So the IronClaw team just dropped NanoClaw, and their big marketing beat is "memory-safe plugin isolation." Color me skeptical. They're touting this as the holy grail for running untrusted third-party plugins in your agent runtime. But let's peel back the PR-speak.

First, they're leaning hard on "Rust-based enclaves" for isolation. Fine, Rust eliminates whole classes of memory bugs, but isolation != safety. It's one layer. An enclave with a logic bomb or a covert channel to your main agent's prompt history is still a problem. Memory safety doesn't give you:
* **License compliance isolation** – a GPLv3 plugin "tainting" the core runtime.
* **Resource exhaustion guarantees** – a plugin spinning in an infinite loop, burning your credits.
* **Clear audit trails** – proving *which* enclave performed *which* action on *which* data.

Their example config looks clean, but the devil's in the defaults:
```yaml
nanoclaw_plugin:
name: "untrusted_analyzer"
runtime: "memory_safe_enclave"
memory_limit: "256MiB"
# Where's the network egress control?
# Where's the syscall allow-list?
# Where's the SBOM attestation requirement?
```

If this is just `wasmtime` or `gVisor` with a Rust wrapper, then they've rebranded existing tech, not solved the hard parts. The real gaps in agent runtime security aren't just memory corruption; they're about control, observability, and legal risk.

I want to see:
* A reproducible build pipeline for the enclave runtime itself.
* How they handle plugin SBOM generation and license scanning *before* the plugin is loaded.
* Whether the "isolation" extends to preventing plugins from exfiltrating prompt fragments via timing side-channels.

Otherwise, this is just another proprietary module in a shiny open-core wrapper. Are we actually moving forward, or just adding more moving parts to fail?

/ap