Skip to main content
hc
Submit
toolsSource-backedReview first Safety Privacy

Nanobot AI

MIT-licensed personal AI agent framework with a small Python core, WebUI, CLI, chat channels, persistent goals, memory, MCP servers, CLI Apps, cron, shell and file tools, provider routing, OpenAI-compatible API serving, and deployment paths for long-running self-hosted agents.

by HKUDS·added 2026-06-18·
CLI
HarnessCLI
Review first review before installing

Open the source and read safety notes before installing.

Safety notes

  • Prefer package-manager installs such as `uv tool install nanobot-ai`, `pipx install nanobot-ai`, or a reviewed virtual-environment install. Upstream also documents downloaded installer scripts; inspect those scripts first instead of running remote shell content blindly.
  • Nanobot can execute shell commands, read and write workspace files, call MCP servers, fetch web content, run cron jobs, access chat channels, and keep long-running agent goals alive. Review every enabled tool surface before exposing it to nonlocal users.
  • `tools.restrictToWorkspace` is an application-level guard, not an operating-system sandbox. On Linux, combine it with `tools.exec.sandbox: "bwrap"` when shell execution should be isolated from config files and API keys.
  • HTTP and SSE MCP endpoints share Nanobot's SSRF guard. Keep `tools.ssrfWhitelist` narrow and prefer single-host CIDRs when private endpoints must be allowed.
  • Channel `allowFrom` and pairing controls decide who can talk to the bot. Avoid `allowFrom: ["*"]` unless the channel, workspace, and tool policy are intentionally public.
  • Docker deployment can require extra Linux capability settings for bubblewrap-based shell sandboxing. Review the Docker security notes before mounting secrets or persistent workspaces.

Privacy notes

  • Nanobot stores config, sessions, memory, cron jobs, workspace files, media, channel state, and logs under the configured Nanobot paths, usually `~/.nanobot`.
  • Provider API keys, bot tokens, email credentials, OAuth state, MCP headers, and chat-channel secrets can appear in config or environment variables. Use environment placeholders and protected files instead of literal secrets.
  • WebUI, chat apps, CLI sessions, and the OpenAI-compatible API can expose prompts, files, generated artifacts, tool output, screenshots or media attachments, channel IDs, user IDs, and conversation history to the selected model provider and enabled observability tools.
  • Langfuse tracing, if configured with environment variables and installed support, can export OpenAI-compatible provider calls to the configured Langfuse project.
  • Remote MCP servers, hosted search providers, image providers, chat platforms, and model providers each receive the data sent through their specific integration path.

Prerequisites

  • Python 3.11 or newer and either uv, pipx, pip in a virtual environment, or a source checkout.
  • At least one model provider, local model endpoint, OAuth-backed provider, or OpenAI-compatible endpoint configured with credentials or an API base URL.
  • A persistent `~/.nanobot` config and workspace location for sessions, memory, cron jobs, channel state, logs, generated artifacts, and WebUI runtime data.
  • Optional chat-channel credentials for Telegram, Discord, Slack, Matrix, Feishu, WeChat, Email, Microsoft Teams, Signal, or another supported channel.
  • A reviewed MCP, CLI App, shell, filesystem, and workspace policy before exposing Nanobot to long-running chat channels or shared WebUI access.

Schema details

Install type
cli
Troubleshooting
No
Source repository stats
Scope
Source repo
Collection metadata
Estimated setup
30 minutes
Difficulty
advanced
Tool listing metadata
Pricing
free
Disclosure
editorial
Application category
DeveloperApplication
Operating system
Cross-platform
Full copyable content
uv tool install nanobot-ai
nanobot --version
nanobot onboard --wizard
nanobot status
nanobot agent -m "Hello!"

About this resource

Overview

Nanobot AI is an open-source personal agent framework for running a lightweight agent across local CLI sessions, a browser WebUI, chat apps, MCP servers, CLI Apps, memory, cron, and long-running workspaces. It is not just a chatbot UI: the Python package exposes an agent runtime with channels, provider routing, workspace-aware tools, MCP integration, an OpenAI-compatible API surface, and deployment patterns for keeping the gateway online.

Use it when you want a self-hosted agent that can stay connected to your own tools and channels without adopting a large hosted automation platform. It is especially relevant for searches around personal AI agents, Claude-compatible workbenches, Codex/OpenAI provider routing, MCP-enabled agents, and chat-native agent deployment.

