Should my enterprise AI agent do that? NanoClaw and Vercel launch easier agentic policy setting and approval dialogs across 15 messaging apps
Our take

For the past year, early adopters of autonomous AI agents have been forced to play a murky game of chance: keep the agent in a useless sandbox or give it the keys to the kingdom and hope it doesn't hallucinate a catastrophic "delete all" command.
To unlock the true utility of an agent—scheduling meetings, triaging emails, or managing cloud infrastructure—users have had to grant these models raw API keys and broad permissions, raising the risk of their systems being disrupted by an accidental agent mistake.
That tradeoff ends today. The creators of the open source, sandboxed NanoClaw agent framework, now operating as a private startup named NanoCo, have announced a partnership with Vercel and OneCLI to introduce a standardized, infrastructure-level approval system.
By integrating Vercel’s Chat SDK and OneCLI’s open source credentials vault, NanoClaw 2.0 ensures that no sensitive action occurs without explicit human consent, delivered natively through the messaging apps where users already live.
The use cases that stand to benefit most are those involving high-consequence "write" actions. For example, in DevOps, an agent could propose a cloud infrastructure change that only goes live once a senior engineer taps "Approve" in Slack.
For finance teams, an agent could prepare batch payments or invoice triaging, with the final disbursement requiring a human signature via a WhatsApp card.
Technology: security by isolation
The fundamental shift in NanoClaw 2.0 is the move away from "application-level" security to "infrastructure-level" enforcement. In traditional agent frameworks, the model itself is often responsible for asking for permission—a flow that Gavriel Cohen, co-founder of NanoCo, describes as inherently flawed.
"The agent could potentially be malicious or compromised," Cohen noted in a recent interview. "If the agent is generating the UI for the approval request, it could trick you by swapping the 'Accept' and 'Reject' buttons."
NanoClaw solves this by running agents in strictly isolated Docker or Apple Containers. The agent never sees a real API key; instead, it uses "placeholder" keys. When the agent attempts an outbound request, the request is intercepted by the OneCLI Rust Gateway. The gateway checks a set of user-defined policies (e.g., "Read-only access is okay, but sending an email requires approval").
If the action is sensitive, the gateway pauses the request and triggers a notification to the user. Only after the user approves does the gateway inject the real, encrypted credential and allow the request to reach the service.
Product: bringing the 'human' into the loop
While security is the engine, Vercel’s Chat SDK is the dashboard. Integrating with different messaging platforms is notoriously difficult because every app—Slack, Teams, WhatsApp, Telegram—uses different APIs for interactive elements like buttons and cards.
By leveraging Vercel’s unified SDK, NanoClaw can now deploy to 15 different channels from a single TypeScript codebase. When an agent wants to perform a protected action, the user receives a rich interactive card on their phone. "The approval shows up as a rich, native card right inside Slack or WhatsApp or Teams, and the user taps once to approve or deny," said Cohen. This "seamless UX" is what makes human-in-the-loop oversight practical rather than a productivity bottleneck.
The full list of 15 supported messaging apps/channels contains many favored by enterprise knowledge workers, including:
Slack
WhatsApp
Telegram
Microsoft Teams
Discord
Google Chat
iMessage
Facebook Messenger
Instagram
X (Twitter)
GitHub
Linear
Matrix
Email
Webex
Background on NanoClaw
NanoClaw launched on January 31, 2026, as a minimalist and security-focused response to the "security nightmare" inherent in complex, non-sandboxed agent frameworks.
Created by Cohen, a former Wix.com engineer, and marketed by his brother Lazer, CEO of B2B tech public relations firm Concrete Media, the project was designed to solve the auditability crisis found in competing platforms like OpenClaw, which had grown to nearly 400,000 lines of code.
By contrast, NanoClaw condensed its core logic into roughly 500 lines of TypeScript—a size that, according to VentureBeat, allows the entire system to be audited by a human or a secondary AI in approximately eight minutes.
The platform’s primary technical defense is its use of operating system-level isolation. Every agent is placed inside an isolated Linux container—utilizing Apple Containers for high performance on macOS or Docker for Linux—to ensure that the AI only interacts with directories explicitly mounted by the user.
As detailed in VentureBeat's reporting on the project's infrastructure, this approach confines the "blast radius" of potential prompt injections strictly to the container and its specific communication channel.
In March 2026, NanoClaw further matured this security posture through an official partnership with the software container firm Docker to run agents inside "Docker Sandboxes".
This integration utilizes MicroVM-based isolation to provide an enterprise-ready environment for agents that, by their nature, must mutate their environments by installing packages, modifying files, and launching processes—actions that typically break traditional container immutability assumptions.
Operationally, NanoClaw rejects the traditional "feature-rich" software model in favor of a "Skills over Features" philosophy. Instead of maintaining a bloated main branch with dozens of unused modules, the project encourages users to contribute "Skills"—modular instructions that teach a local AI assistant how to transform and customize the codebase for specific needs, such as adding Telegram or Gmail support.
This methodology, as described on NanoClaw's website and in VentureBeat interviews, ensures that users only maintain the exact code required for their specific implementation.
Furthermore, the framework natively supports "Agent Swarms" via the Anthropic Agent SDK, allowing specialized agents to collaborate in parallel while maintaining isolated memory contexts for different business functions.
Licensing and open source strategy
NanoClaw remains firmly committed to the open source MIT License, encouraging users to fork the project and customize it for their own needs. This stands in stark contrast to "monolithic" frameworks.
NanoClaw’s codebase is remarkably lean, consisting of only 15 source files and roughly 3,900 lines of code, compared to the hundreds of thousands of lines found in competitors like OpenClaw.
The partnership also highlights the strength of the "Open Source Avengers" coalition.
By combining NanoClaw (agent orchestration), Vercel Chat SDK (UI/UX), and OneCLI (security/secrets), the project demonstrates that modular, open-source tools can outpace proprietary labs in building the application layer for AI.
Community reactions
As shown on the NanoClaw website, the project has amassed more than 27,400 stars on GitHub and maintains an active Discord community.
A core claim on the NanoClaw site is that the codebase is small enough to understand in "8 minutes," a feature targeted at security-conscious users who want to audit their assistant.
In an interview, Cohen noted that iMessage support via Vercel’s Photon project addresses a common community hurdle: previously, users often had to maintain a separate Mac Mini to connect agents to an iMessage account.
The enterprise perspective: should you adopt?
For enterprises, NanoClaw 2.0 represents a shift from speculative experimentation to safe operationalization.
Historically, IT departments have blocked agent usage due to the "all-or-nothing" nature of credential access. By decoupling the agent from the secret, NanoClaw provides a middle ground that mirrors existing corporate security protocols—specifically the principle of least privilege.
Enterprises should consider this framework if they require high auditability and have strict compliance needs regarding data exfiltration. According to Cohen, many businesses have not been ready to grant agents access to calendars or emails because of security concerns. This framework addresses that by ensuring the agent structurally cannot act without permission.
Enterprises stand to benefit specifically in use cases involving "high-stakes" actions. As illustrated in the OneCLI dashboard, a user can set a policy where an agent can read emails freely but must trigger a manual approval dialog to "delete" or "send" one.
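As an added illustration, not code from NanoClaw, OneCLI or Vercel, the following TypeScript models both the flow described in the Technology section and the read-freely/approve-on-send policy just mentioned: the agent holds only a placeholder key, the gateway evaluates a policy with default deny, pauses sensitive actions for a human decision, and substitutes the real credential only after approval. The policy entries, vault contents, service names and the Gateway and ApprovalCard types are all constructed for this example. The approval card's button labels are fixed by the gateway rather than taken from the agent's request, which is the point Cohen makes about agent-generated approval UIs.

```typescript
// Added example (not NanoClaw/OneCLI/Vercel code): a credential gateway that
// sits between a sandboxed agent and an external service.

type Action = "read" | "send" | "delete";
type PolicyDecision = "allow" | "require_approval" | "deny";

interface AgentRequest {
  service: string;                 // e.g. "email" (constructed name)
  action: Action;
  placeholderKey: string;          // the only "credential" the agent ever sees
  params: Record<string, string>;  // agent-supplied, treated as untrusted text
}

interface Policy {
  service: string;
  action: Action;
  decision: PolicyDecision;
}

// Card rendered by the gateway. Button labels are fixed here, never taken from
// the agent's request, so a compromised agent cannot swap Approve and Deny.
interface ApprovalCard {
  id: string;
  summary: string;
  buttons: readonly ["Approve", "Deny"];
}

interface UpstreamResponse {
  service: string;
  action: Action;
  authHeaderUsed: string;
}

type GatewayResult =
  | { status: "completed"; upstream: UpstreamResponse }
  | { status: "pending"; card: ApprovalCard }
  | { status: "denied"; reason: string };

// Stand-in for the real external service: it records which credential it
// received, so a caller can prove the real key never left the gateway.
function forwardUpstream(req: AgentRequest, realKey: string): UpstreamResponse {
  return { service: req.service, action: req.action, authHeaderUsed: `Bearer ${realKey}` };
}

class Gateway {
  private pending = new Map<string, AgentRequest>();
  private nextId = 1;
  readonly log: string[] = [];

  constructor(
    private policies: Policy[],
    // Placeholder key -> real credential; this map lives only in the gateway.
    private vault: Map<string, string>,
  ) {}

  // Default deny: a request with no matching policy never reaches the service.
  private evaluate(req: AgentRequest): PolicyDecision {
    const match = this.policies.find(p => p.service === req.service && p.action === req.action);
    return match ? match.decision : "deny";
  }

  handle(req: AgentRequest): GatewayResult {
    const decision = this.evaluate(req);
    this.log.push(`${req.service}.${req.action} -> ${decision}`);
    if (decision === "deny") {
      return { status: "denied", reason: `no policy permits ${req.service}.${req.action}` };
    }
    if (decision === "require_approval") {
      const id = `apr-${this.nextId++}`;
      this.pending.set(id, req);
      const card: ApprovalCard = {
        id,
        // Agent-supplied params are rendered as inert text, not as controls.
        summary: `Agent wants to ${req.action} via ${req.service}: ${JSON.stringify(req.params)}`,
        buttons: ["Approve", "Deny"],
      };
      return { status: "pending", card };
    }
    return this.execute(req);
  }

  // Called by the messaging layer when the human taps a button.
  resolveApproval(id: string, choice: "Approve" | "Deny"): GatewayResult {
    const req = this.pending.get(id);
    if (!req) return { status: "denied", reason: `unknown or already-resolved approval ${id}` };
    this.pending.delete(id);  // single use: a second tap cannot replay the action
    this.log.push(`${id} ${choice === "Approve" ? "approved" : "denied"} by human`);
    if (choice === "Deny") return { status: "denied", reason: "rejected by human" };
    return this.execute(req);
  }

  // The only place the real credential is ever looked up.
  private execute(req: AgentRequest): GatewayResult {
    const realKey = this.vault.get(req.placeholderKey);
    if (!realKey) return { status: "denied", reason: "placeholder key not in vault" };
    return { status: "completed", upstream: forwardUpstream(req, realKey) };
  }
}

// Constructed sample policy and vault; the key value is invented for the example.
const emailPolicies: Policy[] = [
  { service: "email", action: "read", decision: "allow" },
  { service: "email", action: "send", decision: "require_approval" },
  { service: "email", action: "delete", decision: "require_approval" },
];
const sampleVault = new Map<string, string>([["PLACEHOLDER_EMAIL_KEY", "real-email-key-EXAMPLE"]]);

function buildGateway(): Gateway {
  return new Gateway(emailPolicies, sampleVault);
}

// Walks through one read (allowed immediately) and one send (held for approval).
function demo(): string[] {
  const gw = buildGateway();
  gw.handle({ service: "email", action: "read", placeholderKey: "PLACEHOLDER_EMAIL_KEY", params: { folder: "inbox" } });
  const send = gw.handle({ service: "email", action: "send", placeholderKey: "PLACEHOLDER_EMAIL_KEY", params: { to: "cfo@example.com" } });
  if (send.status === "pending") gw.resolveApproval(send.card.id, "Approve");
  return gw.log;
}
```

The design choice worth noting is that the vault lookup happens in exactly one private method, reached only after the policy check or the human decision, and that a pending approval is deleted on first use so a repeated tap cannot replay the action.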
Because NanoClaw runs as a single Node.js process with isolated containers, it allows enterprise security teams to verify that the gateway is the only path for outbound traffic. This architecture transforms the AI from an unmonitored operator into a supervised junior staffer, providing the productivity of autonomous agents without forgoing executive control.
Ultimately, NanoClaw is a recommendation for organizations that want the productivity of autonomous agents without the "black box" risk of traditional LLM wrappers. It turns the AI from a potentially rogue operator into a highly capable junior staffer who always asks for permission before hitting the "send" or "buy" button.
As AI-native setups become the standard, this partnership establishes the blueprint for how trust will be managed in the age of the autonomous workforce.
Read on the original site
Open the publisher's page for the full experience
Related Articles
- The end of 'shadow AI' at enterprises? Kilo launches KiloClaw for Organizations to enable secure AI agents at scale As generative AI matures from a novelty into a workplace staple, a new friction point has emerged: the "shadow AI" or "Bring Your Own AI (BYOAI)" crisis. Much like the unsanctioned use of personal devices in years past, developers and knowledge workers are increasingly deploying autonomous agents on personal infrastructure to manage their professional workflows. "Our journey with Kilo Claw has been to make it easier and easier and more accessible to folks," says Kilo co-founder Scott Breitenother. Today, the company dedicated to providing a portable, multi-model, cloud-based AI coding environment is moving to formalize this "shadow AI" layer: it's launching KiloClaw for Organizations and KiloClaw Chat, a suite of tools designed to provide enterprise-grade governance over personal AI agents. The announcement comes at a period of high velocity for the company. Since making its securely hosted, one-click OpenClaw product for individuals, KiloClaw, generally available last month, more than 25,000 users have integrated the platform into their daily workflows. Simultaneously, Kilo’s proprietary agent benchmark, PinchBench, has logged over 250,000 interactions and recently gained significant industry validation when it was referenced by Nvidia CEO Jensen Huang during his keynote at the 2026 Nvidia GTC conference in San Jose, California. The shadow AI crisis: Addressing the BYOAI problem The impetus for KiloClaw for Organizations stems from a growing visibility gap within large enterprises. In a recent interview with VentureBeat, Kilo leadership detailed conversations with high-level AI directors at government contractors who found their developers running OpenClaw agents on random VPS instances to manage calendars and monitor repositories. 
"What we’re announcing on Tuesday is Kilo Claw for organizations, where a company can buy an organization-level package of Kilo Claws and give every team member access," explained Kilo co-founder and head of product and engineering Emilie Schario during the interview. "We can't see any of it," the head of AI at one such firm reportedly told Kilo. "No audit logs. No credential management. No idea what data is touching what API". This lack of oversight has led some organizations to issue blanket bans on autonomous agents before a clear strategy on deployment could be formed. Anand Kashyap, CEO and founder of data security firm Fortanix, told VentureBeat without seeing Kilo's announcement that while "Openclaw has taken the technology world by storm... the enterprise usage is minimal due to the security concerns of the open source version." Kashyap expanded on this trend: "In recent times, NVIDIA (with NemoClaw), Cisco (DefenseClaw), Palo Alto Networks, and Crowdstrike have all announced offerings to create an enterprise-ready version of OpenClaw with guardrails and governance for agent security. However, enterprise adoption continues to be low. Enterprises like centralized IT control, predictable behavior, and data security which keeps them compliant. An autonomous agentic platform like OpenClaw stretches the envelope on all these parameters, and while security majors have announced their traditional perimeter security measures, they don't address the fundamental problems of having a reduced attack surface. Over time, we will see an agentic platform emerge where agents are pre-built and packaged, and deployed responsibly with centralized controls, and data access controls built into the agentic platform as well as the LLMs they call upon to get instructions on how to perform the next task. Technologies like Confidential Computing provide compartmentalization of data and processing, and are tremendously helpful in reducing the attack surface." 
KiloClaw for Organizations is positioned as the way for the security team to say "yes," providing the visibility and control required to bring these agents in-house. It transitions agents from developer-managed infrastructure into a managed environment characterized by scoped access and organizational-level controls. Technology: Universal persistence and the "Swiss cheese" method A core technical hurdle in the current agent landscape is the fragmentation of chat sessions. During the VentureBeat interview, Schario noted that even advanced tools often struggle with canonical sessions, frequently dropping messages or failing to sync across devices. Schario emphasized the security layer that supports this new structure: “You get all the same benefits of the Kilo gateway and the Kilo platform: you can limit what models people can use, get usage visibility, cost controls, and all the advantages of leveraging Kilo with managed, hosted, controlled Kilo Claw”. To address the inherent unreliability of autonomous agents—such as missed cron jobs or failed executions—Kilo employs what Schario calls the "Swiss cheese method" of reliability. By layering additional protections and deterministic guardrails on top of the base OpenClaw architecture, Kilo aims to ensure that tasks, such as a daily 6:00 PM summary, are completed even if the underlying agent logic falters. This is critical because, as Schario noted, “The real risk for any company is data leakage, and that can come from a bot commenting on a GitHub issue or accidentally emailing the person who’s going to get fired before they get fired”. Product: KiloClaw Chat and organizational guardrails While managed infrastructure solves the backend problem, KiloClaw Chat addresses the user experience. Schario noted that “Hosted, managed OpenClaw is easier to get started with, but it’s not enough, and it still requires you to be at the edge of technology to understand how to set it up”. 
Kilo is looking to lower that barrier for the average worker, asking: “How do we give people who have never heard the phrase OpenClaw or Claudebot an always-on AI assistant?”. Traditionally, interacting with an OpenClaw agent required connecting to third-party messaging services like Telegram or Discord—a process that involves navigating "BotFather" tokens and technical configurations that alienate non-engineers. “One of the number one hurdles we see, both anecdotally and in the data, is that you get your bot running and then you have to connect a channel to it. If you don’t know what’s going on, it’s overwhelming,” Schario observed. “We solved that problem. You don’t need to set up a channel. You can chat with Kilo in the web UI and, with the Kilo Claw app on your phone, interact with Kilo without setting an external channel,” she continued. This native approach is essential for corporate compliance because, as she further explained, “When we were talking to early enterprise opportunities, they don’t want you using your personal Telegram account to chat with your work bot”. As Schario put it, there is a reason enterprise communication doesn't flow through personal DMs; when a company shuts off access, they must be able to shut off access to the bot. Looking ahead, the company plans to integrate these environments further. “What we’re going to do is make Kilo Chat the waypoint between Telegram, Discord, and OpenClaw, so you get all the convenience of Kilo Chat but can use it in the other channels,” Breitenother added. The enterprise package includes several critical governance features: Identity Management: SSO/OIDC integration and SCIM provisioning for automated user lifecycles. Centralized Billing: Full visibility into compute and inference usage across the entire organization. Admin Controls: Org-wide policies regarding which models can be used, specific permissions, and session durations. 
Secrets Configuration: Integration with 1Password ensures that agents never handle credentials in plain text, preventing accidental leaks. Licensing and governance: The "bot account" model Other security experts note that handling bot and AI agentic permissions are among the most pressing problems enterprises are facing today As Ev Kontsevoy, CEO and co-founder of AI infrastructure and identity management company Teleport told VentureBeat without seeing the Kilo news: "The potential impact of OpenClaw as a non-deterministic actor demonstrates why identity can’t be an afterthought. You have an autonomous agent with shell access, browser control, and API credentials — running on a persistent loop, across dozens of messaging platforms, with the ability to write its own skills. That’s not a chatbot. That’s a non-deterministic actor with broad infrastructure access and no cryptographic identity, no short-lived credentials, and no real-time audit trail tying actions to a verifiable actor." Kilo is proposing to solve it with a major change in organizational structure: the adoption of employee "bot accounts". In Kilo’s vision, every employee eventually carries two identities—their standard human account and a corresponding bot account, such as scott.bot@kiloco.ai. These bot identities operate with strictly limited, read-only permissions. For example, a bot might be granted read-only access to company logs or a GitHub account with contributor-only rights. This "scoped" approach allows the agent to maintain full visibility of the data it needs to be helpful while ensuring it cannot accidentally share sensitive information with others. Addressing concerns over data privacy and "black box" algorithms, Kilo emphasizes that its code is source available. “Anyone can go look at our code. It’s not a black box. When you’re buying Kilo Claw, you’re not giving us your data, and we’re not training on any of your data because we're not building our own model,” Schario clarified. 
This licensing choice allows organizations to audit the resiliency and security of the platform without fearing their proprietary data will be used to improve third-party models. Pricing and availability KiloClaw for Organizations follows a usage-based pricing model where companies pay only for the compute and inference consumed. Organizations can utilize a "Bring Your Own Key" (BYOK) approach or use Kilo Gateway credits for inference. The service is available starting today, Wednesday, April 1. KiloClaw Chat is currently in beta, with support for web, desktop, and iOS sessions. New users can evaluate the platform via a free tier that includes seven days of compute. As Breitenother summarized to VentureBeat, the goal is to shift from "one-off" deployments to a scalable model for the entire workforce: "I think of Kilo for orgs as buying Kilo Claw by the bushel instead of by the one-off. And we're hoping to sell a lot of bushels of of kilo claw".
- AI agent credentials live in the same box as untrusted code. Two new architectures show where the blast radius actually stops.Four separate RSAC 2026 keynotes arrived at the same conclusion without coordinating. Microsoft's Vasu Jakkal told attendees that zero trust must extend to AI. Cisco's Jeetu Patel called for a shift from access control to action control, saying in an exclusive interview with VentureBeat that agents behave "more like teenagers, supremely intelligent, but with no fear of consequence." CrowdStrike's George Kurtz identified AI governance as the biggest gap in enterprise technology. Splunk's John Morgan called for an agentic trust and governance model. Four companies. Four stages. One problem. Matt Caulfield, VP of Product for Identity and Duo at Cisco, put it bluntly in an exclusive VentureBeat interview at RSAC. "While the concept of zero trust is good, we need to take it a step further," Caulfield said. "It's not just about authenticating once and then letting the agent run wild. It's about continuously verifying and scrutinizing every single action the agent's trying to take, because at any moment, that agent can go rogue." Seventy-nine percent of organizations already use AI agents, according to PwC's 2025 AI Agent Survey. Only 14.4% reported full security approval for their entire agent fleet, per the Gravitee State of AI Agent Security 2026 report of 919 organizations in February 2026. A CSA survey presented at RSAC found that only 26% have AI governance policies. CSA's Agentic Trust Framework describes the resulting gap between deployment velocity and security readiness as a governance emergency. Cybersecurity leaders and industry executives at RSAC agreed on the problem. Then two companies shipped architectures that answer the question differently. The gap between their designs reveals where the real risk sits. 
The monolithic agent problem that security teams are inheriting The default enterprise agent pattern is a monolithic container. The model reasons, calls tools, executes generated code, and holds credentials in one process. Every component trusts every other component. OAuth tokens, API keys, and git credentials sit in the same environment where the agent runs code it wrote seconds ago. A prompt injection gives the attacker everything. Tokens are exfiltrable. Sessions are spawnable. The blast radius is not the agent. It is the entire container and every connected service. The CSA and Aembit survey of 228 IT and security professionals quantifies how common this remains: 43% use shared service accounts for agents, 52% rely on workload identities rather than agent-specific credentials, and 68% cannot distinguish agent activity from human activity in their logs. No single function claimed ownership of AI agent access. Security said it was a developer's responsibility. Developers said it was a security responsibility. Nobody owned it. CrowdStrike CTO Elia Zaitsev, in an exclusive VentureBeat interview, said the pattern should look familiar. "A lot of what securing agents look like would be very similar to what it looks like to secure highly privileged users. They have identities, they have access to underlying systems, they reason, they take action," Zaitsev said. "There's rarely going to be one single solution that is the silver bullet. It's a defense in depth strategy." CrowdStrike CEO George Kurtz highlighted ClawHavoc (a supply chain campaign targeting the OpenClaw agentic framework) at RSAC during his keynote. Koi Security named the campaign on February 1, 2026. Antiy CERT confirmed 1,184 malicious skills tied to 12 publisher accounts, according to multiple independent analyses of the campaign. Snyk's ToxicSkills research found that 36.8% of the 3,984 ClawHub skills scanned contain security flaws at any severity level, with 13.4% rated critical. 
Average breakout time has dropped to 29 minutes. Fastest observed: 27 seconds. (CrowdStrike 2026 Global Threat Report) Anthropic separates the brain from the hands Anthropic's Managed Agents, launched April 8 in public beta, split every agent into three components that do not trust each other: a brain (Claude and the harness routing its decisions), hands (disposable Linux containers where code executes), and a session (an append-only event log outside both). Separating instructions from execution is one of the oldest patterns in software. Microservices, serverless functions, and message queues. Credentials never enter the sandbox. Anthropic stores OAuth tokens in an external vault. When the agent needs to call an MCP tool, it sends a session-bound token to a dedicated proxy. The proxy fetches real credentials from the vault, makes the external call, and returns the result. The agent never sees the actual token. Git tokens get wired into the local remote at sandbox initialization. Push and pull work without the agent touching the credential. For security directors, this means a compromised sandbox yields nothing an attacker can reuse. The security gain arrived as a side effect of a performance fix. Anthropic decoupled the brain from the hands so inference could start before the container booted. Median time to first token dropped roughly 60%. The zero-trust design is also the fastest design. That kills the enterprise objection that security adds latency. Session durability is the third structural gain. A container crash in the monolithic pattern means total state loss. In Managed Agents, the session log persists outside both brain and hands. If the harness crashes, a new one boots, reads the event log, and resumes. No state lost turns into a productivity gain over time. Managed Agents include built-in session tracing through the Claude Console. Pricing: $0.08 per session-hour of active runtime, idle time excluded, plus standard API token costs. 
Security directors can now model agent compromise cost per session-hour against the cost of the architectural controls. Nvidia locks the sandbox down and monitors everything inside it Nvidia's NemoClaw, released March 16 in early preview, takes the opposite approach. It does not separate the agent from its execution environment. It wraps the entire agent inside four stacked security layers and watches every move. Anthropic and Nvidia are the only two vendors to have shipped zero-trust agent architectures publicly as of this writing; others are in development. NemoClaw stacks five enforcement layers between the agent and the host. Sandboxed execution uses Landlock, seccomp, and network namespace isolation at the kernel level. Default-deny outbound networking forces every external connection through explicit operator approval via YAML-based policy. Access runs with minimal privileges. A privacy router directs sensitive queries to locally-running Nemotron models, cutting token cost and data leakage to zero. The layer that matters most to security teams is intent verification: OpenShell's policy engine intercepts every agent action before it touches the host. The trade-off for organizations evaluating NemoClaw is straightforward. Stronger runtime visibility costs more operator staffing. The agent does not know it is inside NemoClaw. In-policy actions return normally. Out-of-policy actions get a configurable denial. Observability is the strongest layer. A real-time Terminal User Interface logs every action, every network request, every blocked connection. The audit trail is complete. The problem is cost: operator load scales linearly with agent activity. Every new endpoint requires manual approval. Observation quality is high. Autonomy is low. That ratio gets expensive fast in production environments running dozens of agents. Durability is the gap nobody's talking about. Agent state persists as files inside the sandbox. If the sandbox fails, the state goes with it. 
No external session recovery mechanism exists. Long-running agent tasks carry a durability risk that security teams need to price into deployment planning before they hit production. The credential proximity gap Both architectures are a real step up from the monolithic default. Where they diverge is the question that matters most to security teams: how close do credentials sit to the execution environment? Anthropic removes credentials from the blast radius entirely. If an attacker compromises the sandbox through prompt injection, they get a disposable container with no tokens and no persistent state. Exfiltrating credentials requires a two-hop attack: influence the brain's reasoning, then convince it to act through a container that holds nothing worth stealing. Single-hop exfiltration is structurally eliminated. NemoClaw constrains the blast radius and monitors every action inside it. Four security layers limit lateral movement. Default-deny networking blocks unauthorized connections. But the agent and generated code share the same sandbox. Nvidia's privacy router keeps inference credentials on the host, outside the sandbox. But messaging and integration tokens (Telegram, Slack, Discord) are injected into the sandbox as runtime environment variables. Inference API keys are proxied through the privacy router and not passed into the sandbox directly. The exposure varies by credential type. Credentials are policy-gated, not structurally removed. That distinction matters most for indirect prompt injection, where an adversary embeds instructions in content the agent queries as part of legitimate work. A poisoned web page. A manipulated API response. The intent verification layer evaluates what the agent proposes to do, not the content of data returned by external tools. Injected instructions enter the reasoning chain as trusted context. With proximity to execution. 
In the Anthropic architecture, indirect injection can influence reasoning but cannot reach the credential vault. In the NemoClaw architecture, injected context sits next to both reasoning and execution inside the shared sandbox. That is the widest gap between the two designs. NCC Group's David Brauchler, Technical Director and Head of AI/ML Security, advocates for gated agent architectures built on trust segmentation principles where AI systems inherit the trust level of the data they process. Untrusted input, restricted capabilities. Both Anthropic and Nvidia move in this direction. Neither fully arrives. The zero-trust architecture audit for AI agents The audit grid covers three vendor patterns across six security dimensions, five actions per row. It distills to five priorities: Audit every deployed agent for the monolithic pattern. Flag any agent holding OAuth tokens in its execution environment. The CSA data shows 43% use shared service accounts. Those are the first targets. Require credential isolation in agent deployment RFPs. Specify whether the vendor removes credentials structurally or gates them through policy. Both reduce risk. They reduce it by different amounts with different failure modes. Test session recovery before production. Kill a sandbox mid-task. Verify state survives. If it does not, long-horizon work carries a data-loss risk that compounds with task duration. Staff for the observability model. Anthropic's console tracing integrates with existing observability workflows. NemoClaw's TUI requires an operator-in-the-loop. The staffing math is different. Track indirect prompt injection roadmaps. Neither architecture fully resolves this vector. Anthropic limits the blast radius of a successful injection. NemoClaw catches malicious proposed actions but not malicious returned data. Require vendor roadmap commitments on this specific gap. Zero trust for AI agents stopped being a research topic the moment two architectures shipped. 
The monolithic default is a liability. The 65-point gap between deployment velocity and security approval is where the next class of breaches will start.
- Anthropic’s Claude can now control your Mac, escalating the fight to build AI agents that actually do work

Anthropic on Monday launched the most ambitious consumer AI agent to date, giving its Claude chatbot the ability to directly control a user's Mac — clicking buttons, opening applications, typing into fields, and navigating software on the user's behalf while they step away from their desk. The update, available immediately as a research preview for paying subscribers, transforms Claude from a conversational assistant into something closer to a remote digital operator. It arrives inside both Claude Cowork, the company's agentic productivity tool, and Claude Code, its developer-focused command-line agent. Anthropic is also extending Dispatch — a feature introduced last week that lets users assign Claude tasks from a mobile phone — into Claude Code for the first time, creating an end-to-end pipeline where a user can issue instructions from anywhere and return to a finished deliverable.

The move thrusts Anthropic into the center of the most heated competition in artificial intelligence: the scramble to build agents that can act, not just talk. OpenAI, Google, Nvidia, and a growing swarm of startups are all chasing the same prize — an AI that operates inside your existing tools rather than beside them. And the stakes are no longer theoretical. Reuters reported Sunday that OpenAI is actively courting private equity firms in what it described as an "enterprise turf war with Anthropic," a battle in which the ability to ship working agents is fast becoming the decisive weapon.

The new features are available to Claude Pro subscribers (starting at $17 per month) and Max subscribers ($100 or $200 per month), but only on macOS for now.
Inside Claude's computer use: How Anthropic's AI agent decides when to click, type, and navigate your Mac

The computer use feature works through a layered priority system that reveals how Anthropic is thinking about reliability versus reach. When a user assigns Claude a task, it first checks whether a direct connector exists — integrations with services like Gmail, Google Drive, Slack, or Google Calendar. These connectors are the fastest and most reliable path to completing a task, according to Anthropic's documentation. If no connector is available, Claude falls back to navigating the Chrome browser via Anthropic's Claude for Chrome extension. Only as a last resort does Claude interact directly with the user's screen — clicking, typing, scrolling, and opening applications the way a human operator would.

This hierarchy matters. As Anthropic's help center documentation explains, "pulling messages through your Slack connection takes seconds, but navigating Slack through your screen takes much longer and is more error-prone." Screen-level interaction is the most flexible mode — it can theoretically work with any application — but it is also the slowest and most fragile.

When Claude does interact with the screen, it takes screenshots of the user's desktop to understand what it's looking at and determine how to navigate. That means Claude can see anything visible on the screen, including personal data, sensitive documents, or private information. Anthropic trains Claude to avoid engaging in stock trading, inputting sensitive data, or gathering facial images, but the company is candid that "these guardrails are part of how Claude is trained and instructed, but they aren't absolute."

There is nothing to configure. No API keys, no terminal setup, no special permissions beyond what the user grants on a per-app basis. As Ryan Donegan, who handles communications for Anthropic, put it in a press briefing: "Download the app and it uses what's already on your machine."
Claude Dispatch turns your iPhone into a remote control for AI-powered desktop automation

The real strategic play may not be computer use itself but how Anthropic is pairing it with Dispatch. Dispatch, which launched last week for Cowork and now extends to Claude Code, creates a persistent, continuous conversation between Claude on your phone and Claude on your desktop. A user pairs their mobile device with their Mac by scanning a QR code, and from that point forward, they can text Claude instructions from anywhere. Claude executes those instructions on the desktop — which must remain awake and running the Claude app — and sends back the results.

The use cases Anthropic envisions range from mundane to ambitious: having Claude check your email every morning, pull weekly metrics into a report template, organize a cluttered Downloads folder, or even compile a competitive analysis from local files and connected tools into a formatted document. Scheduled tasks allow users to set a cadence once — "every Friday," "every morning" — and let Claude handle the rest without further prompting.

Anthropic's blog post frames the combination of Dispatch and computer use as something of a paradigm shift. "Claude can use your computer on your behalf while you're away," the company wrote, offering examples like creating a morning briefing while a user commutes, making changes in an IDE, running tests, and submitting a pull request.

One early user on social media captured the broader ambition succinctly. Gagan Saluja, who describes himself as working with Claude and AWS, wrote: "combine this with /schedule that just dropped and you've basically got a background worker that can interact with any app on a cron job. that's not an AI assistant anymore, that's infrastructure."

First hands-on tests reveal Claude's computer use works about half the time — and that may be the point

Anthropic is calling this a research preview for a reason.
Early hands-on testing suggests the feature works well for information retrieval and summarization but struggles with more complex, multi-step workflows — particularly those that require interacting with multiple applications.

John Voorhees of MacStories, the Apple-focused publication, published a detailed hands-on evaluation of Dispatch the same day as the announcement. His results were mixed. Claude successfully located a specific screenshot on his Mac, summarized the most recent note in his Notion database, listed notes saved that day, added a URL to Notion, summarized his most recently received email, and recalled a screenshot from earlier in the session. But it failed to open the Shortcuts app on his Mac, send a screenshot via iMessage, list unfinished Todoist tasks (due to an authorization error), list Terminal sessions, display a food order from an active Safari tab, or fetch a URL from Safari using AppleScript.

Voorhees' verdict was measured: Dispatch "can find information on your Mac and works with Connectors, but it's slow and about a 50/50 shot whether what you try will work." He added that it is "not good enough to rely on when you're away from your desk" but called it "a step in the right direction."

Meanwhile, on GitHub, users are already surfacing technical issues. One bug report filed against Claude Code describes a scenario where the Read tool attempts to process multiple large PDF files in a single turn without checking whether the combined payload exceeds the 20MB API limit, causing the request to fail outright. The issue, which has been tagged as a bug specific to macOS, highlights the kinds of rough edges that come with shipping an early preview of a complex agentic system.

OpenClaw, NemoClaw, and the startup swarm: Why Anthropic is racing to ship AI computer use now

Anthropic's timing is not accidental.
The company is shipping computer use capabilities into a market that has been rapidly reshaped by the viral rise of OpenClaw, the open-source framework that enables AI models to autonomously control computers and interact with tools. OpenClaw exploded earlier this year and proved that users wanted AI agents capable of taking real actions on their computers — and that they were willing to tolerate rough edges to get them. The framework spawned an entire ecosystem of derivative tools — what the community calls "claws" — that turned autonomous computer control from a research curiosity into a product category almost overnight.

Nvidia entered the fray last week with NemoClaw, its own framework designed to simplify the setup and deployment of OpenClaw with added security controls. Anthropic is now entering a market that the open-source community essentially created, betting that its advantages — tighter integration, a consumer-friendly interface, and an existing subscriber base — can compete with free.

Smaller startups are also pushing into the space. Coasty, which offers both a desktop app and browser-based AI agent for Mac and Windows, markets itself as providing "full browser, desktop, and terminal automation with a native experience." One user on social media directly pitched Coasty in the replies to Anthropic's announcement, claiming it offers "much better user experience and more accurate" results — a sign of how crowded and competitive the computer-use agent space has become in a matter of months.

The competitive dynamics extend beyond just computer use. Reuters has reported that OpenAI is sweetening its pitch to private equity firms amid what the wire service described as an "enterprise turf war with Anthropic." The two companies are locked in an escalating battle for enterprise customers, and the ability to offer agents that can actually operate within a company's existing software stack — not just chat about it — is increasingly the differentiator.
Prompt injection, screenshot surveillance, and the unsolved security risks of letting AI control your desktop

If the competitive pressure explains why Anthropic shipped this feature now, the safety caveats explain why the company is hedging its bets. Computer use runs outside the virtual machine that Cowork normally uses for file operations and commands. That means Claude is interacting with the user's actual desktop and applications — not an isolated sandbox. The implications are significant: a misclick, a misunderstood instruction, or a prompt injection attack could have real consequences on a user's live system.

Anthropic has built several layers of defense. Claude requests permission before accessing each application. Some sensitive apps — investment platforms, cryptocurrency tools — are blocked by default. Users can maintain a blocklist of applications Claude is never allowed to touch. The system scans for signs of prompt injection during computer use sessions. And users can stop Claude at any point.

But the company is remarkably forthright about the limits of these protections. "Computer use is still early compared to Claude's ability to code or interact with text," Anthropic's blog post states. "Claude can make mistakes, and while we continue to improve our safeguards, threats are constantly evolving." The help center documentation goes further, explicitly warning users not to use computer use to manage financial accounts, handle legal documents, process medical information, or interact with apps containing other people's personal information. Anthropic also advises against using Cowork for HIPAA, FedRAMP, or FSI-regulated workloads.

For enterprise and team customers, there is an additional wrinkle. Cowork conversation history is stored locally on the user's device, not on Anthropic's servers. But critically, enterprise features like audit logs, compliance APIs, and data exports do not currently capture Cowork activity.
This means that organizations subject to regulatory oversight have no centralized record of what Claude did on a user's machine — a gap that could be a dealbreaker for compliance-sensitive industries.

One user flagged this concern on social media with particular precision. NomanInnov8 wrote: "when the agent IS the user (same mouse, keyboard, screen), traditional forensic markers won't distinguish human vs AI actions. How are we thinking about audit trails here?"

The question is not academic. As AI agents gain the ability to take real-world actions — sending emails, modifying files, interacting with financial systems — the ability to distinguish between human and machine actions becomes a foundational requirement for governance, liability, and compliance. Anthropic has not yet answered it.

From excitement to anxiety: How users are reacting to Claude's new power over their machines

The social media reaction to the announcement split roughly into three camps: those excited about the productivity implications, those concerned about the security risks, and those frustrated that they cannot yet use it.

The enthusiasm was genuine and widespread. "Legit just got the update and used it with dispatch — exactly the feature I wanted," wrote one X user. Mike Joseph called the speed of Anthropic's feature releases "fantastic." Another X user noted the significance for non-technical users: "Very exciting for non-tech folks who don't want or know how to set up OpenClaw."

But the security concerns were equally pointed. One user, posting as Profannyti, wrote: "Granting that kind of control over your personal device doesn't sit right. It's almost like letting someone you barely know take the wheel and trusting everything will be fine." As Engadget reported, experts have warned that one major concern with agentic AI is that "it can take major, sometimes dramatic actions quickly and with little warning," and that such tools "can also be hijacked by malicious actors."
Several users flagged practical frustrations as well. Windows users — excluded from the macOS-only research preview — expressed predictable dismay. Others reported that the new features were consuming their usage quotas at alarming rates. One Max 20x subscriber paying $200 per month complained that Dispatch was "eating my quota like crazy," consuming 10% of their allowance in a single prompt. Another user linked to the GitHub bug report about the 20MB payload issue, calling the situation "quite urgent."

Anthropic's enterprise playbook: Plugins, pricing tiers, and the bet that AI agents can replace entire workflows

The pricing structure reveals where Anthropic sees the real market. While individual Pro users get access to Cowork, the company notes that agentic tasks "consume more capacity than regular chat" because "Claude coordinates multiple sub-agents and tool calls to complete complex work." Heavy users are nudged toward Max plans at $100 or $200 per month. For teams, the pricing starts at $20 per seat per month for groups of five to 75 users. Enterprise pricing is custom and includes admin controls to toggle Cowork on or off for the organization.

The plugin architecture is where Anthropic's enterprise ambitions become clearest. Plugins bundle skills, connectors, and sub-agents into a single install that turns Claude into a domain specialist — for legal work, finance, brand voice management, or other functions. Anthropic already lists plugins for legal workflows (contract review, NDA triage), finance (journal entries, reconciliation, variance analysis), and brand voice (analyzing existing documents to enforce guidelines).

The company is betting that the combination of computer use, Dispatch, scheduled tasks, and domain-specific plugins will create an agent capable enough to justify enterprise procurement. The testimonials Anthropic has gathered suggest the pitch is landing with at least some organizations.
Larisa Cavallaro, identified as an AI Automation Engineer, described connecting Cowork to her company's tech stack and asking it to identify engineering bottlenecks. Claude, she said, returned "an interactive dashboard, team-by-team efficiency analyses, and a prioritized roadmap." Joel Hron, a CTO, offered a more philosophical framing: "The human role becomes validation, refinement, and decision-making. Not repetitive rework."

The AI industry's defining tension: Shipping fast enough to win, slow enough to be safe

Anthropic is shipping these capabilities at a moment of extraordinary velocity in the AI industry — and extraordinary uncertainty about what that velocity means. The company's own research quantifies the transformation underway. Its economic index, published in March 2026, tracks how AI is reshaping labor markets and productivity across sectors. The data suggests that AI adoption is accelerating unevenly, with knowledge workers in technology, finance, and professional services seeing the most dramatic shifts.

Anthropic is also navigating significant external pressures beyond the product arena. Recent reporting has highlighted scrutiny from Senator Elizabeth Warren regarding Anthropic's defense and supply chain relationships — a reminder that the company's ambitions to build powerful autonomous agents exist within an increasingly complex political and regulatory environment.

For now, the computer use feature remains early and imperfect. Complex tasks sometimes require a second attempt. Screen interaction is meaningfully slower than direct integrations. The audit trail gap for enterprise users is a genuine liability. And the fundamental tension between giving an AI agent enough access to be useful and limiting that access enough to be safe remains unresolved.

But Anthropic is not waiting for perfection.
The company is building in public, shipping capabilities it openly describes as incomplete, and betting that users will tolerate a 50 percent success rate today in exchange for the promise of something transformative tomorrow. It is a calculation that only works if the failures remain minor — a missed click, a stalled task, an unread email. The moment a failure isn't minor, the calculus changes entirely. The AI industry has spent the last three years proving that machines can think. Anthropic is now asking a harder question: whether humans are ready to let them act. The answer, for the moment, is a provisional yes — hedged with permissions dialogs, blocklists, and the quiet hope that nothing important gets deleted before the technology catches up to the ambition.
- OpenClaw has 500,000 instances and no enterprise kill switch

“Your AI? It’s my AI now.” The line came from Etay Maor, VP of Threat Intelligence at Cato Networks, in an exclusive interview with VentureBeat at RSAC 2026 — and it describes exactly what happened to a U.K. CEO whose OpenClaw instance ended up for sale on BreachForums. Maor's argument is that the industry handed AI agents the kind of autonomy it would never extend to a human employee, discarding zero trust, least privilege, and assume-breach in the process.

The proof arrived on BreachForums three weeks before Maor’s interview. On February 22, a threat actor using the handle “fluffyduck” posted a listing advertising root shell access to the CEO’s computer for $25,000 in Monero or Litecoin. The shell was not the selling point. The CEO’s OpenClaw AI personal assistant was. The buyer would get every conversation the CEO had with the AI, the company’s full production database, Telegram bot tokens, Trading 212 API keys, and personal details the CEO disclosed to the assistant about family and finances. The threat actor noted the CEO was actively interacting with OpenClaw in real time, making the listing a live intelligence feed rather than a static data dump.

Cato CTRL senior security researcher Vitaly Simonovich documented the listing on February 25. The CEO’s OpenClaw instance stored everything in plain-text Markdown files under ~/.openclaw/workspace/ with no encryption at rest. The threat actor didn't need to exfiltrate anything; the CEO had already assembled it. When the security team discovered the breach, there was no native enterprise kill switch, no management console, and no way to inventory how many other instances were running across the organization.

OpenClaw runs locally with direct access to the host machine’s file system, network connections, browser sessions, and installed applications. The coverage to date has tracked its velocity, but what it hasn't mapped is the threat surface.
The four vendors who used RSAC 2026 to ship responses still haven't produced the one control enterprises need most: a native kill switch.

The threat surface by the numbers

| Metric | Numbers | Source |
| --- | --- | --- |
| Internet-facing instances | ~500,000 (March 24 live check) | Etay Maor, Cato Networks (exclusive RSAC 2026 interview) |
| Exposed instances with security risks | 30,000+ observed during scan window | Bitsight |
| Exploitable via known RCE | 15,200 instances | SecurityScorecard |
| High-severity CVEs | 3 (highest CVSS: 8.8) | NVD (24763, 25157, 25253) |
| Malicious skills on ClawHub | 341 in Koi audit (335 from ClawHavoc); 824 by mid-Feb | Koi |
| ClawHub skills with critical flaws | 13.4% of 3,984 analyzed | Snyk |
| API tokens exposed (Moltbook) | 1.5 million | Wiz |

Maor ran a live Censys check during an exclusive VentureBeat interview at RSAC 2026. “The first week it came out, there were about 6,300 instances. Last week, I checked: 230,000 instances. Let’s check now… almost half a million. Almost doubled in one week,” Maor said.

Three high-severity CVEs define the attack surface: CVE-2026-24763 (CVSS 8.8, command injection via Docker PATH handling), CVE-2026-25157 (CVSS 7.7, OS command injection), and CVE-2026-25253 (CVSS 8.8, token exfiltration to full gateway compromise). All three CVEs have been patched, but OpenClaw has no enterprise management plane, no centralized patching mechanism, and no fleet-wide kill switch. Individual administrators must update each instance manually, and most have not.

The defender-side telemetry is just as alarming. CrowdStrike's Falcon sensors already detect more than 1,800 distinct AI applications across its customer fleet — from ChatGPT to Copilot to OpenClaw — generating around 160 million unique instances on enterprise endpoints. ClawHavoc, a malicious skill distributed through the ClawHub marketplace, became the primary case study in the OWASP Agentic Skills Top 10.
CrowdStrike CEO George Kurtz flagged it in his RSAC 2026 keynote as the first major supply chain attack on an AI agent ecosystem.

AI agents got root access. Security got nothing.

Maor framed the visibility failure through the OODA loop (observe, orient, decide, act) during the RSAC 2026 interview. Most organizations are failing at the first step: security teams can't see which AI tools are running on their networks, which means the productivity tools employees bring in quietly become shadow AI that attackers exploit.

The BreachForums listing proved the end state. The CEO’s OpenClaw instance became a centralized intelligence hub with SSO sessions, credential stores, and communication history aggregated into one location. “The CEO’s assistant can be your assistant if you buy access to this computer,” Maor told VentureBeat. “It’s an assistant for the attacker.”

Ghost agents amplify the exposure. Organizations adopt AI tools, run a pilot, lose interest, and move on — leaving agents running with credentials intact. “We need an HR view of agents. Onboarding, monitoring, offboarding. If there’s no business justification? Removal,” Maor told VentureBeat. “We’re not left with any ghost agents on our network, because that’s already happening.”

Cisco moved toward an OpenClaw kill switch

Cisco President and Chief Product Officer Jeetu Patel framed the stakes during an exclusive VentureBeat interview at RSAC 2026. “I think of them more like teenagers. They’re supremely intelligent, but they have no fear of consequence,” Patel said of AI agents. “The difference between delegating and trusted delegating of tasks to an agent … one of them leads to bankruptcy. The other one leads to market dominance.”

Cisco launched three free, open-source security tools for OpenClaw at RSAC 2026. DefenseClaw packages Skills Scanner, MCP Scanner, AI BoM, and CodeGuard into a single open-source framework running inside NVIDIA’s OpenShell runtime, which NVIDIA launched at GTC the week before RSAC.
“Every single time you actually activate an agent in an Open Shell container, you can now automatically instantiate all the security services that we have built through Defense Claw,” Patel told VentureBeat.

AI Defense Explorer Edition is a free, self-serve version of Cisco’s algorithmic red-teaming engine, testing any AI model or agent for prompt injection and jailbreaks across more than 200 risk subcategories. The LLM Security Leaderboard ranks foundation models by adversarial resilience rather than performance benchmarks. Cisco also shipped Duo Agentic Identity to register agents as identity objects with time-bound permissions, Identity Intelligence to discover shadow agents through network monitoring, and the Agent Runtime SDK to embed policy enforcement at build time.

Palo Alto made agentic endpoints a security category of their own

Palo Alto Networks CEO Nikesh Arora characterized OpenClaw-class tools as creating a new supply chain running through unregulated, unsecured marketplaces during an exclusive March 18 pre-RSA briefing with VentureBeat. Koi found 341 malicious skills on ClawHub in its initial audit, with the total growing to 824 as the registry expanded. Snyk found 13.4% of analyzed skills contained critical security flaws.

Palo Alto Networks built Prisma AIRS 3.0 around a new agentic registry that requires every agent to be logged before operating, with credential validation, MCP gateway traffic control, agent red-teaming, and runtime monitoring for memory poisoning. The pending Koi acquisition adds supply chain visibility specifically for agentic endpoints.

Cato CTRL delivered the adversarial proof

Cato Networks’ threat intelligence arm Cato CTRL presented two sessions at RSAC 2026. The 2026 Cato CTRL Threat Report, published separately, includes a proof-of-concept “Living Off AI” attack targeting Atlassian’s MCP and Jira Service Management.
Maor’s research provides the independent adversarial validation that vendor product announcements cannot deliver on their own. The platform vendors are building governance for sanctioned agents. Cato CTRL documented what happens when the unsanctioned agent on the CEO’s laptop gets sold on the dark web.

Monday morning action list

Regardless of vendor stack, four controls apply immediately: bind OpenClaw to localhost only and block external port exposure, enforce application allowlisting through MDM to prevent unauthorized installations, rotate every credential on machines where OpenClaw has been running, and apply least-privilege access to any account an AI agent has touched.

- Discover the install base. CrowdStrike’s Falcon sensor, Cato’s SASE platform, and Cisco Identity Intelligence all detect shadow AI. For teams without premium tooling, query endpoints for the ~/.openclaw/ directory using native EDR or MDM file-search policies. If the enterprise has no endpoint visibility at all, run Shodan and Censys queries against corporate IP ranges.
- Patch or isolate. Check every discovered instance against CVE-2026-24763, CVE-2026-25157, and CVE-2026-25253. Instances that cannot be patched should be network-isolated. There is no fleet-wide patching mechanism.
- Audit skill installations. Review installed skills against Cisco’s Skills Scanner or the Snyk and Koi research. Any skill from an unverified source should be removed immediately.
- Enforce DLP and ZTNA controls. Cato’s ZTNA controls restrict unapproved AI applications. Cisco Secure Access SSE enforces policy on MCP tool calls. Palo Alto’s Prisma Access Browser controls data flow at the browser layer.
- Kill ghost agents. Build a registry of every AI agent running. Document business justification, human owner, credentials held, and systems accessed. Revoke credentials for agents with no justification. Repeat weekly.
- Deploy DefenseClaw for sanctioned use. Run OpenClaw inside NVIDIA’s OpenShell runtime with Cisco’s DefenseClaw to scan skills, verify MCP servers, and instrument runtime behavior automatically.
- Red-team before deploying. Use Cisco AI Defense Explorer Edition (free) or Palo Alto Networks’ agent red-teaming in Prisma AIRS 3.0. Test the workflow, not just the model.

The OWASP Agentic Skills Top 10, published using ClawHavoc as its primary case study, provides a standards-grade framework for evaluating these risks.

Four vendors shipped responses at RSAC 2026. None of them is a native enterprise kill switch for unsanctioned OpenClaw deployments. Until one exists, the Monday morning action list above is the closest thing to one.
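As an added example that is not code from the article or from any vendor named in it, the POSIX shell script below implements two of the action-list controls on a single host: discovering per-user ~/.openclaw/ installs (and the plain-text workspace files the BreachForums listing exposed) as a seed for the agent registry, and flagging listening sockets not bound to localhost from `ss -ltnp` output. The sample socket table, its ports, pids and process names are constructed for the example; OpenClaw's real listening port and process name are not assumed, so every external listener is reported for the operator to correlate.

```shell
#!/bin/sh
# Added example (not from the article or any vendor tool). Two host-level
# checks from the Monday morning action list:
#   1. find_openclaw_dirs / inventory: locate ~/.openclaw/ per user and count
#      plain-text .md files under workspace/ (the data the listing sold);
#   2. flag_external_listeners: parse `ss -ltnp` output and report sockets
#      bound to anything other than 127.0.0.1 / ::1 (bind-to-localhost check).

# find_openclaw_dirs HOME_ROOT  ->  one <home>/.openclaw path per line
find_openclaw_dirs() {
    root="$1"
    for d in "$root"/*/.openclaw; do
        [ -d "$d" ] && printf '%s\n' "$d"
    done
    return 0
}

# count_workspace_md OPENCLAW_DIR  ->  number of .md files under workspace/
count_workspace_md() {
    ws="$1/workspace"
    if [ -d "$ws" ]; then
        find "$ws" -type f -name '*.md' | wc -l | tr -d ' '
    else
        echo 0
    fi
}

# inventory HOME_ROOT  ->  "owner,path,workspace_md_files" per install.
# Owner, credentials held and business justification still need a human;
# this only seeds the registry the article asks for.
inventory() {
    find_openclaw_dirs "$1" | while IFS= read -r dir; do
        owner=$(basename "$(dirname "$dir")")
        printf '%s,%s,%s\n' "$owner" "$dir" "$(count_workspace_md "$dir")"
    done
}

# flag_external_listeners  (stdin: `ss -ltnp` output)  ->  "addr:port process"
# for each LISTEN socket whose local address is not loopback. 0.0.0.0, * and
# [::] mean "all interfaces", which is exactly the exposure the list bans.
flag_external_listeners() {
    awk 'NR > 1 {
        addr = $4
        sub(/:[0-9]+$/, "", addr)          # drop the :port suffix
        if (addr != "127.0.0.1" && addr != "[::1]" && addr != "::1")
            print $4, $6
    }'
}

# Constructed sample in `ss -ltnp` layout (ports, pids and process names are
# made up, not OpenClaw defaults): two loopback listeners, two external ones.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    127.0.0.1:8080       0.0.0.0:*         users:(("node",pid=4242,fd=21))
LISTEN 0      128    0.0.0.0:8080         0.0.0.0:*         users:(("node",pid=4243,fd=21))
LISTEN 0      4096   [::1]:631            [::]:*            users:(("cupsd",pid=900,fd=7))
LISTEN 0      128    *:3000               *:*               users:(("node",pid=4300,fd=19))'

# Usage: sh openclaw_inventory.sh /home   (/Users on macOS). With no argument
# only the constructed sample is checked, so the script is safe to dry-run.
if [ $# -gt 0 ]; then
    echo "# owner,path,workspace_md_files"
    inventory "$1"
    echo "# external listeners (from ss -ltnp)"
    ss -ltnp 2>/dev/null | flag_external_listeners
else
    printf '%s\n' "$SAMPLE_SS" | flag_external_listeners
fi
```

Run against the constructed sample it reports `0.0.0.0:8080` and `*:3000`; on a real host, feed the same function the live `ss -ltnp` output and compare the inventory lines against the registry from the "Kill ghost agents" step.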