NanoClaw Integrates JFrog Registries to Secure AI Agent Package Downloads
NanoClaw, a secure AI agent framework, has partnered with JFrog to let agents fetch tools from vetted registries, reducing exposure to malicious packages.

NanoClaw, a secure agent framework designed to constrain AI agent behavior, has integrated with supply chain platform JFrog to allow agents to download tools and libraries from reviewed registries. The announcement was made by Gavriel Cohen, creator of NanoClaw and co-founder of NanoCo AI, at a JFrog event in San Francisco on Thursday evening. The partnership addresses a fundamental challenge in agentic AI: when agents autonomously fetch resources to improve themselves, they risk pulling in malicious code from untrusted sources.
Cohen explained that while NanoClaw already sandboxes agents and isolates them in containers, that protection is not sufficient when agents download npm packages or other third-party code. "Malicious code within a container may still be able to take harmful actions, even if the scope of potential activity is constrained," he said. Developers often lack the time to thoroughly vet every package an agent might request, making a trusted registry essential. By integrating with JFrog's reviewed registries, NanoClaw ensures that agents only fetch software from a vetted source, reducing the attack surface.
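The routing described above amounts to two checks on the agent's side of the sandbox: the package manager must be pinned to the vetted registry, and the agent must not be able to name its own package source (a git URL, a tarball link, a local path) that would bypass that registry. The following is an added example, not NanoClaw's or JFrog's code; the registry URL is a constructed placeholder, and `registry=` / `always-auth=` are standard npm config keys.

```python
"""Policy checks for agent-initiated npm installs routed through a vetted registry.

Added example, not NanoClaw or JFrog code. Assumes one approved registry URL
(constructed placeholder) and inspects both the sandbox's .npmrc and the
package specs an agent asks to install.
"""
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumed/constructed: the single vetted registry the sandbox may resolve from.
APPROVED_REGISTRY = "https://artifactory.example.internal/artifactory/api/npm/npm-vetted/"

# Spec prefixes that name their own source and therefore skip the registry.
BYPASS_PREFIXES = ("git+", "git:", "github:", "file:", "http:", "https:", "link:")


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def render_npmrc(registry: str = APPROVED_REGISTRY) -> str:
    """Produce the .npmrc lines that pin the sandbox to the vetted registry."""
    return f"registry={registry}\nalways-auth=true\n"


def check_install_spec(spec: str) -> Decision:
    """Decide whether a package spec may be installed by the agent.

    Allowed: bare registry specs such as `lodash`, `lodash@4.17.21`, `@scope/name@^1.2`.
    Refused: anything that names its own source (git, URL, local path) or aliases.
    """
    s = spec.strip()
    if not s:
        return Decision(False, "empty spec")
    lower = s.lower()
    if lower.startswith(BYPASS_PREFIXES) or "://" in s:
        return Decision(False, f"spec bypasses the registry: {s}")
    # `name@npm:other` installs a different package than the one named.
    if "@npm:" in lower:
        return Decision(False, f"alias spec not permitted: {s}")
    # A leading '@' belongs to the scope, not to the version separator.
    body = s[1:] if s.startswith("@") else s
    name, _, version = body.partition("@")
    if s.startswith("@"):
        name = "@" + name
        if name.count("/") != 1:
            return Decision(False, f"malformed scoped name: {s}")
    elif "/" in name:
        return Decision(False, f"path-like name not permitted: {s}")
    return Decision(True, f"registry spec {name} version '{version or 'latest'}'")


def check_registry_config(npmrc_text: str) -> Decision:
    """Verify that an .npmrc resolves every package from the approved registry only."""
    approved = APPROVED_REGISTRY.rstrip("/")
    configured = None
    for line in npmrc_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "registry":
            configured = value
        elif key.startswith("@") and key.endswith(":registry"):
            # A scoped override would route @scope packages to another host.
            if value.rstrip("/") != approved:
                return Decision(False, f"scoped override {key} points outside the vetted registry")
    if configured is None:
        return Decision(False, "no registry pinned; npm would default to the public registry")
    if configured.rstrip("/") != approved:
        return Decision(False, f"registry {configured} is not the vetted registry")
    if urlparse(configured).scheme != "https":
        return Decision(False, "registry must be reached over https")
    return Decision(True, "registry pinned to vetted source")


if __name__ == "__main__":
    print(render_npmrc())
    for spec in ("lodash@4.17.21", "@scope/name@^1.2", "git+https://example.invalid/x.git"):
        print(spec, "->", check_install_spec(spec))
```

The spec check is deliberately an allow-list of the registry-resolvable forms rather than a block-list of bad ones, since npm accepts several source syntaxes and new ones are easier to miss than to enumerate.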
In addition to the JFrog integration, Cohen unveiled what he called an "agent factory" — a system built with NanoClaw that triages pull requests (PRs) using dedicated worker agents. Named the PR Factory in the pull request that introduced it, the system spins up a worker agent for each incoming PR, posts a thread to Slack, and has the worker review the diff and propose a test plan. Crucially, no consequential action — merging, running tests, or executing credentialed GitHub actions — happens without human approval. "Nothing consequential happens on its own: merges, test runs, and credentialed GitHub actions each surface as an approval card in the thread, and only fire when a human clicks approve," Cohen wrote in the documentation.
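The approval-card pattern described above can be reduced to a small executor in which the worker agent only ever holds the ability to propose, and privileged actions run solely through an approval path a human controls. The following is an added example modelled on that description, not the PR Factory's own code: the Slack thread, GitHub calls and the worker's review are stubbed as recorded events (constructed), so only the gating logic runs.

```python
"""Approval-gated action execution for a PR-triage worker.

Added example, not NanoClaw's PR Factory code. Advisory work (reviewing a diff,
proposing a test plan) runs immediately; merges, test runs and credentialed
actions become approval cards and execute only after a named human approves.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

ADVISORY_ACTIONS = {"review_diff", "propose_test_plan", "post_comment"}
CONSEQUENTIAL_ACTIONS = {"merge", "run_tests", "run_credentialed_action"}


@dataclass
class ProposedAction:
    id: int
    pr: int
    kind: str
    detail: str
    status: str = "proposed"
    approved_by: Optional[str] = None


class PRFactory:
    def __init__(self) -> None:
        self._next_id = 1
        self.thread: List[str] = []                 # stands in for the Slack thread
        self.pending: Dict[int, ProposedAction] = {}  # open approval cards
        self.executed: List[str] = []               # audit log of side effects

    # --- the only entry point a worker agent is given ---------------------
    def propose(self, pr: int, kind: str, detail: str) -> ProposedAction:
        if kind not in ADVISORY_ACTIONS | CONSEQUENTIAL_ACTIONS:
            raise ValueError(f"unknown action kind {kind!r}")
        action = ProposedAction(self._next_id, pr, kind, detail)
        self._next_id += 1
        if kind in ADVISORY_ACTIONS:
            self._run(action)  # no privileged side effect, so no card needed
        else:
            action.status = "awaiting_approval"
            self.pending[action.id] = action
            self.thread.append(f"[PR #{pr}] approval card #{action.id}: {kind}: {detail}")
        return action

    # --- human-only controls ---------------------------------------------
    def approve(self, action_id: int, approver: str) -> ProposedAction:
        action = self.pending.pop(action_id)
        action.status, action.approved_by = "approved", approver
        self.thread.append(f"[PR #{action.pr}] card #{action_id} approved by {approver}")
        self._run(action)
        return action

    def reject(self, action_id: int, approver: str, reason: str) -> ProposedAction:
        action = self.pending.pop(action_id)
        action.status = "rejected"
        self.thread.append(f"[PR #{action.pr}] card #{action_id} rejected by {approver}: {reason}")
        return action

    # --- privileged executor: checks state, not instructions ----------------
    def _run(self, action: ProposedAction) -> None:
        if action.kind in CONSEQUENTIAL_ACTIONS and action.status != "approved":
            raise PermissionError(f"{action.kind} on PR #{action.pr} has no human approval")
        self.executed.append(f"{action.kind}:{action.detail}")
        action.status = "executed"


def worker_triage(factory: PRFactory, pr: int, diff_summary: str) -> List[ProposedAction]:
    """Constructed stand-in for the worker agent's triage of one PR."""
    return [
        factory.propose(pr, "review_diff", f"reviewed: {diff_summary}"),
        factory.propose(pr, "propose_test_plan", "run unit tests for touched modules"),
        factory.propose(pr, "run_tests", "execute proposed test plan in CI"),
    ]


if __name__ == "__main__":
    f = PRFactory()
    actions = worker_triage(f, 42, "adds input validation to parser")
    print("\n".join(f.thread))
    f.approve(actions[-1].id, "maintainer")
    print(f.executed)
```

The point of the split is that `propose` is the whole capability the worker receives; `approve` and `reject` are never handed to it, and `_run` refuses a consequential action in any state other than `approved`, so a worker that ignores its instructions still cannot merge or run credentialed workflows on its own.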
The PR Factory is designed to help maintainers cope with the surge of AI-generated pull requests. "It's very easy now to point a coding agent at a repo and say, 'open a pull request for this repo,'" Cohen noted. "And it's very difficult as a maintainer to tell the difference between a high quality contribution from somebody who's really using the open source project versus someone who's just trying to build up the reputation using automated methods." The factory is hosted on exe.dev, a service providing VMs with persistent storage, and is itself built with NanoClaw.
Cohen also delivered a pointed critique of relying on instructions alone to secure AI agents. He showed a slide with the phrase "Never, ever, ever do this" — a common warning in configuration files like Claude.md that instruct agents not to perform dangerous actions. "If you see something like this in the Claude.md file and the agent instructions say, 'Important: Never run drop database production,' it tells you two things. You know that that agent has deleted a production database before. And you know that it can actually still do it again," he said, drawing a knowing laugh from the audience. "Instructions help steer an agent AI towards valuable output, but it's not a safety mechanism. The only way to reliably prevent an agent from taking undesired action is not allowing it to take that action, not giving it the ability to take the action."
The NanoClaw-JFrog integration represents a practical step toward safer autonomous agents by addressing the supply chain risk inherent in agentic code execution. As AI agents increasingly gain the ability to fetch and run third-party code, the security industry is racing to develop guardrails that go beyond sandboxing and instruction-based safety. Cohen's emphasis on design-level constraints — rather than behavioral guidelines — aligns with a growing consensus among security researchers that agent safety must be baked into the architecture, not left to prompts.
For developers building agentic workflows, the partnership offers a way to reduce the risk of supply chain attacks without sacrificing the flexibility that makes agents powerful. By routing agent package downloads through JFrog's reviewed registries, NanoClaw provides a vetted pipeline that can be audited and controlled. The PR Factory, meanwhile, offers a template for how organizations can safely manage the flood of AI-generated contributions without lowering their security bar.