Should my business AI agent do this? NanoClaw and Vercel Launch Easier Agent Policy Configuration and Approval Dialogs Across 15 Messaging Apps

Over the past year, early adopters of autonomous AI agents have been forced to play a murky gamble: keep the agent in a useless sandbox or give it the keys to the kingdom and hope it doesn’t hallucinate a catastrophic “delete everything” command.

To unlock an agent’s true utility—scheduling meetings, triaging emails, or managing cloud infrastructure—users have had to grant these models raw API keys and broad permissions, increasing the risk of their systems being disrupted by an accidental agent failure.

This engagement ends today. The creators of the open source sandbox NanoClaw Agent Framework — now known under their new private startup called NanoCo — have announced a historic partnership with Vercell i OneCLI introduce a standardized approval system at infrastructure level.

By integrating Vercel’s Chat SDK and OneCLI’s open source credential box, NanoClaw 2.0 ensures that no sensitive action takes place without explicit human consent, delivered natively through the messaging apps where users already live.

The specific use cases that benefit the most are those that involve high-consequence “write” actions. That is, in DevOps, an agent might propose a change to cloud infrastructure that only goes live once a senior engineer taps “Approve” in Slack.

For finance teams, an agent could prepare batch payments or bill triage, and the final disbursement requires a human signature via a WhatsApp card.

Technology: safety by isolation

The fundamental change in NanoClaw 2.0 is the move from “application-level” security to “infrastructure-level” enforcement. In traditional agent frameworks, the model itself is often responsible for asking for permission, a flow that NanoCo co-founder Gavriel Cohen describes as inherently flawed.

“The agent could be malicious or compromised,” Cohen noted in a recent interview. “If the agent is generating the UI for the approval request, it could trick you by switching the ‘Accept’ and ‘Reject’ buttons.

NanoClaw solves this by running agents in strictly isolated Docker or Apple Containers. The agent never sees an actual API key; instead, it uses “placeholder” keys. When the agent attempts an exit request, the request is intercepted by the OneCLI Rust Gateway. The gateway checks a set of user-defined policies (for example, “Read-only access is fine, but sending an email requires approval”).

If the action is sensitive, the gateway pauses the request and triggers a notification to the user. Only after the user approves, the gateway injects the real encrypted credential and allows the request to reach the service.

Product: Put the “human” in the loop

While security is the engine, the Vercel Chat SDK is the dashboard. Integrating with different messaging platforms is notoriously difficult because each app (Slack, Teams, WhatsApp, Telegram) uses different APIs for interactive elements like buttons and cards.

Leveraging Vercel’s unified SDK, NanoClaw can now be deployed to 15 different channels from a single TypeScript code base. When an agent wants to perform a protected action, the user receives a rich interactive card on their phone. “Approval is displayed as a native rich card within Slack, WhatsApp or Teams, and the user taps once to approve or deny,” Cohen said. This “seamless UX” is what makes human supervision in the loop practical rather than a productivity bottleneck.

The full list of 15 supported messaging apps/channels contains many favored by business knowledge workers, including:

• False

• whatsapp

• telegram

• Microsoft Teams

• discord

• Google Chat

• iMessage

• Facebook Messenger

• Instagram

• X (Twitter)

• GitHub

• linear

• matrix

• Email

• webex

Background on NanoClaw

NanoClaw was released on January 31, 2026, as a minimalistic, security-focused answer to the “security nightmare” inherent in complex, unsandboxed agent frameworks.

Created by Cohen, a former Wix.com engineer, and marketed by his brother Lazer, CEO of B2B tech PR firm Specific mediathe project was designed to solve the auditability crisis found in competing platforms such as OpenClaw, which had grown to nearly 400,000 lines of code.

By contrast, NanoClaw condensed its core logic into roughly 500 lines of TypeScript, a size that, according to VentureBeat, allows a human or secondary AI to audit the entire system in roughly eight minutes.

