All apps · 0 apps
NanoClaw
Docker app from BitCryptic's 2nd Repository
Overview
NanoClaw is a lightweight, secure personal AI agent that runs on your own server.
It connects to Telegram and/or Matrix (E2EE) and runs every agent session
inside an isolated Docker container — so the AI only sees what you explicitly give it access to.
Built as a minimal alternative to OpenClaw/Clawdbot, NanoClaw has ~15 source files
you can actually read and understand. No complex config files — customise by
telling Claude Code what you want changed.
Features:
- Telegram and Matrix (E2EE) support
- Per-group isolated agent containers
- Scheduled tasks (morning briefings, weekly reviews, etc.)
- Web search and fetch
- Agent Swarms (teams of specialised agents)
- Memory via per-group CLAUDE.md files
Requirements:
- Anthropic API key (console.anthropic.com)
- Telegram bot token from @BotFather (for Telegram channel)
- Matrix homeserver account, e.g. self-hosted Synapse (for Matrix channel)
- Docker socket access (required for agent container isolation)
Messaging Channels:
At least one of Telegram or Matrix must be configured. Both can run simultaneously.
Telegram: Set TELEGRAM_BOT_TOKEN from @BotFather. After starting the container,
send /chatid to your bot and run the registration command — see the project README.
Matrix (E2EE): Set MATRIX_HOMESERVER_URL, MATRIX_BOT_USER_ID, and MATRIX_ACCESS_TOKEN.
MATRIX_BOT_PASSWORD is only needed once to bootstrap cross-signing keys and can
be removed after first successful start.
Optional Integrations:
- Tailscale — join your tailnet for secure private access
- Home Assistant — smart home control and automation
- Vikunja — task and project management
- Ollama / LiteLLM — local model inference
- Paperclip — AI agent orchestration
- UnraidClaw — manage your Unraid servers directly from chat
Project: https://github.com/qwibitai/nanoclaw
Unraid template: https://github.com/bitcryptic-gw/Unraid-nanoclaw
Support: https://forums.Unraid.net/topic/197773-support-nanoclaw-lightweight-secure-ai-agent-for-Unraid/
Readme
View on GitHub
An AI assistant that runs agents securely in their own containers. Lightweight, built to be easily understood and completely customized for your needs.
nanoclaw.dev •
docs •
中文 •
日本語 •
한국어 •
•
Why I Built NanoClaw
OpenClaw is an impressive project, but I wouldn't have been able to sleep if I had given complex software I didn't understand full access to my life. OpenClaw has nearly half a million lines of code, 53 config files, and 70+ dependencies. Its security is at the application level (allowlists, pairing codes) rather than true OS-level isolation. Everything runs in one Node process with shared memory.
NanoClaw provides that same core functionality, but in a codebase small enough to understand: one process and a handful of files. Agents run in their own Linux containers with filesystem isolation, not merely behind permission checks.
Quick Start
git clone https://github.com/nanocoai/nanoclaw.git nanoclaw-v2
cd nanoclaw-v2
bash nanoclaw.sh
nanoclaw.sh walks you from a fresh machine to a named agent you can message. It installs Node, pnpm, and Docker if missing, registers your Anthropic credential with OneCLI, builds the agent container, and pairs your first channel (Telegram, Discord, WhatsApp, or a local CLI). If a step fails, Claude Code is invoked automatically to diagnose and resume from where it broke.
Migrating from NanoClaw v1?
Run from a fresh v2 checkout next to your v1 install:
git clone https://github.com/nanocoai/nanoclaw.git nanoclaw-v2
cd nanoclaw-v2
bash migrate-v2.sh
migrate-v2.sh finds your v1 install (sibling directory, or NANOCLAW_V1_PATH=/path/to/nanoclaw), migrates state into the v2 checkout, then execs into Claude Code to finish the parts that need judgment (owner seeding, shared-memory migration, fork-customisation replay).
Run the script directly, not from inside a Claude session — the deterministic side needs interactive prompts and real shell I/O for Node/pnpm bootstrap, Docker, OneCLI, and the container build.
What it does: merges .env, seeds the v2 DB from registered_groups, copies group folders + session data + scheduled tasks, installs the channel adapters you select, copies channel auth state (including the Baileys keystore for WhatsApp — LID mapping is now resolved per-message by the Baileys v7 adapter, not migrated), builds the agent container.