Install

Install the published Python package:

uv tool install nanobot-ai
nanobot --version

Initialize or refresh the local config and workspace:

nanobot onboard --wizard
nanobot status
nanobot agent -m "Hello!"

The upstream README also documents downloaded installer scripts for macOS, Linux, and Windows. Those are convenience paths, but they should be inspected before use. For agent and automation environments, prefer a package manager, virtual environment, or reviewed source checkout so the install path is clear.

Configuration Model

Nanobot stores its default config at ~/.nanobot/config.json and workspace state under ~/.nanobot/workspace/. The docs recommend proving a single local agent reply before enabling WebUI, chat channels, Docker, systemd, LaunchAgent, or custom tools.

Minimal production-oriented settings usually cover:

  • Provider credentials through environment variables or a protected config file.
  • A named model preset selected by agents.defaults.modelPreset.
  • Workspace restriction for filesystem and shell-adjacent work.
  • Explicit channel access control through allowFrom or pairing.
  • Narrow MCP tool exposure with enabledTools when a server offers broad capabilities.

Capability Map

Area Nanobot Coverage
CLI agent nanobot agent, one-shot messages, interactive chat, explicit config/workspace flags, and session selection
WebUI Browser workbench with chat sessions, model controls, project workspaces, activity rendering, Apps, Skills, settings, and automations
Gateway Long-running process for chat channels, WebSocket/WebUI, cron-backed jobs, Dream/memory jobs, and a health endpoint
Chat channels Telegram, Discord, WhatsApp, WeChat, Feishu, DingTalk, Slack, Matrix, Email, QQ, Napcat, WeCom, Microsoft Teams, Mochat, and Signal docs
MCP Stdio and HTTP/SSE MCP servers configured under tools.mcpServers, with optional headers, timeouts, and enabledTools filtering
CLI Apps Extension path for CLI-native tools, surfaced with MCP-style capability mentions in newer releases
Tools Filesystem, shell execution, web search/fetch, MCP, cron, image generation, and runtime self-inspection
Memory Session history, long-term memory, Dream consolidation, and workspace-scoped state
Providers Anthropic, OpenAI-compatible providers, local endpoints, OAuth-backed OpenAI Codex/GitHub Copilot paths, image providers, transcription, fallbacks, and model presets
API nanobot serve exposes OpenAI-compatible /v1/chat/completions, /v1/models, and health routes
Deployment Docker Compose, Docker CLI, Linux systemd user service, and macOS LaunchAgent docs

MCP and Agent Workflows

Nanobot treats MCP servers as native agent tools once they are configured under tools.mcpServers. Stdio servers use command, args, and optional env; remote servers use url and optional headers. HTTP and SSE MCP connections are checked by the shared SSRF guard before probing, before connecting, and again before following redirects.

For broad MCP servers, use enabledTools to keep the active tool surface small. The setting accepts raw MCP tool names such as read_file or Nanobot-wrapped names such as mcp_filesystem_read_file.

WebUI and Channels

The WebUI is served by the WebSocket channel after nanobot gateway starts. It adds session management, project workspace selection, visible agent activity, model settings, Apps, Skills, and automations around the same Nanobot runtime.

Chat channels use a common setup pattern: configure the channel credentials, keep access narrow with allowFrom or pairing, verify nanobot channels status, then run nanobot gateway --verbose while debugging startup. The docs call out that allowing everyone on a channel should only be used when that is intentional.

Security Boundaries

Nanobot has useful controls, but they need to be configured deliberately:

  • tools.restrictToWorkspace keeps workspace-aware file tools under the active workspace and applies best-effort shell working-directory checks.
  • tools.exec.sandbox: "bwrap" adds Linux bubblewrap isolation for shell commands and hides config files/API keys from the sandboxed process.
  • tools.exec.enable: false removes the shell tool entirely.
  • tools.ssrfWhitelist exempts private networks from the shared SSRF guard and should be kept as narrow as possible.
  • Channel allowFrom and pairing determine who can send instructions into the agent.

Those controls matter because a long-running personal agent often has access to local files, project workspaces, chat credentials, model provider keys, and MCP tools at the same time.

Use Cases

  • Run a local personal agent with persistent workspace, sessions, memory, and provider routing.
  • Connect a Claude/OpenAI-compatible model workflow to MCP servers without manually wiring every tool into a separate host app.
  • Keep an AI assistant online in Discord, Telegram, Slack, Matrix, Email, or a private WebUI while preserving explicit channel access controls.
  • Operate long-running goals, cron automations, and workbench sessions from a self-hosted Python runtime.
  • Expose a controlled OpenAI-compatible API for local experiments around one configured Nanobot instance.
  • Compare lightweight self-hosted personal-agent stacks against larger agent platforms or hosted workflow automation tools.

