
GhostClaw Review: De-containerised NanoClaw hacker fork

GhostClaw community

Claws Gone Wild — full machine access for a 10-minute Telegram bot. Hacker spare-box toy; BestClaw does not recommend production use.

Review updated: June 14, 2026 · Methodology version aligned with BestClaw rankings

6.3/10

BestClaw composite (28 dimensions)

#30 Unified ranking this cycle

Bare-metal · NanoClaw fork · Hacker-first

Overview

GhostClaw (b1rdmania/ghostclaw, MIT) forks NanoClaw by removing Docker/containers: agents run as Node child processes with full host access to bash/files/mail/web. ~4K LOC, Telegram-first (WhatsApp supported).

BestClaw lists it on the watchlist with a methodology Security score of 5.0, which reflects an intentional bare-metal design choice rather than an accidental weakness. Setup takes about 10 minutes, compared with NanoClaw's container setup and the heavier OpenClaw.

Typical users are solo hackers on spare boxes who trade isolation for simplicity. The Skills engine inherits NanoClaw's merge/manifest model; every Skill is a supply-chain risk, and that risk is worse when agents have full host access.

If you picked NanoClaw for containers, stay on NanoClaw or try Moltis; GhostClaw is for isolated experiments — see A/B comparison.

At a glance

  • Shape: Node service + Telegram/WhatsApp bot; ~4K LOC TypeScript
  • NanoClaw lineage: Fork removing containers; keeps Skills engine + agent runner
  • System access: Bare-metal full privilege; no Docker sandbox
  • Channels: Telegram-first; WhatsApp group @ mention; voice notes
  • Setup: ~10 minutes per docs; wizard for API keys + Telegram
  • License: MIT; early community (small GitHub footprint)
  • Best for: Spare personal machines and full-access hacker experiments
  • Risk focus: Skill supply chain, Telegram session hijack, full host compromise

Pros & cons

Pros

  • Short install and tiny codebase — fast personal automation.
  • NanoClaw Skills engine (merge/manifest) extends without core edits.
  • Telegram remote control feels like a co-worker bot.
  • Markdown Skills align with NanoClaw/OpenClaw concepts.
  • MIT + small LOC keeps audit scope bounded (privileges still huge).

Cons

  • BestClaw watchlist + Security 5.0 — bare-metal by design.
  • No container isolation — one malicious Skill ≈ host owned.
  • Community/war stories tiny vs OpenClaw/NanoClaw mains.
  • Unfit for multi-tenant, enterprise compliance or regulated data.
  • Opposite of security-first board goals — a cautionary comparator.

Capabilities (honest breakdown)

  • Bare-metal execution

    Full bash/files; simple, but fail-open to the host.

  • Telegram surface

    DM/group @ triggers; guard session hijack and accidental @ batches.

  • Markdown Skills

    Gmail/cron etc.; scan permissions before install.

  • Tiny codebase

    ~4K LOC easy to fork; small ≠ safe.

  • NanoClaw lineage

    Clear migration story; container users should stay upstream.

Security — read this before go-live

GhostClaw's bare-metal model means no second isolation layer. Use only on isolated/spare machines:

  • Dedicated box — never daily driver or secret stores.
  • Skill audit — clear-source Markdown only; reject opaque scripts.
  • Telegram binding — allowlist chat ids; enforce @ mention rules.
  • Keys — disposable API keys; no production DB credentials.
  • Network — egress allowlists; block internal/metadata targets.
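
The Telegram binding item above, as an added TypeScript example (not GhostClaw's or NanoClaw's code): a fail-closed gate that checks a Telegram Bot API update against a chat allowlist and requires an entity-based @ mention in groups. It goes slightly beyond the checklist by also allowlisting sender ids; `Policy`, `gate`, the bot username and all ids are assumptions constructed for illustration.

```typescript
// Added example, not GhostClaw code. Field names follow the Telegram Bot API
// Update/Message objects; Policy, gate() and all ids are constructed.
interface Entity { type: string; offset: number; length: number }
interface Chat { id: number; type: "private" | "group" | "supergroup" | "channel" }
interface Message { chat: Chat; from?: { id: number }; text?: string; entities?: Entity[] }
interface Update { update_id: number; message?: Message }
interface Policy {
  botUsername: string;         // without the leading "@"
  allowedChatIds: Set<number>; // chats the bot may act in
  allowedUserIds: Set<number>; // senders allowed to drive the agent
}
type Decision = { run: true; prompt: string } | { run: false; reason: string };

function gate(update: Update, policy: Policy): Decision {
  const msg = update.message;
  const text = msg?.text;
  if (!msg || typeof text !== "string") return { run: false, reason: "no-text" };
  // Fail closed: unknown chats and unknown senders never reach the agent.
  if (!policy.allowedChatIds.has(msg.chat.id)) return { run: false, reason: "chat-not-allowed" };
  if (!msg.from || !policy.allowedUserIds.has(msg.from.id)) {
    return { run: false, reason: "sender-not-allowed" };
  }
  if (msg.chat.type === "private") return { run: true, prompt: text.trim() };

  // Groups: require an explicit mention of this bot. Match on the entity
  // ranges Telegram supplies (UTF-16 offsets, same as JS string indices)
  // instead of a substring search, so "@ghost_bot_admin" does not trigger.
  const want = "@" + policy.botUsername.toLowerCase();
  const hit = (msg.entities ?? []).find(e =>
    e.type === "mention" &&
    text.slice(e.offset, e.offset + e.length).toLowerCase() === want);
  if (!hit) return { run: false, reason: "no-mention" };
  const prompt = (text.slice(0, hit.offset) + text.slice(hit.offset + hit.length)).trim();
  return prompt ? { run: true, prompt } : { run: false, reason: "empty-prompt" };
}

// Constructed sample: an allowlisted user mentions the bot in an allowlisted group.
const samplePolicy: Policy = {
  botUsername: "ghost_bot",
  allowedChatIds: new Set([-1001, 42]),
  allowedUserIds: new Set([42]),
};
const sampleUpdate: Update = {
  update_id: 1,
  message: { chat: { id: -1001, type: "group" }, from: { id: 42 },
    text: "@ghost_bot uptime", entities: [{ type: "mention", offset: 0, length: 10 }] },
};
console.log(gate(sampleUpdate, samplePolicy));
```

Because the agent behind this gate has full host access, every rejected path returns before any Skill or shell dispatch would happen.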

Bottom line

GhostClaw is a watchlist cautionary sample at 6.3 (Security 5.0) showing the cost of removing containers. For production pick NanoClaw or IronClaw via A/B comparison and the leaderboard.

Scores and rankings follow the published BestClaw methodology; editorial and partnership placements, if any, are labeled separately and do not change numeric conclusions.

Reviews & ratings

Star ratings and review text on this page are independent of BestClaw methodology scores and leaderboard placement.

User ratings come from submissions reviewed on this page; they do not change the methodology score (6.3 / 10) or leaderboard logic.