OpenClaw vs NanoClaw vs PicoClaw vs ZeroClaw: AI Agent Frameworks Compared (2026)
In early 2026, AI agent frameworks exploded. The idea is simple: give an LLM the ability to run shell commands, read and write files, browse the web, and connect to your messaging apps — then let it act autonomously on your behalf.
OpenClaw started the wave. Within weeks, it had over 200,000 GitHub stars and tens of thousands of deployments. Then came the security incidents. And then came the alternatives.
This post covers the major frameworks in the “claw” ecosystem — what they do, how they differ, and what the security picture looks like for each.
OpenClaw — The One That Started It All
Language: TypeScript | Stars: 247k+ | Created by: Peter Steinberger
OpenClaw is the original open-source AI agent framework. It provides a messaging-style UI, supports 15+ communication channels (WhatsApp, Telegram, Discord, Slack, and more), and has a plugin ecosystem called ClawHub with thousands of community-built “skills.”
The feature set is broad: tool execution, web browsing, file management, memory, scheduled tasks, and multi-model support. You can run it locally or on a VPS, point it at your preferred LLM provider, and connect it to your chat apps.
It is, by far, the most popular framework in this space. It’s also the one with the most documented security problems.
The Security Crisis
OpenClaw’s security story in early 2026 has been rough. Here are the highlights:
9 CVEs and counting. The most critical, CVE-2026-25253 (CVSS 8.8), is a one-click remote code execution chain. If a developer visits an attacker-controlled website, JavaScript on that page can open a WebSocket connection to the local OpenClaw gateway, brute-force the authentication (no rate limiting), and gain full control of the machine. Other CVEs cover sandbox escapes, command injection, SSRF, authentication bypasses, and path traversal. Three of these have public exploit code.
The ClawHavoc supply chain attack. Starting January 27, 2026, researchers discovered over 1,184 malicious skills in ClawHub — roughly 1 in 5 packages in the registry. The campaign delivers Atomic Stealer (AMOS) malware targeting credentials, browser data, and crypto wallets. Attack techniques include fake error messages with base64-encoded commands, dormant payloads triggered by specific prompts, and credential harvesting from plaintext config files.
135,000+ exposed instances. SecurityScorecard found over 135,000 OpenClaw instances exposed to the public internet across 82 countries. The root cause: the default configuration binds to 0.0.0.0:18789, listening on all network interfaces. Over 15,000 of these are directly vulnerable to RCE.
36% of skills contain prompt injection. A Snyk audit of 3,984 ClawHub skills found 1,467 malicious payloads. 91% combine prompt injection with traditional malware, and 2.9% dynamically fetch and execute content from external endpoints at runtime.
OpenClaw has responded with mandatory authentication, VirusTotal-based skill scanning, and several patch releases. But the structural challenges — a massive attack surface, a permissive plugin ecosystem, and default-insecure configuration — remain.
Bottom line: OpenClaw has the largest ecosystem and the most features. It also has the most documented vulnerabilities. If you use it, lock down the network binding, enable authentication, audit every skill you install, and stay current on patches.
NanoClaw — Security Through Simplicity
Language: TypeScript | Stars: 7k+ | Created by: Gavriel Cohen
NanoClaw was built in a weekend after its creator learned about OpenClaw’s security problems. The thesis: if the entire codebase is small enough to audit, and every agent runs in an isolated container, most of OpenClaw’s vulnerability classes simply don’t apply.
The core engine is roughly 500 lines of TypeScript across a handful of files. It runs on Anthropic’s Claude Agent SDK, meaning agents execute as Claude Code sessions inside Linux containers (Apple Container on macOS, Docker on Linux). Each conversation gets its own container with isolated filesystem, process space, and network.
Architecture
- Container-first: Every agent session runs in an isolated container. Agents can only access explicitly mounted directories. No ambient filesystem access.
- Deny-by-default: Allowlists with symlink escape detection. Containers run as non-root with read-only project mounts.