The main technical defense of the platform is the use of isolation at the operating system level. Each agent is placed inside an isolated Linux container, using Apple Containers for high performance on macOS or Docker for Linux, to ensure that the AI ​​only interacts with directories explicitly mounted by the user.

As detailed in VentureBeat reports on the project’s infrastructurethis approach limits the “blast radius” of possible fast injections strictly to the container and its specific communication channel.

In March 2026, NanoClaw further matured this security posture an official partnership with software container firm Docker to run agents inside “Docker Sandboxes”.

This integration uses MicroVM-based isolation to provide an enterprise-ready environment for agents who, by their very nature, must mutate their environments by installing packages, modifying files, and launching processes—actions that often break traditional container immutability assumptions.

Operationally, NanoClaw rejects the traditional “feature-rich” software model in favor of a “Skills over Features” philosophy. Instead of maintaining a master branch bloated with dozens of unused modules, the project encourages users to contribute “Skills,” modular instructions that teach a local AI assistant how to transform and customize the code base for specific needs, such as adding support for Telegram or Gmail.

This methodology, as described on the NanoClaw website and in VentureBeat interviews, ensures that users maintain only the exact code needed for their specific implementation.

Additionally, the framework natively supports “Agent Swarms” via the Anthropic Agent SDK, allowing specialized agents to collaborate in parallel while maintaining isolated memory contexts for different business functions.

Licensing and open source strategy

NanoClaw remains strongly committed to the open source MIT license, encouraging users to fork the project and customize it to their own needs. This contrasts with “monolithic” frameworks.

NanoClaw’s code base is remarkably lean, consisting of just 15 source files and roughly 3,900 lines of code, compared to the hundreds of thousands of lines found in competitors like OpenClaw.

The partnership also highlights the strength of the “Open Source Avengers” coalition.

By combining NanoClaw (agent orchestration), Vercel Chat SDK (UI/UX), and OneCLI (security/secrets), the project demonstrates that modular and open source tools can outperform proprietary labs in building the application layer for AI.

Community reactions

As shown on the NanoClaw website, the project has accumulated over 27,400 stars on GitHub and maintains an active Discord community.

A key claim on the NanoClaw site is that the codebase is small enough to understand in “8 minutes,” a feature aimed at security-conscious users who want to audit their wizard.

In an interview, Cohen noted that iMessage support through Vercel’s Photon project addresses a common community hurdle: Previously, users often had to maintain a separate Mac Mini to connect agents to an iMessage account.

The Enterprise Perspective: Should You Adopt?

For companies, NanoClaw 2.0 represents a shift from speculative experimentation to safe operation.

Historically, IT departments have blocked the use of agents due to the “all-or-nothing” nature of credential access. By decoupling the agent from secrecy, NanoClaw provides a middle ground that mirrors existing corporate security protocols, specifically the principle of least privilege.

Companies should consider this framework if they require high auditability and have strict compliance needs regarding data exfiltration. According to Cohen, many companies have been unwilling to grant agents access to calendars or emails due to security concerns. This framework addresses this by ensuring that the agent is structurally unable to act without permission.

Businesses will specifically benefit in use cases involving “high-risk” actions. As illustrated in the OneCLI dashboard, a user can set a policy where an agent can freely read emails, but must trigger a manual approval dialog to “delete” or “send” one.

Because NanoClaw runs as a single Node.js process with isolated containers, it allows enterprise security teams to verify that the gateway is the only path for outbound traffic. This architecture transforms AI from an unsupervised operator to a supervised junior staff, providing the productivity of autonomous agents without giving up executive control.

All in all, NanoClaw is a recommendation for organizations that want the productivity of autonomous agents without the “black box” risk of traditional LLM wrappers. It turns the AI ​​from a potentially rogue operator into a highly capable junior staff that always asks for permission before hitting the “submit” or “buy” button.

As native AI configurations become the standard, this partnership sets the model for how trust will be managed in the age of the autonomous workforce.