What it doesn't: flip the system service. Pick "switch to v2" at the prompt, or do it manually after testing — your v1 install is left untouched.
See docs/v1-to-v2-changes.md for what's different and docs/migration-dev.md for development notes.
Philosophy
Small enough to understand. One process, a few source files and no microservices. If you want to understand the full NanoClaw codebase, just ask Claude Code to walk you through it.
Secure by isolation. Agents run in Linux containers and they can only see what's explicitly mounted. Bash access is safe because commands run inside the container, not on your host.
Built for the individual user. NanoClaw isn't a monolithic framework; it's software that fits each user's exact needs. Instead of becoming bloatware, NanoClaw is designed to be bespoke. You make your own fork and have Claude Code modify it to match your needs.
Customization = code changes. No configuration sprawl. Want different behavior? Modify the code. The codebase is small enough that it's safe to make changes.
AI-native, hybrid by design. The install and onboarding flow is an optimized scripted path, fast and deterministic. When a step needs judgment, whether a failed install, a guided decision, or a customization, control hands off to Claude Code seamlessly. Beyond setup there's no monitoring dashboard or debugging UI either: describe the problem in chat and Claude Code handles it.
Skills over features. Trunk ships the registry and infrastructure, not specific channel adapters or alternative agent providers. Channels (Discord, Slack, Telegram, WhatsApp, …) live on a long-lived channels branch; alternative providers (OpenCode, Ollama) live on providers. You run /add-telegram, /add-opencode, etc. and the skill copies exactly the module(s) you need into your fork. No feature you didn't ask for.
Best harness, best model. NanoClaw natively uses Claude Code via Anthropic's official Claude Agent SDK, so you get the latest Claude models and Claude Code's full toolset, including the ability to modify and expand your own NanoClaw fork. Other providers are drop-in options: /add-codex for OpenAI's Codex (ChatGPT subscription or API key), /add-opencode for OpenRouter, Google, DeepSeek and more via OpenCode, and /add-ollama-provider for local open-weight models. Provider is configurable per agent group.
What It Supports
- Multi-channel messaging — WhatsApp, Telegram, Discord, Slack, Microsoft Teams, iMessage, Matrix, Google Chat, Webex, Linear, GitHub, WeChat, and email via Resend. Installed on demand with
/add-<channel>skills. Run one or many at the same time. - Flexible isolation — connect each channel to its own agent for full privacy, share one agent across many channels for unified memory with separate conversations, or fold multiple channels into a single shared session so one conversation spans many surfaces. Pick per channel via
/manage-channels. See docs/isolation-model.md. - Per-agent workspace — each agent group has its own
CLAUDE.md, its own memory, its own container, and only the mounts you allow. Nothing crosses the boundary unless you wire it to. - Scheduled tasks: recurring jobs executed by the agent, with optional script gates that avoid waking it when there is no work
- Web access — search and fetch content from the web
- Container isolation — agents are sandboxed in Docker containers (macOS/Linux/WSL2)
- Credential security — agents never hold raw API keys. Outbound requests route through OneCLI's Agent Vault, which injects credentials at request time and enforces per-agent policies and rate limits.
- Agent templates: stamp a ready-to-run agent (instructions + MCP tools + skills, no secrets) from a reusable bundle via
ncl groups create --template <ref>. Templates load from the localtemplates/folder; populate it by hand or by copying from the public library. See docs/templates.md.
Usage
Talk to your assistant with the trigger word (default: @Andy):
@Andy send an overview of the sales pipeline every weekday morning at 9am (has access to my Obsidian vault folder)
@Andy review the git history for the past week each Friday and update the README if there's drift
@Andy every Monday at 8am, compile news on AI developments from Hacker News and TechCrunch and message me a briefing
From a channel you own or administer, you can manage groups and tasks:
@Andy list all scheduled tasks across groups
@Andy pause the Monday briefing task
@Andy join the Family Chat group
Customizing
NanoClaw doesn't use configuration files. To make changes, just tell Claude Code what you want:
- "Change the trigger word to @Bob"
- "Remember in the future to make responses shorter and more direct"
- "Add a custom greeting when I say good morning"
- "Store conversation summaries weekly"
Or run /customize for guided changes.
The codebase is small enough that Claude can safely modify it.
