdbot twice but didn't really use it because i couldn't wrap my head around the skills and plugins, this looks so much more managable. and +1 for apple containers

by ivanstepanovftw

1 subcomments

Where are those 500 lines of code?

by moi2388

0 subcomment

500 lines? Single files in that repo already have more than 500 lines.

by suprstarrd

0 subcomment

It blows my mind that this wasn't the thought process going in. Thank you for doing this!

by elgrantomate

0 subcomment

def appreciate this more compact approach; everything is an experiment rn.
I realize you used Claude Agent SDK on purpose but I'd really like to this to be agent agnostic. Maybe I'll figure that out...

by Bnjoroge

0 subcomment

Can we start putting disclaimers beside the title on AI-generated projects? Extremely fatiguing to read through it and realize it’s mostly LLM slop.

by dsrtslnd23

0 subcomment

can NanoClaw be used to participate in ClackerNews?

by Tepix

0 subcomment

A personal assistant that runs in the standard cloud (anthropic in this case) is madness. That‘s the hill I‘m willing to die on. Run it locally or use a cloud provider you can deeply trust.

by singular_atomic

1 subcomments

Hackernews needs a mute keywords feature. Clawd/molt-slop is mass AI psychosis on steroids.

by aaronbrethorst

0 subcomment

lol, I might finally have to upgrade my Mac mini to Tahoe. Yofi.

by MORPHOICES

0 subcomment

[dead]

by maximgeorge

0 subcomment

[dead]

by pillbitsHQ

0 subcomment

[dead]

by raphaelmolly8

0 subcomment

[dead]

by charliecs

0 subcomment

[dead]

by zizheruan

0 subcomment

[dead]

by fernandolugo

0 subcomment

[dead]