NanoClaw, a container-isolated fork of OpenClaw built by NanoCo AI, now routes agent package downloads through JFrog’s curated registries instead of pulling directly from public npm. Creator Gavriel Cohen announced the integration Thursday evening at a JFrog event in San Francisco.
The problem NanoClaw is solving: Claw-based agents can fetch tools and resources they don’t already have in order to extend their own capabilities. When those resources come from a known local source and each fetch gets manual approval, the process works. When they come from public npm, it doesn’t, even with containerized sandboxing: malicious code inside a container can still take harmful actions within whatever scope the container has access to.
“So we teamed up with JFrog and we integrated NanoClaw with JFrog’s registries,” Cohen told The Register. The integration means agents download tools and libraries from a vetted source rather than the open registry.
JFrog already operates an Agent Skills Registry as part of its AI Catalog, positioning itself as the enterprise governance layer for agent skills, MCP servers, and AI-generated code artifacts.
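One way a defender can verify that the routing described above actually holds is to audit the lockfile an agent produced and flag any package that resolved outside the curated registry or lacks an integrity hash. The following is an added example, not NanoClaw or JFrog code; the registry hostname is a placeholder, the lockfile is a constructed package-lock.json (v2/v3 format), and it assumes the container's `.npmrc` already points `registry=` at the curated proxy.

```python
"""Audit an npm lockfile: every fetched package must resolve to the
curated registry and carry an integrity hash. Added example, not project code."""
import json
from urllib.parse import urlparse

# Placeholder for the curated registry host the container is allowed to reach.
ALLOWED_HOSTS = {"npm.curated.example.internal"}

# Constructed sample lockfile: one clean entry, one that slipped through to
# public npm, and one with no integrity hash.
SAMPLE_LOCK = json.dumps({
    "name": "agent-tools", "lockfileVersion": 3,
    "packages": {
        "": {"name": "agent-tools", "version": "1.0.0"},
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://npm.curated.example.internal/left-pad/-/left-pad-1.3.0.tgz",
            "integrity": "sha512-AAAA",
        },
        "node_modules/shady-util": {
            "version": "0.0.1",
            "resolved": "https://registry.npmjs.org/shady-util/-/shady-util-0.0.1.tgz",
            "integrity": "sha512-BBBB",
        },
        "node_modules/unpinned": {
            "version": "2.0.0",
            "resolved": "https://npm.curated.example.internal/unpinned/-/unpinned-2.0.0.tgz",
        },
    },
})


def lockfile_violations(lock_text, allowed_hosts=ALLOWED_HOSTS):
    """Return (path, reason) pairs for entries that bypass the curated registry
    or lack an integrity hash; an empty list means the lockfile is clean."""
    violations = []
    for path, entry in json.loads(lock_text).get("packages", {}).items():
        if path == "" or entry.get("link"):
            continue  # root project or workspace symlink: nothing is fetched
        resolved = entry.get("resolved")
        if not resolved:
            violations.append((path, "no resolved URL"))
            continue
        host = urlparse(resolved).hostname
        if host not in allowed_hosts:
            violations.append((path, f"resolved from {host}"))
        if not entry.get("integrity"):
            violations.append((path, "missing integrity hash"))
    return violations


if __name__ == "__main__":
    for path, reason in lockfile_violations(SAMPLE_LOCK):
        print(f"{path}: {reason}")
```

Run against a real package-lock.json in CI or as a pre-merge gate so that a lockfile which resolved anything from the public registry fails the build instead of reaching production.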
The PR Factory
Cohen also released what he calls the PR Factory, built with NanoClaw and hosted on exe.dev. The system addresses a growing pain point for open source maintainers: AI coding agents have made it trivially easy to open pull requests against any repository, and distinguishing quality contributions from automated reputation-building has become nearly impossible.
“It’s very easy now to point a coding agent at a repo and say, ‘open a pull request for this repo,’” Cohen explained. “And it’s very difficult as a maintainer to tell the difference between a high quality contribution from somebody who’s really using the open source project versus someone who’s just trying to build up the reputation.”
When a PR opens, the factory spins up a dedicated NanoClaw worker agent that posts a thread to Slack, triages the change, reviews the diff, and proposes a test plan. Merges, test runs, and credentialed GitHub actions surface as approval cards in the thread and only fire when a human clicks approve.
Instructions Are Not Security
Cohen used the announcement to make a broader point about agent safety that resonates beyond NanoClaw’s user base. He pointed to the common pattern of configuration files containing warnings like “Important: Never run drop database production.”
“If you see something like this in the Claude.md file, it tells you two things,” Cohen said. “You know that that agent has deleted a production database before. And you know that it can actually still do it again.”
Instructions steer agents toward useful output, Cohen argued, but they are not a security mechanism. “The only way to reliably prevent an agent from taking undesired action is not allowing it to take that action, not giving it the ability to take the action.”
That architectural philosophy, restricting capabilities rather than relying on instructions, is the same principle that Palo Alto Networks’ Unit 42 team recently highlighted when it crawled OpenClaw’s 49,943-skill registry and found supply chain attack chains running through third-party skills.
The Supply Chain Hardening Pattern
The NanoClaw-JFrog integration fits a broader pattern emerging across the agent ecosystem. Unit 42 published its behavioral-integrity verification (BIV) methodology for detecting hidden vulnerabilities in agent skills earlier this week. Datadog announced AI Guard at DASH 2026 for behavioral detection of agent attacks. Cequence shipped an AI Gateway focused on behavior-driven agent security.
Each approach differs in scope, but the through-line is the same: the agent supply chain is the attack surface, and the industry is building the plumbing to control what agents can access before they access it.