The problem: agents install packages you never approved

When a NanoClaw agent receives a task it can't handle natively — say, transcribing a voice note — it doesn't stop and ask for help. It identifies a package that can do the job, downloads it, installs it, and runs it. That autonomy is the point. It's also the attack surface.

Software supply-chain attacks work by poisoning open-source registries with malicious packages that mimic legitimate ones. A human developer might pause before installing an unfamiliar library. An autonomous agent won't. And the person operating the agent — who may have no development background — is unlikely to notice that anything happened at all.

"The people who are operating the agents are not necessarily developers, and they are not even aware of the implications," said Gavriel Cohen, CEO and co-founder of NanoCo AI, in an interview with VentureBeat.

How the integration works

NanoCo AI, the commercial entity behind NanoClaw — an enterprise-oriented, open-source variant of the OpenClaw agent framework — has partnered with JFrog, whose platform manages software artifact storage, distribution, and security scanning across the supply chain.

Under the integration, NanoClaw agents no longer reach out to arbitrary public registries. Every request for a package, CLI tool, or Model Context Protocol (MCP) server — MCP being the emerging standard for connecting AI agents to external tools and data sources — is routed through a JFrog registry first.

If JFrog's scanning flags a package as malicious or policy-violating, it returns a 403 security-policy error to the agent. Critically, the system doesn't just block and stop: it notifies the agent of the vulnerability and steers it toward an approved, clean version of the same dependency. That correction loop keeps the agent functional without requiring a human to intervene.

Visibility as a compliance requirement

For enterprises, the value isn't only threat prevention. "We need a system of record, we need somewhere to track what agents are running by whom and consuming what packages and using what skills and using what MCPs," JFrog Chief Strategy Officer Gal Marder told VentureBeat.

Routing agent activity through an internal JFrog registry gives security and compliance teams a full audit trail — something that's effectively impossible when agents pull dependencies from arbitrary public sources.

Licensing and access

The integration uses a dual-track model. Open-source NanoClaw users get free access to JFrog's vetted public registry. Community-contributed agent "skills" are uploaded, scanned, and cleared before they're available to other users — directly addressing the poisoned-repository threat.

Enterprise users point their NanoClaw agents at their own internal JFrog registries, keeping all agent activity inside existing security perimeters and subject to existing commercial-license governance.

The partnership follows NanoCo's recent moves to add permissions dialogs via Vercel and to support isolated agent execution inside Docker containers — a pattern of layering environmental controls around agents rather than relying solely on the agent's own judgment about what's safe to run.