- Secret handling: API keys passed via stdin JSON, never loaded into
process.env. - Memory: SQLite-backed persistence for messages, sessions, and scheduled tasks. Each conversation gets its own
CLAUDE.mdmemory file.
Features
WhatsApp is built in (via the Baileys library with QR code pairing). Other channels — Telegram, Discord, Slack, Signal — are added through Claude Code skills. It supports agent swarms (teams of specialized agents collaborating), scheduled cron tasks, and web browsing via containerized Chromium.
Trade-offs
NanoClaw is intentionally limited. No plugin marketplace means no supply chain attack surface, but it also means fewer pre-built integrations. The Claude Agent SDK dependency means you’re locked to Anthropic’s models. And the small codebase, while auditable, means fewer features out of the box.
Bottom line: NanoClaw trades ecosystem breadth for security and auditability. If you want an AI agent you can actually understand end-to-end, and you’re already using Claude, it’s a strong choice.
PicoClaw — AI Agents on $10 Hardware
Language: Go | Stars: 12k+ | Created by: Sipeed
PicoClaw answers a different question: what if you want an AI agent running on a $10 RISC-V board with less than 10MB of RAM?
Written in Go, PicoClaw compiles to a single self-contained binary that runs on RISC-V, ARM64, and x86. It boots in under 1 second on 0.6GHz processors and uses 99% less memory than OpenClaw. The project was AI-bootstrapped — 95% of the core code was generated by an AI agent, with human-in-the-loop refinement.
Performance
| Metric | OpenClaw | PicoClaw |
|---|---|---|
| Idle RAM | ~1.2 GB | <10 MB |
| Cold Start | ~8 sec | <1 sec |
| Min Hardware Cost | ~$500 (Mac Mini) | $10 (LicheeRV Nano) |
| Binary Size | ~800 MB | ~50 MB |
Features
PicoClaw supports Telegram (with voice), Discord, QQ, DingTalk, LINE, WeCom, and Slack. It connects to multiple LLM providers: OpenRouter, Anthropic, OpenAI, Google Gemini, DeepSeek, and Groq. It includes cron-based scheduling, Brave Search integration, persistent memory, and even an offline mode using PicoLM (a 1-billion parameter local model).
Security
PicoClaw has a minimal attack surface by virtue of having fewer features. There’s a security sandbox, but the project lacks a formal, documented security model comparable to NanoClaw’s container isolation or ZeroClaw’s allowlist system. The Go binary does eliminate some vulnerability classes (no Node.js dependency chain), but Go’s runtime doesn’t provide the same memory safety guarantees as Rust.
Bottom line: PicoClaw is purpose-built for edge and IoT. If you want an AI agent on constrained hardware — home automation, monitoring, or embedded systems — it’s the only real option.
ZeroClaw — The Rust Security Play
Language: Rust | Stars: 18k+ | Created by: Argenis De La Rosa
ZeroClaw is a Rust-native rewrite that prioritizes security and performance above all else. It ships as a 3.4MB binary with cold start under 10 milliseconds and peak memory around 7.8MB.
Security Model
ZeroClaw’s security approach is the most comprehensive in the ecosystem:
- Pairing-based authentication: New connections require a secure pairing code with bearer-token auth.
- Workspace scoping: File access restricted to the configured workspace directory.
- Command allowlists: Only explicitly permitted commands (git, npm, cargo, etc.) can be executed.
- Domain allowlists: Network access restricted to approved domains.
- Encrypted secrets: API keys encrypted at rest using a local key file.
- Localhost-first binding: No ambient network exposure by default.
Rust’s ownership system eliminates buffer overflows, use-after-free, and data races at compile time. No plugin marketplace means no supply chain attack vector.
Autonomy Modes
ZeroClaw offers three execution levels:
- Readonly: Inspection and low-risk tasks only.
- Supervised: Balanced autonomy with human approval for sensitive operations.
- Full: Broader autonomous execution for trusted workflows.