Contributing
Don't add features. Add skills.
If you want to add a new channel or agent provider, don't add it to trunk. New channel adapters land on the channels branch; new agent providers land on providers. Users install them in their own fork with /add-<name> skills, which copy the relevant module(s) into the standard paths, wire the registration, and pin dependencies.
This keeps trunk as pure registry and infra, and every fork stays lean — users get the channels and providers they asked for and nothing else.
RFS (Request for Skills)
No channel or provider skills are currently requested — propose one via an issue.
Requirements
- macOS or Linux (Windows via WSL2)
- Node.js 20+ and pnpm 10+ (the installer will install both if missing)
- Docker Desktop (macOS/Windows) or Docker Engine (Linux)
- Claude Code for
/customize,/debug, error recovery during setup, and all/add-<channel>skills
Architecture
messaging apps → host process (router) → inbound.db → container (Bun, Claude Agent SDK) → outbound.db → host process (delivery) → messaging apps
A single Node host orchestrates per-session agent containers. When a message arrives, the host routes it via the entity model (user → messaging group → agent group → session), writes it to the session's inbound.db, and wakes the container. The agent-runner inside the container polls inbound.db, runs the agent, and writes responses to outbound.db. The host polls outbound.db and delivers back through the channel adapter.
Two SQLite files per session, each with exactly one writer — no cross-mount contention, no IPC, no stdin piping. Channels and alternative providers self-register at startup; trunk ships the registry and the Chat SDK bridge, while the adapters themselves are skill-installed per fork.
For the full architecture writeup see docs/architecture.md; for the three-level isolation model see docs/isolation-model.md.
Key files:
src/index.ts— entry point: DB init, channel adapters, delivery polls, sweepsrc/router.ts— inbound routing: messaging group → agent group → session →inbound.dbsrc/delivery.ts— pollsoutbound.db, delivers via adapter, handles system actionssrc/host-sweep.ts— 60s sweep: stale detection, due-message wake, recurrencesrc/session-manager.ts— resolves sessions, opensinbound.db/outbound.dbsrc/container-runner.ts— spawns per-agent-group containers, OneCLI credential injectionsrc/db/— central DB (users, roles, agent groups, messaging groups, wiring, migrations)src/channels/— channel adapter infra (adapters installed via/add-<channel>skills)src/providers/— host-side provider config (claudebaked in; others via skills)container/agent-runner/— Bun agent-runner: poll loop, MCP tools, provider abstractiongroups/<folder>/— per-agent-group filesystem (CLAUDE.md, skills, container config)
FAQ
Why Docker?
Docker provides cross-platform support (macOS, Linux and Windows via WSL2) and a mature ecosystem.
Can I run this on Linux or Windows?
Yes. Docker is the default runtime and works on macOS, Linux, and Windows (via WSL2). Just run bash nanoclaw.sh.
Is this secure?
Agents run in containers, not behind application-level permission checks. They can only access explicitly mounted directories. Credentials never enter the container — outbound API requests route through OneCLI's Agent Vault, which injects authentication at the proxy level and supports rate limits and access policies. You should still review what you're running, but the codebase is small enough that you actually can. See the security documentation for the full security model.
Why no configuration files?
We don't want configuration sprawl. Every user should customize NanoClaw so that the code does exactly what they want, rather than configuring a generic system. If you prefer having config files, you can tell Claude to add them.
Can I use third-party or open-source models?
Yes. The supported path is /add-opencode (OpenRouter, OpenAI, Google, DeepSeek, and more via OpenCode config) or /add-ollama-provider (local open-weight models via Ollama). Both are configurable per agent group, so different agents can run on different backends in the same install.
For one-off experiments, any Claude API-compatible endpoint also works via .env:
ANTHROPIC_BASE_URL=https://your-api-endpoint.com
ANTHROPIC_AUTH_TOKEN=your-token-here
How do I debug issues?
Ask Claude Code. "Why isn't the scheduler running?" "What's in the recent logs?" "Why did this message not get a response?" That's the AI-native approach that underlies NanoClaw.
Why isn't the setup working for me?
If a step fails, nanoclaw.sh hands off to Claude Code to diagnose and resume. If that doesn't resolve it, run claude, then /debug. If Claude identifies an issue likely to affect other users, open a PR against the relevant setup step or skill.
