NanoClaw Container Isolation Review Capability Pack Skill
Expert NanoClaw container isolation review capability pack for auditing per-agent containers, mount scopes, credential routing, channel boundaries, and scheduled task blast radius with source-backed review matrices.
Open the source and read safety notes before installing.
Safety notes
- This skill reviews isolation posture; it must not broaden mounts, disable containers, or expose vault secrets without explicit approval.
- Broad host mounts or shared credential vaults can break per-agent isolation; treat as blockers until scoped down.
- Scheduled NanoClaw tasks compound blast radius; require staging proof before unattended production runs.
- Container isolation is not a substitute for MCP tool scope review when agents call external integrations.
Privacy notes
- NanoClaw configs may expose channel IDs, user handles, mount paths, and vault key names in review output.
- Agent transcripts and SQLite routing logs can contain message content and credentials; redact before external sharing.
- Mount listings may reveal internal directory structures; keep detailed paths in private maintainer notes.
- Third-party channel integrations remain subject to vendor retention policies separate from NanoClaw.
Prerequisites
- NanoClaw deployment with agent-group configuration, container mounts, and channel setup available for review.
- Access to NanoClaw documentation and the server repository for mount and vault defaults.
- Ability to test container boundaries in a staging environment before production enablement.
- Security stakeholder for approvals when mounts or credentials exceed least privilege.
Schema details
- Install type: package
- Reading time: 9 min
- Difficulty score: 84
- Troubleshooting: Yes
- Breaking changes: No
- Scope: Source repo
- Skill type: capability-pack
- Skill level: expert
- Verification: validated
- Verified at: 2026-06-15
| Platform | Support | Install path |
|---|---|---|
| claude-code | Native | .claude/skills/<skill-name>/SKILL.md |
| codex | Native | .agents/skills/<skill-name>/SKILL.md |
| windsurf | Native | .windsurf/skills/<skill-name>/SKILL.md |
| gemini | Native | .gemini/skills/<skill-name>/SKILL.md or .agents/skills/<skill-name>/SKILL.md |
| cursor | Adapter | .cursor/rules/<skill-name>.mdc |
| cli | Manual | AGENTS.md or tool-specific context file |
Full copyable content
# Trigger
"Apply the NanoClaw container isolation review capability pack for this deployment."
# Required output
1) Agent group and container inventory summary
2) Mount and filesystem boundary findings
3) Credential vault and channel scope assessment
4) Scheduled task blast-radius review
5) Privacy-safe rollout or block recommendation
About this resource
Knowledge Freshness
This capability pack is grounded in NanoClaw documentation, the public NanoClaw repository, and Claude Code sandboxing cross-links verified on 2026-06-15. Container defaults and mount behavior can change with releases; prefer live docs over cached assumptions.
Retrieval Sources
- https://docs.nanoclaw.dev
- https://github.com/nanocoai/nanoclaw
- https://code.claude.com/docs/en/sandboxing
- https://code.claude.com/docs/en/security
- https://developers.google.com/search/docs/fundamentals/creating-helpful-content
Source Verification Notes
Verified against public NanoClaw documentation and repository on 2026-06-15:
- NanoClaw documents per-session agent containers with OS-level isolation and explicit mount configuration for filesystem boundaries.
- Agent groups, channels, and scheduled tasks route through SQLite-backed message flows that must be scoped to intended recipients.
- Claude Code sandboxing docs provide complementary patterns for Bash isolation when NanoClaw agents invoke terminal workflows.
Scope Note
This pack provides a reusable isolation review workflow for NanoClaw operators.
It complements the NanoClaw tool listing and the nanoclaw-container-isolation-review-agent
in agents by packaging checklist steps, review matrix, and output contract as
a Skill capability pack.
Core Workflow
- Inventory agent groups, containers, channels, mounts, and scheduled tasks.
- Review mount allowlists for host paths, credential directories, and executables on PATH.
- Validate vault and credential routing so agents receive only required secrets.
- Check channel and messaging scope for cross-group leakage or overly broad listeners.
- Assess scheduled tasks for unattended blast radius and rollback paths.
- Run staged tests for mount denial, vault access, and channel isolation failures.
- Produce findings, review matrix actions, and a privacy-safe recommendation.
Capability Scope
- Container and mount boundary review.
- Vault and credential routing checks.
- Channel and messaging scope validation.
- Scheduled task blast-radius assessment.
- Privacy-safe operator summary.
Compatibility
Native
- Claude Code / Claude: use as an Agent Skill when vetting NanoClaw deployments before enabling production agent groups.
Manual Adaptation
- Codex, Cursor, Windsurf, Generic AGENTS: apply the checklist to any NanoClaw deployment using public documentation and repository defaults.
Required Inputs
- NanoClaw agent-group configuration and mount definitions.
- Channel setup, scheduled task definitions, and vault routing rules.
- Staging environment for isolation reproduction tests.
- Security policy for acceptable mount and credential scope.
Production Rules
- Default to the smallest mount set that satisfies required workflows.
- Deny host credential directories unless explicitly documented and approved.
- Require human approval before enabling scheduled tasks with write mounts.
- Treat isolation test failures as blockers, not warnings.
- Document rollback steps before changing production mount policies.
- Keep detailed mount paths in internal notes; summarize risk in public output.
Review Matrix
| Topic | Signal | Action |
|---|---|---|
| Mounts | Host home or PATH dirs writable | Narrow mounts or block enablement |
| Vault | Shared vault across groups | Split credentials per agent group |
| Channels | Cross-group listeners | Scope channels to intended agents |
| Schedules | Unattended write mounts | Require staging proof and approval |
| Tests | Mount denial not reproduced | Fix config before production |
| Docs | README disagrees with config | Align docs and redeploy |
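The Mounts row of the matrix and the credential-directory production rule, as an added example (not NanoClaw code and not part of the original pack). The mount record shape, `HOME`, `PATH_DIRS`, `CREDENTIAL_DIRS` and the sample mounts are assumptions constructed for illustration, not NanoClaw's configuration format.

```python
import posixpath
from pathlib import PurePosixPath

# Assumed policy inputs for this sketch; not NanoClaw defaults.
HOME = PurePosixPath("/home/operator")
PATH_DIRS = [PurePosixPath(p) for p in ("/usr/local/bin", "/usr/bin", "/bin")]
CREDENTIAL_DIRS = [HOME / ".ssh", HOME / ".aws", HOME / ".config/gcloud"]

# Constructed sample mounts in a hypothetical record shape (group, source, mode).
SAMPLE_MOUNTS = [
    {"group": "support", "source": "/srv/agents/support/workspace", "mode": "rw"},
    {"group": "support", "source": "/home/operator", "mode": "rw"},
    {"group": "ops", "source": "/usr/local/bin", "mode": "ro"},
    {"group": "ops", "source": "/usr/bin"},  # mode missing
    {"group": "ops", "source": "/home/operator/projects/../.ssh", "mode": "ro"},
]

def _overlaps(a, b):
    """True when the paths are equal or one contains the other."""
    return a == b or a in b.parents or b in a.parents

def review_mounts(mounts):
    """Return [(group, source, reasons)] for mounts that match a blocker signal."""
    findings = []
    for m in mounts:
        # Lexical normalisation only: symlinks need a check on the host itself.
        src = PurePosixPath(posixpath.normpath(m["source"]))
        writable = m.get("mode", "rw") != "ro"  # a missing mode counts as writable
        reasons = []
        if any(_overlaps(src, c) for c in CREDENTIAL_DIRS):
            reasons.append("credential-dir")
        if writable and (src == HOME or src in HOME.parents):
            reasons.append("host-home-writable")
        if writable and any(_overlaps(src, d) for d in PATH_DIRS):
            reasons.append("path-dir-writable")
        if reasons:
            findings.append((m["group"], m["source"], reasons))
    return findings

def public_summary(findings):
    """Per-group reasons with paths left out, plus an enable/block recommendation."""
    groups = {}
    for group, _source, reasons in findings:
        groups.setdefault(group, set()).update(reasons)
    return {"recommendation": "block" if findings else "enable",
            "groups": {g: sorted(r) for g, r in groups.items()}}

if __name__ == "__main__":
    print(public_summary(review_mounts(SAMPLE_MOUNTS)))
```

`review_mounts` keeps the full source paths for internal notes, while `public_summary` carries only group names and reason labels, matching the rule to keep detailed mount paths out of public output.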
Output Contract
- Deployment inventory summary.
- Mount and filesystem findings with severity.
- Vault and channel scope assessment.
- Scheduled task blast-radius notes.
- Privacy-safe enable/block recommendation.
Troubleshooting
- Issue: Agent fails after mount hardening
  Fix: Add minimal read-only mounts required for the workflow; retest in staging.
- Issue: Vault secret visible to multiple groups
  Fix: Split vault entries and update routing rules per agent group.
- Issue: Scheduled task runs outside intended channel
  Fix: Tighten channel filters and verify SQLite routing constraints.
- Issue: Docs describe isolation features not enabled in config
  Fix: Treat as configuration drift; update deployment before approval.
Duplicate Check
Checked content/skills/, content/agents/, open PRs, and the live catalog.
nanoclaw-container-isolation-review-agent in agents provides a review prompt,
and nanoclaw exists in tools. No skills entry provides this NanoClaw container
isolation review capability pack with review matrix and output contract.
Editorial Disclosure
Submitted as an independent source-backed HeyClaude content entry by kiannidev.
It is based on public NanoClaw documentation and the public NanoClaw repository.
No paid placement, referral link, affiliate link, or vendor sponsorship is used.
How it compares
NanoClaw Container Isolation Review Capability Pack Skill side by side with 3 alternatives on trust, install, platform support, and disclosed safety notes — all from reviewed registry metadata.
| Field | NanoClaw Container Isolation Review Capability Pack Skill | Claude Code Troubleshooting Triage Capability Pack Skill | Claude Agent SDK MCP Integration Capability Pack Skill | Claude Agent SDK Session Storage Capability Pack Skill |
|---|---|---|---|---|
| Description | Expert NanoClaw container isolation review capability pack for auditing per-agent containers, mount scopes, credential routing, channel boundaries, and scheduled task blast radius with source-backed review matrices. | Expert Claude Code troubleshooting triage capability pack for diagnosing install failures, auth errors, MCP issues, sandbox blocks, and update regressions with source-backed triage matrices and privacy-safe support output. | Expert Claude Agent SDK MCP integration capability pack for designing, reviewing, and rolling out Agent SDK MCP integration with source-backed checklists, production rules, and privacy-safe output contracts. | Expert Claude Agent SDK session storage capability pack for designing, reviewing, and rolling out Agent SDK session storage with source-backed checklists, production rules, and privacy-safe output contracts. |
| Install risk | Review first | Review first | Review first | Review first |
| Notes | Safety ✓ Privacy ✓ | Safety ✓ Privacy ✓ | Safety ✓ Privacy ✓ | Safety ✓ Privacy ✓ |
| Category | skills | skills | skills | skills |
| Source | source-backed | source-backed | source-backed | source-backed |
| Author | kiannidev | kiannidev | kiannidev | kiannidev |
| Added | 2026-06-15 | 2026-06-15 | 2026-06-14 | 2026-06-14 |
| Platforms | Claude Code, Codex, Windsurf, Gemini, Cursor, CLI | Claude Code, Codex, Windsurf, Gemini, Cursor, CLI | Claude Code, Codex, Windsurf, Gemini, Cursor, CLI | Claude Code, Codex, Windsurf, Gemini, Cursor, CLI |
| Source repo | — | — | — | — |
| Safety notes | ✓ This skill reviews isolation posture; it must not broaden mounts, disable containers, or expose vault secrets without explicit approval. Broad host mounts or shared credential vaults can break per-agent isolation; treat as blockers until scoped down. Scheduled NanoClaw tasks compound blast radius; require staging proof before unattended production runs. Container isolation is not a substitute for MCP tool scope review when agents call external integrations. | ✓ This skill triages failures; it must not disable sandbox, security, or managed policy without explicit admin approval. Do not paste secrets, OAuth tokens, or session cookies into public troubleshooting threads. Avoid running destructive fix steps (global uninstall, credential deletion) without user confirmation. MCP and plugin removals can break team workflows; document rollback before changes. | ✓ This skill plans Agent SDK MCP integration; it must not execute destructive changes without explicit approval. Browser, computer-use, and remote surfaces can access sensitive UI state; scope tests carefully. MCP and SDK integrations may exfiltrate data if tool scopes are too broad. The public `anthropics/claude-code` repository ships documentation links to code.claude.com for settings, security, and integration surfaces. Scheduled or autonomous workflows compound risk; cap blast radius in staging first. | ✓ This skill plans Agent SDK session storage; it must not execute destructive changes without explicit approval. Browser, computer-use, and remote surfaces can access sensitive UI state; scope tests carefully. MCP and SDK integrations may exfiltrate data if tool scopes are too broad. The public `anthropics/claude-code` repository ships documentation links to code.claude.com for settings, security, and integration surfaces. Scheduled or autonomous workflows compound risk; cap blast radius in staging first. |
| Privacy notes | ✓ NanoClaw configs may expose channel IDs, user handles, mount paths, and vault key names in review output. Agent transcripts and SQLite routing logs can contain message content and credentials; redact before external sharing. Mount listings may reveal internal directory structures; keep detailed paths in private maintainer notes. Third-party channel integrations remain subject to vendor retention policies separate from NanoClaw. | ✓ Troubleshooting logs can expose repo paths, auth emails, internal URLs, and MCP tool arguments. Support handoffs may include session transcripts; redact customer or employee identifiers first. Network proxy and ZDR settings can reveal enterprise security posture; keep details in private channels. Diagnostic exports may contain API usage metadata governed by org retention policies. | ✓ Reviews may expose integration tokens, customer metadata, and internal URLs related to Agent SDK MCP integration. Telemetry and analytics configs can include account emails; redact before sharing externally. Keep troubleshooting logs in internal channels unless explicitly sanitized. Third-party vendors remain outside Anthropic retention policies; document separately. | ✓ Reviews may expose integration tokens, customer metadata, and internal URLs related to Agent SDK session storage. Telemetry and analytics configs can include account emails; redact before sharing externally. Keep troubleshooting logs in internal channels unless explicitly sanitized. Third-party vendors remain outside Anthropic retention policies; document separately. |
| Install | — | — | — | — |
| Config | — | — | — | — |
| Claim | Unclaimed | Unclaimed | Unclaimed | Unclaimed |