A subprocess CLI wrapper and a BYOK agent platform are not the same tool. Here is when each one is actually the right choice — post-April-4 ToS change, written for developers evaluating agent platforms.
ClaudeClaw (github.com/moazbuilds/claudeclaw) is a ~6,500-line Bun/TypeScript daemon that wraps the local claude CLI as a subprocess and adds cron, heartbeat, Telegram/Discord bridges, and a small web dashboard. It piggy-backs on your Claude Pro or Max subscription, is MIT-licensed, and Moaz Mali has shipped it fast and clean — it genuinely punches above its weight.
Nestor is a larger agent platform: Rust security core, BYOK HTTP API over nine LLM providers (Claude, OpenAI, Gemini, Grok, Mistral, Ollama, OpenRouter + two compatibility modes), mission system, DAG workflows, multi-tenant RBAC, and a web Studio. It assumes you bring your own API key and pay per token.
If you’re a solo dev with an active Max plan who wants a personal butler that texts you from one cron script, ClaudeClaw is faster to set up and cheaper to run. If you need multi-model, audit trails, or any form of team or enterprise use after Anthropic’s April 4 ToS update, Nestor is the one that actually fits.
This page is not a hit piece. Moaz did good work and we’ve taken notes. What follows is an honest map of where each tool wins.
--dangerously-skip-permissions.If you genuinely don’t know — start with ClaudeClaw for an afternoon to feel the relationship-mode UX, then migrate when you hit the first wall (second model, second user, or first audit question).
Adapted from the internal ClaudeClaw audit report (April 17, 2026). Claude Code Channels is included as a third column because it’s the elephant that stepped on ClaudeClaw’s marquee feature in March 2026.
| ClaudeClaw | Claude Code Channels | Nestor | |
|---|---|---|---|
| Models supported | Claude only (GLM swap via env) | Claude only | Claude + GPT-4o + Gemini + Grok + Mistral + Ollama + OpenRouter |
| April 4 ToS risk | Grey zone (wraps local CLI) | None (Anthropic-native) | None (BYOK HTTP API) |
| Self-hosted | Yes | Partial | Fully |
| Sandbox | None (--dangerously-skip-permissions) |
Anthropic-run | Rust core + Docker cap-drop ALL |
| Messaging bridges | Telegram, Discord | Telegram, Discord, iMessage | Telegram, Discord, Slack (WhatsApp on roadmap) |
| Multi-agent handoff | No | Cowork mode | BMAD+ roles with explicit handoff |
| Voice in | Yes (bundled whisper.cpp) | No | On roadmap (@nestor/voice) |
| Heartbeat / proactive loop | Yes (configurable tick) | No | Shipping next sprint |
| Per-thread session isolation | Yes (20-line thread queue) | Native | Shipping next sprint |
| Knowledge graph | No (delegates to CLAUDE.md) |
No | Yes (entities + relations + facts) |
| Mission system | No | No | Yes |
| DAG workflows | No | No | Yes + visual editor |
| Multi-tenant + RBAC | No | Cowork workspace | Yes (OAuth + audit log) |
| Test coverage | 0 tests | Closed source | 153 tests |
| Codebase size | ~6,500 LOC | Closed source | ~114,000 LOC (14 packages) |
| License | MIT | Proprietary | MIT (OSS tier) |
claude CLIClaudeClaw does not talk to Anthropic’s API directly. For every turn, it spawns the local claude binary as a subprocess, passes --append-system-prompt for the persona stack, --resume <session-id> to preserve conversation state, and parses the CLI’s output stream. This is the key design decision and the source of both its strengths and its constraints.
Pros: you inherit Claude Code’s session system, tool registry, and permission prompts for free. Your Pro/Max subscription pays for everything — no per-token billing. The whole daemon fits in about 6k LOC because 90% of the work is delegated to claude. Brilliant restraint.
Cons: you’re married to Anthropic’s CLI release cadence and CLI flags. You can’t plug in a second provider without rewriting the core. Every agent turn pays the cold-start cost of a child process. And the subscription-reuse move sits in a regulatory grey zone after April 4.