How do I uninstall NanoClaw?
bash nanoclaw.sh --uninstall
Every install is tagged with a per-checkout id, so the uninstaller removes only what belongs to that copy: the background service, containers and image, app data and logs, your agents' files, and this copy's OneCLI vault agents. Shared things — the OneCLI app and your credentials, other NanoClaw copies on the machine — are left alone. It shows exactly what it found and asks for confirmation per group; nothing is deleted until you say yes. Use --dry-run to preview without changing anything, or --yes to skip the prompts. Your .env is backed up before removal. To finish, delete the checkout folder itself.
What changes will be accepted into the codebase?
Only security fixes, bug fixes, and clear improvements will be accepted to the base configuration. That's all.
Everything else (new capabilities, OS compatibility, hardware support, enhancements) should be contributed as skills: channel and provider code on the channels/providers registry branches, everything else as a self-contained skill. See docs/customizing.md and CONTRIBUTING.md.
This keeps the base system minimal and lets every user customize their installation without inheriting features they don't want.
Community
Questions? Ideas? Join the Discord.
Changelog
See CHANGELOG.md for breaking changes, or the full release history on the documentation site.
License
MIT
Install NanoClaw on Unraid in a few clicks.
Find NanoClaw in Community Apps on your Unraid server, review the template, and click Install. Unraid handles the Docker app or plugin setup from the published template.
Categories
Download Statistics
Related apps
Explore more like this
Explore allLinks
Details
bitcryptic/nanoclaw:latestRuntime arguments
- Network
bridge- Shell
sh- Privileged
- false
Template configuration
Required. Gives NanoClaw access to the host Docker daemon so it can spin up isolated agent containers for each conversation.
- Target
- /var/run/docker.sock
- Default
- /var/run/docker.sock
Persistent data: SQLite database, sessions, IPC, env copy.
- Target
- /app/data
- Default
- /mnt/cache/appdata/nanoclaw/data
Persistent store: registered groups, messages, scheduled tasks.
- Target
- /app/store
- Default
- /mnt/cache/appdata/nanoclaw/store
Per-group CLAUDE.md memory files and agent runner source.
- Target
- /app/groups
- Default
- /mnt/cache/appdata/nanoclaw/groups
NanoClaw service logs.
- Target
- /app/logs
- Default
- /mnt/cache/appdata/nanoclaw/logs
Required. Host path to the NanoClaw appdata directory. Must match the host-side path of the AppData volume mount so agent containers can resolve volume paths correctly.
- Default
- /mnt/cache/appdata/nanoclaw
Optional. Telegram bot token from @BotFather. Only required if using Telegram as a messaging channel — Matrix is the recommended primary channel.
URL of your Matrix homeserver, e.g. https://matrix.yourdomain.com. Required for Matrix channel support.
- Target
- MATRIX_HOMESERVER_URL
Full Matrix user ID for the bot account, e.g. @Andy:yourdomain.com. Required for Matrix channel support.
- Target
- MATRIX_BOT_USER_ID
Matrix access token for the bot account. Obtain via the Matrix login API or your client. Required for Matrix channel support.
- Target
- MATRIX_ACCESS_TOKEN
k2 Matrix account password — used once to bootstrap cross-signing keys. Can be removed after first successful bootstrap.
- Target
- MATRIX_BOT_PASSWORD
Anthropic API key from console.anthropic.com. Use this OR CLAUDE_CODE_OAUTH_TOKEN.
Claude Pro/Max subscription OAuth token. Use this OR ANTHROPIC_API_KEY. Obtain by running 'claude setup-token' with Claude Code installed.
Optional. URL of your OneCLI gateway instance. OneCLI is the upstream default credential provider for agent containers. Leave blank if using the native credential proxy skill instead (self-hosted alternative).
- Target
- ONECLI_URL
Optional. API key for your OneCLI gateway. Required only if ONECLI_URL is set. Leave blank if using the native credential proxy skill.
- Target
- ONECLI_API_KEY
Trigger word the assistant responds to. Default is @Andy. The assistant name is automatically derived from this — e.g. @Andy makes the assistant named Andy.
- Default
- @Andy
Whether the assistant requires the trigger word to respond. Set to false to respond to all messages without needing the trigger.
