Nanobot, NanoClaw prompt local LLM security questions

The real story here isn’t the backend choice, it’s the trust boundary. Once an agent can read, write, and message on your behalf, the safest design shrinks blast radius first and optimizes prompts second.

• –Based on the docs, Nanobot is MCP-first while NanoClaw is centered on Claude Agent SDK and container isolation, so local inference looks more like a custom integration than a turnkey default.
• –NanoClaw’s per-session container model is the strongest answer to the thread’s security anxiety: isolate the agent before you let it touch real messages or files.
• –The hardening checklist is boring but necessary: prompt-injection tests, tool allowlists, secrets isolation, logging, and human approval for outward-facing or destructive actions.
• –Local models can reduce privacy and cost concerns, but they don’t remove the core risk in agentic systems, which is tool misuse once the model gets a decision loop.