Source Review

Verified on 2026-06-18:

  • GitHub metadata reported HKUDS/nanobot as an MIT-licensed Python repository with the description Lightweight, open-source AI agent for your tools, chats, and workflows, a homepage at nanobot.wiki, active updates on 2026-06-18, latest release v0.2.1 published on 2026-06-01, and more than 44,000 stars.
  • PyPI metadata for nanobot-ai reported version 0.2.1, summary A lightweight personal AI assistant framework, Python >=3.11, MIT license, and dependencies including Anthropic, OpenAI, MCP, web, channel, document, cron, and provider-related packages.
  • The docs index says the repository docs track current source while published release documentation lives at nanobot.wiki, and points users through quick start, concepts, provider, WebUI, chat app, deployment, OpenAI API, Python SDK, and MCP configuration pages.
  • The configuration docs document environment-variable secret placeholders, provider/model presets, channel settings, web tools, image generation, MCP servers, shell/workspace controls, SSRF whitelisting, pairing, and Langfuse observability.
  • The MCP configuration section documents stdio and HTTP/SSE server config, optional headers, toolTimeout, enabledTools, and shared SSRF validation for remote MCP endpoints.
  • The WebUI docs describe a packaged browser workbench with chat sessions, visible agent activity, workspace selection, Apps, MCP presets, Skills, Automations, settings, and WebSocket-channel serving.
  • The chat-app docs document a common gateway-backed setup pattern and channel coverage across Telegram, Discord, WhatsApp, WeChat, Feishu, DingTalk, Slack, Matrix, Email, QQ, Napcat, WeCom, Microsoft Teams, Mochat, and Signal.
  • The architecture docs map the runtime across channels, message bus, agent loop, provider/tool runner, tools, state, WebUI/gateway, memory, MCP, filesystem, shell, web, cron, image generation, and security boundaries.
  • Release v0.2.1 describes WebUI workbench improvements, stronger long-running goal stability, unified CLI Apps and MCP extension workflows, broader provider routing, channel additions, and security/reliability hardening.
#nanobot#personal-agent#ai-agent#mcp#cli-apps#webui#chatbots#automations

Source citations

Add this badge to your README

Show that Nanobot AI is listed on HeyClaude. Paste this Markdown into your README — it renders the badge and links back to this page.

Listed on HeyClaude
[![Listed on HeyClaude](https://heyclau.de/badge/tools/nanobot-ai.svg)](https://heyclau.de/entry/tools/nanobot-ai)

How it compares

Nanobot AI side by side with 3 alternatives on trust, install, platform support, and disclosed safety notes — all from reviewed registry metadata.

FieldNanobot AI

MIT-licensed personal AI agent framework with a small Python core, WebUI, CLI, chat channels, persistent goals, memory, MCP servers, CLI Apps, cron, shell and file tools, provider routing, OpenAI-compatible API serving, and deployment paths for long-running self-hosted agents.

Open dossier 		Open WebUI

Self-hosted AI platform and web UI for Ollama, OpenAI-compatible APIs, RAG, Python function tools, model builder workflows, artifacts, web search, vector databases, enterprise auth, observability, plugins, and MCP-adjacent OpenAPI integrations.

Open dossier 		AnythingLLM

Local-first AI application for private chat, document RAG, workspace agents, MCP-compatible tools, model routing, memories, scheduled tasks, multimodal workflows, multi-user Docker deployments, and self-hosted agent automation.

Open dossier 		LobeHub (formerly LobeChat)

Self-hostable AI agent workspace formerly known as LobeChat, with agent builder, agent groups, personal memory, model-provider routing, skills, MCP-compatible plugins, Docker deployment, Vercel deployment, and IM gateway workflows.

