Today - February 16th 2026
/r/netsec - Information Security News & Discussion

Architectural Isolation Tradeoffs in the OpenClaw Ecosystem After CVE-2026-25253

In early Feb 2026, CVE-2026-25253 (CVSS 8.8) highlighted risks in shared-memory AI agent runtimes where API-layer controls govern a single-process execution model.

Several forks have since diverged along isolation boundaries rather than feature sets.

The primary architectural distinctions:

Application-level enforcement (OpenClaw)
– Single process, shared memory
– API-layer allowlists and approvals

Process-boundary isolation (NanoBot, ZeroClaw, PicoClaw)
– Separate OS process
– Reduced runtime surface

Kernel-enforced container isolation (NanoClaw)
– Per-group Linux container
– Filesystem namespace separation

Capability-based sandboxing (IronClaw)
– WASM per tool execution
– Explicit endpoint and resource caps

Key observation:
Isolation enforced below the application layer (process, kernel, capability runtime) reduces blast radius when control-plane validation fails.

Additional risk vectors in shared-plugin ecosystems:

– Supply-chain injection
– Credential exfiltration via tool execution
– Context-window replay amplification

This is not a commentary on patch status.
It's an architectural comparison of enforcement layers.

Interested in feedback from practitioners on whether WASM capability models provide materially stronger containment guarantees than container isolation in this context, or if the difference is primarily operational rather than structural.

submitted by /u/rsrini7
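The post's key observation, sketched as an added example that is not part of the original post or of any project it names: the same API-layer check fails in both runs, but only the in-process tool can reach the runtime's credential. All names (`AGENT_API_KEY`, `run_in_process`, `run_in_child`, `validation_bypassed`) are hypothetical, and the bypass flag stands in for an unspecified control-plane failure, not for the mechanics of CVE-2026-25253.

```python
import os
import subprocess
import sys

# Constructed credential living in the agent runtime's own process state.
SECRET = "constructed-key-not-real"
os.environ["AGENT_API_KEY"] = SECRET

ALLOWED_TOOLS = {"word_count"}  # hypothetical API-layer allowlist

# Constructed tool body: reports whatever credential it can reach.
TOOL_SOURCE = (
    "import os\n"
    "result = os.environ.get('AGENT_API_KEY', '<not reachable>')\n"
)


def api_layer_check(tool_name, validation_bypassed):
    # validation_bypassed models the control-plane check failing; how it
    # fails is out of scope here.
    if tool_name not in ALLOWED_TOOLS and not validation_bypassed:
        raise PermissionError(f"tool {tool_name!r} is not allowlisted")


def run_in_process(tool_name, source, validation_bypassed=False):
    """Application-level enforcement only: tool shares the runtime's memory."""
    api_layer_check(tool_name, validation_bypassed)
    scope = {}
    exec(source, scope)  # same process, same environment, same heap
    return scope["result"]


def run_in_child(tool_name, source, validation_bypassed=False):
    """Same API check, plus an OS process boundary with a scrubbed environment."""
    api_layer_check(tool_name, validation_bypassed)
    proc = subprocess.run(
        [sys.executable, "-I", "-c", source + "print(result)"],
        env={"PATH": os.defpath},  # nothing inherited from the runtime
        capture_output=True, text=True, timeout=10, check=True,
    )
    return proc.stdout.strip()


if __name__ == "__main__":
    for runner in (run_in_process, run_in_child):
        print(runner.__name__, "->", runner("untrusted_tool", TOOL_SOURCE, True))
```

The child process here still shares the filesystem and network with the runtime, which is the gap the container and WASM tiers listed in the post address.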