Features
22+ LLM provider integrations, multi-channel support (CLI, Telegram, Discord, Slack, and 30+ total channels), SQLite memory with hybrid FTS5 keyword + vector similarity retrieval, shell execution, file I/O, browser automation, and observability via Prometheus and OpenTelemetry.
Bottom line: ZeroClaw is what you pick when security is non-negotiable. The trade-off is a smaller ecosystem and community compared to OpenClaw.
The Cloud-Hosted Claws
Two major cloud providers have built managed services on top of OpenClaw’s architecture:
MaxClaw (by MiniMax)
Launched February 25, 2026. MaxClaw runs OpenClaw in the cloud with zero-setup deployment — no Docker, no API key management, no server configuration. It’s powered by MiniMax’s M2.5 model (229B parameters, ~10B active per token) and costs $19/month.
Key differentiators: native long-term memory that persists across days and weeks, 10,000+ pre-configured “Experts” (multi-agent workflow templates), and built-in image/video understanding and generation. Connects to Telegram, Discord, Slack, WhatsApp, Feishu, and DingTalk.
KimiClaw (by Moonshot AI)
Launched February 15, 2026. KimiClaw runs OpenClaw natively inside kimi.com — no terminal, no Docker, just a browser tab. Powered by Kimi K2.5 (1-trillion-parameter MoE architecture). Includes 5,000+ pre-loaded ClawHub skills, 40GB cloud storage for RAG workflows, and a “Bring Your Own Claw” (BYOC) feature for connecting your local OpenClaw instance to the cloud interface.
Bottom line: MaxClaw and KimiClaw are the “managed” options. You trade self-hosting control for convenience and zero ops overhead. Both inherit OpenClaw’s skill ecosystem — including its supply chain risks, though the managed environments add their own security layers.
MicroClaw — The Chat-Native Alternative
Language: Rust | Stars: 358 | Created by: Community
MicroClaw is a newer Rust-based entry inspired by NanoClaw’s design philosophy but focused on chat platform breadth. It supports 15+ platform adapters out of the box: Telegram, Discord, Slack, WhatsApp, iMessage, Email, Signal, Matrix, IRC, Feishu/Lark, DingTalk, QQ, Nostr, and Web. It works with both Anthropic and OpenAI-compatible APIs and includes shell execution, file operations, browser automation, scheduled tasks, and persistent memory.
Still early (358 stars), but worth watching if chat platform coverage is your primary requirement.
Comparison
| OpenClaw | NanoClaw | PicoClaw | ZeroClaw | |
|---|---|---|---|---|
| Language | TypeScript | TypeScript | Go | Rust |
| Idle RAM | ~1.2 GB | ~150 MB | <10 MB | ~4 MB |
| Cold Start | ~8 sec | ~3 sec | <1 sec | <10 ms |
| Security Model | Opt-in auth | Container isolation | Sandbox | Allowlists + encryption |
| Plugin Ecosystem | ClawHub (5,000+) | Claude skills | Minimal | Trait-based |
| LLM Providers | 15+ | Anthropic only | 7+ | 22+ |
| Chat Channels | 15+ | 5+ | 7 | 30+ |
| Best For | Max features | Auditability | Edge/IoT | Security-first |
Security Comparison
Security is the defining differentiator in this ecosystem. Here’s how the frameworks compare across key dimensions:
Default network exposure. OpenClaw binds to all interfaces by default — the single decision responsible for 135,000+ exposed instances. ZeroClaw and NanoClaw default to localhost-only. PicoClaw requires explicit configuration.
Supply chain risk. OpenClaw’s ClawHub has the largest attack surface, with 36% of audited skills containing prompt injection. NanoClaw and ZeroClaw have no plugin marketplace. PicoClaw’s ecosystem is minimal.
Memory safety. ZeroClaw (Rust) and MicroClaw (Rust) eliminate entire vulnerability classes at compile time. PicoClaw (Go) has garbage collection and bounds checking but not Rust-level guarantees. OpenClaw and NanoClaw (TypeScript/Node.js) inherit Node’s attack surface.
