Running AI coding agents in team chat sounds great until you think about security. ClaudeClaw, a new open-source project from developer Stephane Busso, tackles that problem head-on by wrapping Claude Code in OS-level process sandboxing while making it persistently available across Slack, Discord, Telegram, WhatsApp, and Gmail.
The project started as a fork of NanoClaw but was rebuilt from scratch into roughly 8,000 lines of TypeScript with 355 tests. The core idea: instead of spinning up Docker containers for each agent session (which NanoClaw did, with 2-5 second startup times), ClaudeClaw uses Anthropic's own @anthropic-ai/sandbox-runtime package. On macOS, that means Seatbelt protection. On Linux, Bubblewrap isolation. Cold starts drop to under 10 milliseconds.
How the Sandboxing Works
The security model flips Docker's approach. Rather than proxying all network traffic through the container, ClaudeClaw gives agents direct credential access but restricts network calls to an allowedDomains whitelist. Each chat group gets its own isolated sandbox process with separate memory files, model settings, cost limits, and tool permissions. One runaway agent cannot touch another group's data.
Built Around Extensions
ClaudeClaw uses a plugin architecture where channels (Slack, Discord) and features (webhooks, cost tracking, triage) are installed as separate extension modules with their own dependencies. The Slack extension supports Socket Mode, threaded conversations, and typing indicators. Agents can be triggered by @mentions, cron schedules, or authenticated webhooks with HMAC-SHA256 signing.
The memory system is practical rather than clever: daily logs, topic-specific files, and long-term storage, all searchable via grep. It layers on top of Claude's built-in memory rather than replacing it.
Each group can configure its own model, reasoning effort level, system prompt, and per-query cost caps. Token usage is logged with USD cost estimates, so you can track what your always-on agents are actually spending.
For teams already using Claude Code and wanting to make it available as a shared resource in Slack or Discord without giving it unrestricted system access, ClaudeClaw is a serious option. The sub-10ms cold starts matter here because chat interactions feel instant rather than waiting seconds for a container to spin up. The project is available on GitHub under the sbusso/claudeclaw repository.