Safely run AI agents

Agents that do real work need real constraints. Nanoclaw is built around isolation — agents run in hardware-isolated VMs, secrets never leave your device, and sensitive actions require biometric approval on your phone.


Isolated from the start

Every agent runs in a Firecracker microVM — its own kernel, its own filesystem, its own network namespace. Agents cannot access each other's memory, files, or processes. Compromise one agent, and the others are unaffected.

The agent VM boots in under a second and can be live-migrated to another host without dropping connections — overlay IP addresses follow the VM.


Your phone guards the keys

API keys and credentials live in your iPhone's Secure Enclave. When an agent needs to make an authenticated API call, the request is proxied through your phone. The secret is injected at the device — it never reaches the server, never touches the agent VM.

Agent → proxy request → your iPhone → authenticated call → API
                               ↑
                    Face ID required to access secret

The fallback path uses ECDH encryption: the device encrypts the secret with a session key, delivers it to the agent sidecar, and the sidecar decrypts it. Even this path never exposes the raw secret to the cloud.
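To make the fallback path concrete, here is an added Go example (not Nanoclaw's own code) of the exchange: the sidecar publishes an X25519 public key, the device generates an ephemeral key, derives a session key by ECDH and seals the secret under AES-GCM, and only the resulting envelope crosses the server. The key-derivation step (SHA-256 over the shared secret and a label), the label itself and every name here are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is all that travels over the untrusted path between phone and sidecar:
// an ephemeral public key and an AES-GCM ciphertext. The raw secret is never in it.
type Envelope struct {
	DevicePub  []byte // device's ephemeral X25519 public key
	Nonce      []byte
	Ciphertext []byte
}

// sessionAEAD runs X25519 between our private key and the peer's public key bytes,
// then derives an AES-256-GCM session key. Assumption: SHA-256 over
// (shared || label) stands in for whatever KDF the product actually uses.
func sessionAEAD(priv *ecdh.PrivateKey, peerBytes []byte) (cipher.AEAD, error) {
	peer, err := ecdh.X25519().NewPublicKey(peerBytes)
	if err != nil {
		return nil, err
	}
	shared, err := priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	h := sha256.New()
	h.Write(shared)
	h.Write([]byte("nanoclaw-fallback-example-v1")) // constructed domain label
	block, err := aes.NewCipher(h.Sum(nil))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Sidecar is the agent-side endpoint; its private key never leaves the sidecar.
type Sidecar struct{ priv *ecdh.PrivateKey }

func NewSidecar() (*Sidecar, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Sidecar{priv: priv}, nil
}

func (s *Sidecar) PublicKey() []byte { return s.priv.PublicKey().Bytes() }

// DeviceEncrypt runs on the phone after Face ID releases the secret: fresh
// ephemeral key, ECDH against the sidecar's key, seal with the session key.
func DeviceEncrypt(sidecarPub, secret []byte) (*Envelope, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	aead, err := sessionAEAD(eph, sidecarPub)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := aead.Seal(nil, nonce, secret, nil)
	return &Envelope{DevicePub: eph.PublicKey().Bytes(), Nonce: nonce, Ciphertext: ct}, nil
}

// Decrypt runs inside the sidecar. A tampered envelope, or one sealed for a
// different sidecar (different shared secret), fails GCM's tag check.
func (s *Sidecar) Decrypt(env *Envelope) ([]byte, error) {
	aead, err := sessionAEAD(s.priv, env.DevicePub)
	if err != nil {
		return nil, err
	}
	pt, err := aead.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("envelope rejected: tampered or addressed to another sidecar")
	}
	return pt, nil
}

func main() {
	sc, _ := NewSidecar()
	env, _ := DeviceEncrypt(sc.PublicKey(), []byte("sk-constructed-example-key"))
	pt, err := sc.Decrypt(env)
	fmt.Printf("sidecar recovered %q (err=%v); the server only saw %d ciphertext bytes\n", pt, err, len(env.Ciphertext))
}
```

The point to check in any such path is the one the text makes: the server relays `Envelope` values and never holds a key that opens them. The sidecar's private key stays in the VM, and the device's key is ephemeral, so a captured envelope is useless to whoever stores it.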


Data is tokenized before agents see it

When sensitive data (credit card numbers, SSNs, API keys, email addresses) appears in a prompt, Nanoclaw can replace it with a format-preserving surrogate token before the agent sees it. The agent works with the surrogate. The real value is restored on the way out.

This is configurable — run in monitor mode to see what would be tokenized without changing anything, or enforce mode to actually transform the data.
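As an added illustration (not the product's own tokenizer), the Go program below runs a small detector set in either mode: monitor reports the findings and leaves the prompt alone; enforce replaces each value with a shape-preserving surrogate held in a per-session vault and puts the real value back on the way out. The detector patterns, the surrogate method (random same-shape characters plus a lookup vault, rather than an FPE cipher such as FF1) and the sample prompt are all constructed for this example.

```go
package main

import (
	"fmt"
	"math/rand"
	"regexp"
	"strings"
)

type Mode int
const (
	Monitor Mode = iota // report what would be tokenized, change nothing
	Enforce             // replace each match with a format-preserving surrogate
)

type Finding struct{ Kind, Value string }

// One combined regex (patterns constructed for this example): the prompt is scanned
// in a single pass, so a surrogate written for one detector is never re-matched by another.
var combined = regexp.MustCompile(
	`(\b(?:\d{4}[- ]?){3}\d{4}\b)|(\b\d{3}-\d{2}-\d{4}\b)|(\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b)|(\bsk-[A-Za-z0-9]{8,}\b)`)
var kinds = []string{"credit_card", "ssn", "email", "api_key"} // one per capture group above

// Tokenizer is the per-session vault: same original, same surrogate; each surrogate maps back to one original.
type Tokenizer struct {
	mode    Mode
	rng     *rand.Rand
	forward map[string]string // original  -> surrogate
	reverse map[string]string // surrogate -> original
}

func NewTokenizer(mode Mode, seed int64) *Tokenizer {
	return &Tokenizer{mode: mode, rng: rand.New(rand.NewSource(seed)),
		forward: map[string]string{}, reverse: map[string]string{}}
}

// surrogate keeps the original's shape (digit for digit, letter for letter,
// punctuation untouched) so format checks downstream still pass.
func (t *Tokenizer) surrogate(orig string) string {
	if s, ok := t.forward[orig]; ok {
		return s
	}
	for {
		var b strings.Builder
		for _, r := range orig {
			switch {
			case r >= '0' && r <= '9':
				r = '0' + rune(t.rng.Intn(10))
			case r >= 'a' && r <= 'z':
				r = 'a' + rune(t.rng.Intn(26))
			case r >= 'A' && r <= 'Z':
				r = 'A' + rune(t.rng.Intn(26))
			}
			b.WriteRune(r)
		}
		if s := b.String(); s != orig && t.reverse[s] == "" {
			t.forward[orig], t.reverse[s] = s, orig
			return s
		}
	}
}

// Process scans one prompt: Monitor returns it unchanged plus findings; Enforce swaps in surrogates.
func (t *Tokenizer) Process(prompt string) (string, []Finding) {
	var out strings.Builder
	var findings []Finding
	last := 0
	for _, m := range combined.FindAllStringSubmatchIndex(prompt, -1) {
		kind := ""
		for i, k := range kinds {
			if m[2+2*i] >= 0 { // capture group i+1 is the one that matched
				kind = k
				break
			}
		}
		val := prompt[m[0]:m[1]]
		findings = append(findings, Finding{kind, val})
		out.WriteString(prompt[last:m[0]])
		if t.mode == Enforce {
			out.WriteString(t.surrogate(val))
		} else {
			out.WriteString(val)
		}
		last = m[1]
	}
	out.WriteString(prompt[last:])
	return out.String(), findings
}

// Restore puts the real values back on the way out of the agent.
func (t *Tokenizer) Restore(output string) string {
	for s, orig := range t.reverse {
		output = strings.ReplaceAll(output, s, orig)
	}
	return output
}

func main() {
	prompt := "Charge 4111 1111 1111 1111 for alice@example.com (SSN 123-45-6789), key sk-constructedKEY123"
	tok := NewTokenizer(Enforce, 1)
	safe, found := tok.Process(prompt)
	fmt.Println(safe)
	fmt.Println(len(found), "findings; restored intact:", tok.Restore(safe) == prompt)
}
```

Running the same prompt through `NewTokenizer(Monitor, 1)` yields the identical four findings with the text untouched, which is the safe way to tune the detectors before switching to enforce. The single-pass scan matters: tokenizing detector by detector would let one detector's surrogate be picked up by the next and break the restore step.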


Face ID for sensitive actions

When an agent requests something sensitive — a destructive operation, elevated permissions, access to a new external service, or a credential from your vault — a push notification goes to your iPhone. You see the full request and approve or deny with Face ID.

No action happens until you approve. The approval is cryptographically linked to your biometric.


Profiles limit what agents can do

Every agent runs with a declared access profile, enforced in the MCP tool layer:

An orchestrator-profile agent cannot grant another agent orchestrator-level tools. Privilege doesn't escalate without an explicit approval flow.
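The approval gate described in the two sections above (Face ID for sensitive actions, and profiles enforced in the tool layer), as one added Go example that is not Nanoclaw's own code: a request proceeds silently only when the tool is inside the agent's declared profile, is not destructive, and (for grants) would not raise the grantee above its own profile; anything else waits for a decision signed by the device key, bound to that exact request and spendable once. The profile table, tool names, request fields, and a P-256 key standing in for the Secure Enclave key are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Profile and tool names are constructed for this example (the page names only
// "orchestrator"); destructive tools need Face ID even when the profile includes them.
var profiles = map[string]map[string]bool{
	"worker":       {"calendar.read": true, "repo.read": true},
	"orchestrator": {"calendar.read": true, "repo.read": true, "repo.push": true, "tool.grant": true},
}
var destructive = map[string]bool{"repo.push": true}

// Request is what the tool layer evaluates and what the phone shows before Face ID.
type Request struct {
	ID             string `json:"id"`
	Profile        string `json:"profile"`
	Tool           string `json:"tool"`
	GrantTool      string `json:"grant_tool,omitempty"`      // tool.grant only: tool being granted
	GranteeProfile string `json:"grantee_profile,omitempty"` // tool.grant only: receiving agent's profile
}

// Approval is the device's signed decision over the exact request it displayed.
type Approval struct {
	Decision string
	Sig      []byte
}

func digest(r Request, decision string) []byte {
	b, _ := json.Marshal(r)
	sum := sha256.Sum256(append(b, []byte("|"+decision)...))
	return sum[:]
}

// NewDeviceKey models the phone's signing key; assumption: in the product it sits in the
// Secure Enclave and is usable only after Face ID succeeds.
func NewDeviceKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// PhoneApprove is the device side: Face ID passes, then the key signs (request, decision).
func PhoneApprove(key *ecdsa.PrivateKey, r Request, decision string) (*Approval, error) {
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest(r, decision))
	if err != nil {
		return nil, err
	}
	return &Approval{Decision: decision, Sig: sig}, nil
}

// Gate is the server-side check; it trusts the profile table and the device key, never the agent.
type Gate struct {
	devicePub *ecdsa.PublicKey
	used      map[string]bool // request IDs whose approval was already spent (replay guard)
}

func NewGate(pub *ecdsa.PublicKey) *Gate { return &Gate{devicePub: pub, used: map[string]bool{}} }

// needsApproval: tools outside the profile, grants that would raise the grantee above
// its own profile, and destructive tools all stop until the device approves.
func needsApproval(r Request) (bool, string) {
	switch {
	case !profiles[r.Profile][r.Tool]:
		return true, "tool outside declared profile"
	case r.Tool == "tool.grant" && !profiles[r.GranteeProfile][r.GrantTool]:
		return true, "grant would raise grantee above its profile"
	case destructive[r.Tool]:
		return true, "destructive operation"
	}
	return false, ""
}

// Authorize returns nil only when the request may proceed.
func (g *Gate) Authorize(r Request, a *Approval) error {
	need, why := needsApproval(r)
	if !need {
		return nil
	}
	switch {
	case a == nil:
		return fmt.Errorf("blocked (%s): awaiting Face ID", why)
	case a.Decision != "approve" || !ecdsa.VerifyASN1(g.devicePub, digest(r, a.Decision), a.Sig):
		return fmt.Errorf("no valid approval for this exact request")
	case g.used[r.ID]:
		return fmt.Errorf("approval already consumed")
	}
	g.used[r.ID] = true
	return nil
}

func main() {
	key, _ := NewDeviceKey()
	g := NewGate(&key.PublicKey)
	grant := Request{ID: "req-1", Profile: "orchestrator", Tool: "tool.grant", GrantTool: "repo.push", GranteeProfile: "worker"}
	fmt.Println("without approval:", g.Authorize(grant, nil))
	appr, _ := PhoneApprove(key, grant, "approve")
	fmt.Println("with approval:", g.Authorize(grant, appr))
}
```

Two details carry the "cryptographically linked" property: the signature covers the serialized request plus the decision, so an approval for one request cannot be reused for another or flipped from deny to approve, and the gate records spent request IDs so a captured approval cannot be replayed. A production gate would also bound the approval's lifetime with a server-stamped timestamp, which this example omits.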


What this means in practice

You can give an agent access to your calendar, code repository, or project tools — knowing that:

  1. The agent runs in an isolated VM, not on bare metal
  2. Credentials never leave your phone
  3. Sensitive data in prompts is tokenized before the LLM sees it
  4. Destructive or out-of-policy actions require your face

For the technical deep-dive on enclaves, VPod sidecars, FPE tokenization, and the RBAC model, see the security guides.