NanoClaw gives you something genuinely useful: a real personal AI agent that lives on Telegram, runs in its own sandboxed container, and decides for itself what to do. The sandbox is the point. One agent, one container, no blast radius.
But that same container is also an amnesia machine. Tell the agent you're allergic to penicillin, restart the session, and it's gone. The isolation that makes the agent safe is the same isolation that makes it forgetful. Every conversation starts from zero.
That's not a NanoClaw bug. It's the consequence of a design choice that's actually correct — and it points at the real architecture of agent systems.
The distinctionCompute isolation is not knowledge isolation
There are two different things you want to isolate in an agent fleet, and they pull in opposite directions.
Compute
Each agent runs in its own sandbox, so a bad turn, a prompt injection, or a runaway loop can't reach anything it shouldn't. Per-agent. Ephemeral. NanoClaw does this well.
Knowledge
A fact learned Monday should be there Tuesday. A preference one channel captured should serve another. Persistent. Pooled. Governed — because it's the one place that sees everything.
When compute isolation accidentally becomes knowledge isolation, every agent is brilliant for ninety seconds and then a stranger again. So the architecture wants two layers, not one: a compute layer that isolates, and a cognition layer that's shared and governed.
Many agents, one cognition layer. The agents stay cheap and disposable. The brain is the durable thing underneath them.
The wiringHow we connected it — the honest version
MemClaw is a remote HTTP MCP server (memclaw.net/mcp). NanoClaw's MCP transport is stdio-only — its server config is just { command, args, env }, with no URL transport. So the integration isn't a fork and isn't a config-file edit. It's three real moves:
- Bridge the transport. Add the standard
mcp-remotestdio↔HTTP bridge to the agent image — a one-line merge intocli-tools.json, then a rebuild. Now a stdio MCP client can reach a remote HTTP server. - Register MemClaw per group. NanoClaw keeps MCP servers per agent group in its central DB. One command registers a
memclawserver that runs the bridge. Naming itmemclawauto-exposes every tool asmcp__memclaw__*— write, recall, keystones, and the rest. No allowlist edit. - Tell the agent the brain moved. A short block in the group's
CLAUDE.local.mdmakes MemClaw the authoritative long-term memory, and tells the agent to recall before answering and write durable facts proactively.
That's it. The whole thing ships as a NanoClaw skill: drop it in and run /add-memclaw. The agent now decides on its own when to recall and when to remember, calling the MemClaw tools mid-conversation. The memory is no longer in the container — the container just rents it.
What it actually looks like
Three channels on one screen, all pointed at a single MemClaw tenant: a real NanoClaw Telegram agent (Tele) on your phone, plus a Slack pane and a Web pane that read and write the same brain. This is the live dashboard:
Zoom in on one beat — a fact crossing channels, from the panes above:
- The CFO who owns the budget is Dana Levin.
- The Q3 board meeting is in Lisbon on October 14.
A different channel just used what another channel remembered. Web never saw either statement.
Behind the panes is the brain itself — every memory in the tenant, auto-titled and auto-tagged by MemClaw on write, not by the user:
Payment card number provided
You can bill it to card 4111 •••• •••• ••••.
CFO budget owner is Dana Levin
The CFO who owns the budget is Dana Levin.
Q3 board meeting scheduled in Lisbon (Oct 14)
Our Q3 board meeting is in Lisbon on October 14.
Notice the top card. With PII governance enabled on this tenant, the brain flagged it ⚠ PII on write. (We masked the digits ourselves for this post.)
Governance is the feature, not the footnote
The moment many agents share one brain, that brain becomes the most dangerous surface in the system. Everything they learn pools there. So the cognition layer can't just store — it has to govern, on write.
PII flagging (opt-in)
Turn on PII governance and a card number written in any channel gets a ⚠ PII badge on write — nobody has to remember to catch it. Masking the value itself is a separate mode.
Keystones — policy that outranks the user
A keystone is a fleet-wide rule every agent must obey, overriding conflicting user instructions. Set once, enforced for every agent on the tenant.
Contradiction handling
Correct a fact and MemClaw supersedes the stale version rather than piling up duplicates, so recall stays coherent as the world changes.
NanoClaw isolates compute. MemClaw governs knowledge. The sandbox keeps a bad agent from reaching your system; the cognition layer keeps a careless one from poisoning the shared memory — or leaking through it.
The thesisWhy this is the shape of things
If you believe agents are becoming digital labor, then the interesting question stops being “how good is one agent” and becomes “how many can you run, and what do they stand on.” A fleet of disposable, sandboxed workers is only as valuable as the substrate they share. The compute is commoditizing. The governed, persistent cognition underneath it is not.
That's the bet. NanoClaw is a great way to spawn agents. MemClaw is what they remember with — and, just as importantly, what stops them from remembering the wrong things. One brain, many agents, governed by default.
The demo's Slack and Web panes are demo channels with a simple write/recall heuristic, not full NanoClaw agents — but everything they read and write is the real live tenant, and Tele on Telegram is a real agent. The walkthrough uses a tenant-scoped key, so per-agent read-isolation isn't shown — that needs agent-scoped keys, where identity is bound at mint. And contradiction→supersede runs as a background crystallizer (minutes, not inline), so it's something you describe rather than wait for on stage. The NanoClaw wiring is verified line-by-line against upstream source.