Nestor talks HTTP directly to each provider (Claude, OpenAI, Gemini, Grok, Mistral, Ollama, OpenRouter, plus two OpenAI-compatible fallback modes). You bring your API key, we stream tokens, you pay the provider. No subprocess, no subscription inheritance, no grey zone.
Pros: multi-model is a first-class primitive, not a retrofit. Rate-limit fallback can move a run from Claude to GPT-4o to Gemini mid-mission. You can run fully offline on Ollama. BYOK sidesteps every “is this OK under the consumer ToS” question.
Cons: more code (nine adapters, a runtime, a security core, a Studio — about 17× the size of ClaudeClaw). You pay per token, which matters at small scale. Setup is a CLI wizard, not a single git clone.
On April 4, 2026 at 12:00 PT, Anthropic updated its Consumer Terms of Service: OAuth tokens from Free, Pro, and Max plans cannot be used inside third-party products. Within days, OpenClaw’s creator was temporarily banned from Claude for exactly this reason. VentureBeat covered the wider crackdown.
Here is the updated compliance map:
| Category | Status | Examples |
|---|---|---|
| Reusing OAuth tokens from Free/Pro/Max inside a third-party harness | Banned | OpenClaw-style quota borrowing |
| Direct API key (BYOK) against the Anthropic API | Allowed | Nestor, NanoClaw, NextClaude |
Local CLI wrapper that subprocess’s your own claude binary |
Grey zone | ClaudeClaw, similar Bun wrappers |
| Pay-as-you-go API credits on top of a subscription | Allowed | Any harness once billing is enabled |
Why this matters. The “grey” label is not a lawyer’s trick — it means Anthropic has not explicitly stated whether a local CLI wrapper violates the ToS. Moaz is acting in good faith and the community reading so far is cautiously positive, but if Anthropic tightens the rule again, every ClaudeClaw install on a Max plan is in the blast radius. For a personal side-project that’s fine. For anything that might be invoiced, audited, or SOC-2’d, it is not.
Nestor is BYOK end-to-end. You hold the API keys, you pay Anthropic (or OpenAI, or Google, or your self-hosted Ollama) directly, and the compliance boundary is clear. That is the primary reason the security page leads with BYOK rather than with sandboxing.
--dangerously-skip-permissionsClaudeClaw invokes claude with --dangerously-skip-permissions so the daemon itself doesn’t get blocked by Claude Code’s per-tool prompts. Safety then lives in two places:
This is prompt-level scoping. It works because Claude is a well-behaved model most of the time. It does not survive prompt-injection from a rogue webpage, a Telegram voice message with hidden instructions, or a CLAUDE.md edit from a compromised dependency. Moaz knows this — the README says as much — and it’s a reasonable tradeoff for a personal butler. It is not a tradeoff you can make for a multi-tenant product.
Nestor’s nestor-core crate (Rust, compiled to N-API) runs below the JavaScript layer. Primitives it enforces that cannot be bypassed from TypeScript:
.. rejection before any file I/O.On top of the Rust layer: an optional Docker sandbox with cap-drop ALL, read-only root FS, network=none by default, and tmpfs-scoped writes. Every sensitive tool call routes through the approval engine, which writes to an append-only audit log with tenant attribution and cost attribution.