Open dossier
Trust
Install riskReview firstReview firstReview firstReview first
Notes Safety Privacy Safety Privacy Safety Privacy Safety Privacy
Categorytoolstoolstoolstools
Sourcesource-backedsource-backedsource-backedsource-backed
AuthorHKUDSOpen WebUIMintplex LabsLobeHub
Added2026-06-182026-06-182026-06-182026-06-18
Platforms
CLI
CLI
CLI
CLI
Source repo
Safety notesPrefer package-manager installs such as `uv tool install nanobot-ai`, `pipx install nanobot-ai`, or a reviewed virtual-environment install. Upstream also documents downloaded installer scripts; inspect those scripts first instead of running remote shell content blindly. Nanobot can execute shell commands, read and write workspace files, call MCP servers, fetch web content, run cron jobs, access chat channels, and keep long-running agent goals alive. Review every enabled tool surface before exposing it to nonlocal users. `tools.restrictToWorkspace` is an application-level guard, not an operating-system sandbox. On Linux, combine it with `tools.exec.sandbox: "bwrap"` when shell execution should be isolated from config files and API keys. HTTP and SSE MCP endpoints share Nanobot's SSRF guard. Keep `tools.ssrfWhitelist` narrow and prefer single-host CIDRs when private endpoints must be allowed. Channel `allowFrom` and pairing controls decide who can talk to the bot. Avoid `allowFrom: ["*"]` unless the channel, workspace, and tool policy are intentionally public. Docker deployment can require extra Linux capability settings for bubblewrap-based shell sandboxing. Review the Docker security notes before mounting secrets or persistent workspaces.Open WebUI can run Python function-calling tools, RAG ingestion, web search, web browsing, image generation, plugins, and model/provider integrations; review each capability before enabling it for untrusted users. Docker examples expose web ports and persistent volumes. Mount persistent data, set admin/auth controls, and avoid treating demo defaults as production hardening. Python function tools and plugin pipelines can execute application logic and access configured services. Restrict tool creation and plugin installation to trusted administrators. RAG and web browsing can ingest local documents, URLs, cloud files, and extracted text; test indexing quality and permissions before exposing private corpora to users. Open WebUI uses a custom Open WebUI License with branding restrictions and enterprise-license exceptions. Verify license terms before redistribution, white-labeling, or commercial deployment.AnythingLLM can run agents, scheduled tasks, MCP-compatible tools, browser-like workspace actions, developer APIs, and external model calls; scope tools and credentials before enabling them for users. The upstream Docker guide includes examples that add the SYS_ADMIN capability to the container. Review whether that capability is acceptable for the host before copying production run commands. Multi-user Docker deployments need normal production controls: authentication, TLS, network isolation, secret management, persistent-volume ownership, backups, and upgrade planning. Agent tools, custom agents, model routing, memories, and scheduled tasks can change behavior over time; use least privilege, logging, review gates, and rollback plans for write-capable workflows. Localhost services such as Ollama, Chroma, LocalAI, or LM Studio may need Docker host routing adjustments; avoid exposing local provider ports wider than intended.Review the official deployment guide, generated Compose files, image tags, mounted volumes, and network bindings before running LobeHub on production or personal machines. LobeHub can organize agent teams, schedule work, use memory, connect skills, and use MCP-compatible plugins. Restrict write-capable plugins, account integrations, and scheduled actions until permissions are reviewed. Docker deployment can expose persistent storage, service ports, and provider credentials. Keep compose files, environment files, backups, and reverse-proxy configs under normal server hardening rules. The current repository license file uses the LobeHub Community License with additional commercial derivative-work conditions, while `package.json` still reports MIT. Treat the LICENSE file as the review source for usage decisions. Do not assume self-hosting removes third-party risk: model providers, plugins, skills, analytics, storage providers, and sandbox integrations can still receive data.
Privacy notesNanobot stores config, sessions, memory, cron jobs, workspace files, media, channel state, and logs under the configured Nanobot paths, usually `~/.nanobot`. Provider API keys, bot tokens, email credentials, OAuth state, MCP headers, and chat-channel secrets can appear in config or environment variables. Use environment placeholders and protected files instead of literal secrets. WebUI, chat apps, CLI sessions, and the OpenAI-compatible API can expose prompts, files, generated artifacts, tool output, screenshots or media attachments, channel IDs, user IDs, and conversation history to the selected model provider and enabled observability tools. Langfuse tracing, if configured with environment variables and installed support, can export OpenAI-compatible provider calls to the configured Langfuse project. Remote MCP servers, hosted search providers, image providers, chat platforms, and model providers each receive the data sent through their specific integration path.Chats, prompts, uploaded