- Default
- true
Default model for agent containers. Per-group override via settings.json. Use model name with optional [1m] suffix for 1M context (Sonnet only). Examples: haiku, sonnet[1m], claude-opus-4-6
- Target
- NANOCLAW_AGENT_MODEL
- Default
- haiku
Default reasoning effort for agent containers. Per-group override via settings.json. Valid values: low, medium, high, max.
- Target
- NANOCLAW_AGENT_EFFORT
- Default
- medium
Additional volume mounts passed to agent containers. Format: hostpath:containerpath:ro,hostpath2:containerpath2:rw — e.g. /mnt/cache/logs:/central-logs:ro
Docker network for agent containers. Leave blank for default bridge. Set to a custom network name (e.g. ai-local) to isolate agent containers. The NanoClaw container itself must also be on this network.
- Default
- ai-local
UnraidClaw server config as JSON array. Example: [{"name":"unraid-syd","url":"https://unraid-syd:9876","apiKey":"YOUR_KEY"}]. Supports multiple servers.
OAuth client ID from login.tailscale.com/admin/settings/oauth. Used by the assistant to query the Tailscale API for device discovery, monitoring and ACL auditing.
- Target
- TS_API_CLIENT_ID
OAuth client secret from login.tailscale.com/admin/settings/oauth. Keep this masked — treated as a credential.
- Target
- TS_API_CLIENT_SECRET
Your Tailscale tailnet name. Found in the Tailscale admin console.
- Target
- TS_API_TAILNET
- Default
- your-tailnet.ts.net
URL of your Home Assistant instance. Use http://YOUR-UNRAID-IP:8123 if HA is on the same Unraid server.
- Target
- HA_URL
- Default
- http://homeassistant:8123
Long-lived access token from Home Assistant. Create at Profile → Long-Lived Access Tokens in HA.
- Target
- HA_TOKEN
URL of your Vikunja instance. Use http://vikunja:3456 if Vikunja is on the same Docker network as NanoClaw.
- Target
- VIKUNJA_URL
- Default
- http://vikunja:3456
Vikunja API token. Create at Settings → API Tokens in the Vikunja UI. Needs Projects (read), Tasks (read/write/update/delete), Task comments (read/write), Task assignees (read/write/delete), and User (read) permissions.
- Target
- VIKUNJA_TOKEN
Persistent Tailscale state directory. Prevents new node identity being created on each restart.
- Target
- /mnt/cache/appdata/nanoclaw/tailscale
- Default
- /mnt/cache/appdata/nanoclaw/tailscale
URL of your Ollama instance. Use http://ollama:11434 if Ollama is on the same Docker network as NanoClaw.
- Target
- OLLAMA_URL
- Default
- http://ollama:11434
Base URL for LiteLLM API. If set, enables the LiteLLM MCP skill for model discovery and Ollama sync.
- Target
- LITELLM_URL
- Default
- http://litellm:4000
Master key for LiteLLM model management API. Required for Ollama auto-sync into LiteLLM.
- Target
- LITELLM_MASTER_KEY
URL of your Paperclip instance. Use http://paperclip:3100 if on the same Docker network.
- Target
- PAPERCLIP_URL
- Default
- http://paperclip:3100
JWT secret from Paperclip for agent API auth. Found in Paperclip appdata at instances/default/.env
- Target
- PAPERCLIP_AGENT_JWT_SECRET
UUID of the NanoClaw agent in Paperclip. Found in Paperclip UI under Agents.
- Target
- PAPERCLIP_AGENT_ID
UUID of your Paperclip company. Found in Paperclip UI under Company settings or the URL.
- Target
- PAPERCLIP_COMPANY_ID
Bearer token Paperclip uses to authenticate heartbeat calls to NanoClaw.
- Target
- PAPERCLIP_WEBHOOK_SECRET
NanoClaw group folder that receives Paperclip tasks, e.g. telegram_1234567890.
- Target
- PAPERCLIP_GROUP_FOLDER
Port for the Paperclip webhook server. Default 3102.
- Target
- PAPERCLIP_WEBHOOK_PORT
- Default
- 3102
Internal credential proxy port used by agent containers to reach the Anthropic API. Only needs to be accessible on the local Docker bridge network. Change if port 3001 is already in use.
- Target
- 3001
- Default
- 3001
Paperclip webhook port for receiving heartbeats from Paperclip.
- Target
- 3102
- Default
- 3102