NanoClaw contains a critical host/container filesystem boundary vulnerability in outbound attachment handling and outbox cleanup functionality. The vulnerability allows compromised or prompt-injected containers to read files outside the intended outbox directory by supplying crafted messages_out.id and content.files values or creating symlinked outbox files. Attackers can exploit this to trigger host-side reads of arbitrary files and potentially achieve recursive deletion of paths outside the intended cleanup target. This represents a significant container escape vulnerability that could lead to host system compromise.