ClaudeClaw concatenates five markdown files and pipes them into --append-system-prompt:
const layers = [
read("IDENTITY.md"), // empty, user fills
read("USER.md"), // who the human is
read("SOUL.md"), // doctrine: no filler, have opinions
projectClaudeMd(), // project-local memory
directoryScopePrompt() // “stay within this folder”
].filter(Boolean).join("\n\n---\n\n");
spawn("claude", ["--append-system-prompt", layers, "--resume", sid]);
Nestor layers the persona through a prompt-layer resolver that BMAD+ roles dispatch into, then sends a normal HTTP request to the provider:
const system = buildSystem([
SHARED_SOUL, // cross-agent doctrine
USER_CARD, // who the human is
ROLE_SWITCH, // Atlas / Forge / Sentinel / Nexus / Shadow
agents[activeRole].identity, // active persona
project.CLAUDE_md_managedBlock,// managed, write-locked by default
securityPrompt(scope) // per-tenant scope + egress allowlist
]);
await llm(provider).stream({ system, messages, tools });
ClaudeClaw’s thread queue is famously 14 lines — same session is serial (no --resume corruption), different sessions run in parallel. We’re porting this pattern verbatim for Nestor’s messaging bridge:
const threadQueues = new Map<string, Promise<unknown>>();
function enqueue<T>(fn: () => Promise<T>, threadId?: string) {
if (threadId) {
const current = threadQueues.get(threadId) ?? Promise.resolve();
const task = current.then(fn, fn);
threadQueues.set(threadId, task.catch(() => {}));
return task;
}
// global queue fallback
}
ClaudeClaw: “trust the model, scope the prompt.”
claude --dangerously-skip-permissions \
--append-system-prompt "$PERSONA + directory_scope=$CWD" \
--resume "$SESSION_ID"
Nestor: compiled security primitives, declarative guardrails, explicit approval flow.
sandbox:
enabled: true
capabilities: { drop: [ALL] }
filesystem: { read_only: true, tmpfs: /tmp }
network: none
guardrails:
require_approval: [file_write, shell_exec, web_fetch]
blocked_paths: [.env, .credentials/, CLAUDE.md, .ssh/, .git/config]
blocked_commands: ["rm -rf", sudo, "curl | sh"]
budget:
daily_usd: 10
per_session_usd: 2
| Tier | ClaudeClaw | Nestor |
|---|---|---|
| Free / OSS | MIT (free) | MIT — npx nestor-sh, localhost Studio, all adapters |
| Solo Pro | “ProClaw” stealth enterprise (no public pricing) | $19/mo — hosted Studio, config sync, priority support |
| Team | Not available | $49/user/mo (5 min) — RBAC, SSO, audit log, shared agents |
| Enterprise | Not available | $30–75k/yr — on-prem, SOC2 pack, custom sandbox, dedicated engineer |
| Consulting / Build-With-Me | Not offered | $2.5–10k one-shot — install + custom skills + security review |
Plus your provider costs in either case. On ClaudeClaw that’s your Claude Max subscription; on Nestor that’s whatever the providers bill per token, with Ollama at $0 for fully-local runs.
If you’re on ClaudeClaw today and want to move, the translation is straightforward because the concepts overlap:
npx nestor-sh install. Both can run on the same machine; Nestor defaults to port 3100.SOUL.md, USER.md, and BOOTSTRAP.md into .nestor/prompts/. Nestor loads them through the same concatenation pattern.--dangerously-skip-permissions Max subscription with ANTHROPIC_API_KEY (or OpenAI / Gemini / Ollama if you want to diversify). BYOK cleanly exits the ToS grey zone.packages/agent/src/heartbeat.ts will accept a compatible YAML config; until then, npx nestor-sh agent schedule covers cron-like triggers.CLAUDE.md as an L0 memory layer but write-locks it by default. You’ll need to explicitly approve agent-initiated edits — by design, because unscoped CLAUDE.md writes are a documented prompt-injection vector.Typical migration time for a solo user: about half a day, most of it spent deciding which providers to enable.
Credit where it’s due. ClaudeClaw got three things so right that Nestor is actively building them in:
packages/messaging/src/bridge.ts — this is the kind of small idea that beats 200 lines of careful locking.The ClaudeClaw team ships fast and thinks clearly. If you’re an Anthropic Max subscriber looking for a small, elegant personal agent and the April 4 grey zone doesn’t worry you, it’s a very good choice — go read the source, it’s short enough that you should.
When you hit the wall where you need a second model, a second user, or a first audit question, Nestor is the bigger platform on the other side of that wall — and we’ll have kept the parts of the ClaudeClaw DNA that made the butler feel real in the first place.