Isolation model. NanoClaw’s container-per-session approach is the strongest isolation primitive. ZeroClaw’s workspace scoping and allowlists provide defense-in-depth without container overhead. OpenClaw’s Docker sandbox has documented escape vulnerabilities (CVE-2026-24763).
Secret management. ZeroClaw encrypts secrets at rest. NanoClaw passes secrets via stdin, never in environment variables. OpenClaw historically stored credentials in plaintext configuration files.
Which One Should You Use?
There’s no single answer, but here’s a decision framework:
You want maximum features and ecosystem → OpenClaw, but invest heavily in hardening. Enable authentication, bind to localhost, audit every skill, and subscribe to security advisories.
You want something you can fully understand and audit → NanoClaw. The 500-line codebase and container isolation make it the easiest to reason about. Locked to Anthropic’s models.
You want to run agents on constrained hardware → PicoClaw. Nothing else runs on $10 RISC-V boards.
Security is your primary concern → ZeroClaw. Rust memory safety, deny-by-default allowlists, encrypted secrets, and no plugin marketplace.
You don’t want to manage infrastructure → MaxClaw ($19/mo) or KimiClaw (browser-based). Both are managed OpenClaw deployments with their own LLM backends.
Final Thoughts
The claw ecosystem is moving fast. OpenClaw proved the demand for personal AI agents. Its security crisis proved that “move fast” without “secure by default” creates real damage at scale — 135,000 exposed instances, over a thousand malicious packages, and multiple RCE chains with public exploits.
The alternatives each make a different bet. NanoClaw bets on radical simplicity. PicoClaw bets on edge ubiquity. ZeroClaw bets on Rust and defense-in-depth. The cloud variants bet that most people just want it to work without thinking about Docker or API keys.
What’s clear is that the AI agent pattern — LLMs with tool access running autonomously — is here to stay. The question is whether the security models can evolve fast enough to match the ambition.
References
OpenClaw
- OpenClaw Security Risks: The AI Agent Threat Explained — Cyberdesserts, 2026
- Critical OpenClaw Vulnerability Exposes AI Agent Risks — Dark Reading, 2026
- Securing OpenClaw Against ClawHavoc — Security Boulevard, 2026
- Every OpenClaw CVE Explained — MintMCP, 2026
NanoClaw
- NanoClaw’s Answer to OpenClaw Is Minimal Code, Maximum Isolation — The New Stack, 2026
- NanoClaw Brings Container-Isolated AI Agents to WhatsApp and Telegram — FAUN, 2026
- OpenClaw, but in Containers: Meet NanoClaw — The Register, 2026
- NanoClaw GitHub Repository — GitHub
PicoClaw
- PicoClaw: The $10 AI Agent That Changed My Edge Computing Game — Medium, 2026
- PicoClaw: Lightweight AI Assistant CLI for Edge & Low-Cost Devices — Firethering, 2026
- PicoClaw: The Ultra-Lightweight AI Assistant That Runs on Almost Anything — Medium, 2026
- PicoClaw GitHub Repository — GitHub
ZeroClaw
- ZeroClaw: A Lightweight, Secure Rust Agent Runtime — DEV Community, 2026
- Deconstructing ZeroClaw: The Ultra-Lightweight AI Agent Framework — OnePageCode, 2026
- ZeroClaw vs OpenClaw vs PicoClaw: The Definitive 2026 Comparison — ZeroClaw Blog, 2026
- ZeroClaw GitHub Repository — GitHub
MaxClaw & KimiClaw
- MiniMax Launches MaxClaw: A One-Click Agent System — 24-7 Press Release, 2026
- Moonshot AI Launches Kimi Claw: Native OpenClaw on Kimi.com — MarkTechPost, 2026
- MaxClaw vs KimiClaw — Cloud AI Agent Comparison 2026 — MaxClaw, 2026