files, document chunks, embeddings, vector metadata, web search results, browser-fetched pages, Python tool inputs, plugin outputs, voice/video data, logs, metrics, and traces may contain private data. Configured model providers, vector databases, document extraction engines, web search providers, image providers, object storage, Redis, auth providers, and observability backends may receive user data. Keep provider keys, OAuth/LDAP/SSO secrets, database URLs, object storage keys, plugin credentials, uploaded files, RAG indexes, and OpenTelemetry exports out of public repos and screenshots. Define retention, deletion, tenant separation, group permissions, export policy, and audit review before using Open WebUI as a shared internal workspace.Uploaded documents, parsed chunks, embeddings, workspace memories, prompts, chat history, agent state, scheduled task inputs, MCP payloads, provider responses, logs, and API calls may contain sensitive data. The README documents anonymous telemetry and an opt-out through DISABLE_TELEMETRY=true or the in-app privacy setting; review this before using regulated or confidential data. Even with telemetry disabled, outbound calls may still go to configured LLMs, embedding models, vector databases, external tools, cdn.anythingllm.com, GitHub, or GitHubusercontent depending on the deployment. Keep provider keys, JWT secrets, workspace invite links, storage paths, private documents, and generated citations out of public prompts, screenshots, issues, and examples.Agent prompts, chat history, scheduled tasks, personal memory, workspace context, uploaded files, model responses, tool calls, plugin traffic, MCP-compatible plugin payloads, logs, and analytics can contain private data. Model provider API keys, auth secrets, S3/storage credentials, database URLs, sandbox credentials, and analytics settings should stay in deployment secrets, not committed configs or screenshots. If using shared workspaces, define who can inspect agent memory, saved prompts, generated pages, project history, plugin configuration, logs, and scheduled task results. Before enabling cloud providers, plugins, skills, or analytics, review data retention and regional handling outside the self-hosted instance.
Prerequisites
  • Python 3.11 or newer and either uv, pipx, pip in a virtual environment, or a source checkout.
  • At least one model provider, local model endpoint, OAuth-backed provider, or OpenAI-compatible endpoint configured with credentials or an API base URL.
  • A persistent `~/.nanobot` config and workspace location for sessions, memory, cron jobs, channel state, logs, generated artifacts, and WebUI runtime data.
  • Optional chat-channel credentials for Telegram, Discord, Slack, Matrix, Feishu, WeChat, Email, Microsoft Teams, Signal, or another supported channel.
  • Python 3.11 or 3.12 for pip installation, or Docker/Kubernetes for container deployment.
  • Ollama, OpenAI-compatible endpoint, OpenAI API key, or another configured model provider.
  • Persistent storage for the application database and uploaded/RAG content; Docker users must mount `/app/backend/data` to avoid data loss.
  • Optional vector database, document extraction, web search, image generation, speech, enterprise auth, object storage, Redis, or observability services depending on enabled features.
  • Docker for the documented self-hosted path, or the desktop application for a local workstation install.
  • At least the upstream minimum host resources, with disk sized for documents, embeddings, vector storage, models, logs, and backups.
  • A local or remote LLM provider, embedding provider, and optional speech or image models for the workflows the workspace will run.
  • A storage, backup, retention, and access-control plan before ingesting private documents or opening a multi-user Docker instance.
  • Docker Compose, Vercel, or another supported deployment target from the official self-hosting documentation.
  • Model-provider credentials such as `OPENAI_API_KEY`, plus any provider-specific proxy, model list, auth, storage, sandbox, analytics, or database settings required by the deployment.
  • A review of the official deployment files, image tags, mounted volumes, environment variables, and network bindings before running LobeHub on a machine with sensitive data.
  • A storage, auth, backup, retention, and update plan for a self-hosted agent workspace.
Install
uv tool install nanobot-ai
pip install open-webui
docker pull mintplexlabs/anythingllm
docker compose up -d
Config
{
  "providers": {
    "anthropic": {
      "apiKey": "${ANTHROPIC_API_KEY}"
    }
  },
  "modelPresets": {
    "primary": {
      "label": "Primary",
      "provider": "anthropic",
      "model": "claude-sonnet-4-5",
      "maxTokens": 8192,
      "contextWindowTokens": 65536
    }
  },
  "agents": {
    "defaults": {
      "modelPreset": "primary"
    }
  },
  "channels": {
    "websocket": {
      "enabled": true
    }
  },
  "tools": {
    "restrictToWorkspace": true,
    "exec": {
      "sandbox": "bwrap"
    },
    "mcpServers": {
      "filesystem": {
        "command": "npx",
        "args": ["-y", "@modelcontextprotocol/server-filesystem", "/path/to/dir"],
        "enabledTools": ["read_file", "list_directory"]
      }
    }
  }
}
Citations
ClaimUnclaimedUnclaimedUnclaimedUnclaimed

Signals

Loading live community signals…

More like this, weekly

A short, calm digest of reviewed Claude resources. Unsubscribe any time.