.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
When OpenClaw went from zero to 247,000 GitHub stars in a matter of weeks, it was clear the project had touched something real. People wanted always-on AI agents running on their own hardware, talking to them through Telegram and WhatsApp, doing actual work. The problem is that an agent with full system access, running 24/7, handling emails and executing code, is also a significant attack surface. NVIDIA noticed. On March 16, 2026, at GTC, they shipped an answer: NemoClaw.
NemoClaw is an open-source reference stack that wraps OpenClaw with kernel-level sandboxing, a declarative policy engine, and a privacy router. It doesn't replace the agent or change how it behaves from the user's perspective. The agent still runs on OpenClaw. What changes is the environment around it — specifically what the agent is physically allowed to do at the OS level, where its inference requests go, and whether your credentials ever touch the sandbox at all.
Jensen Huang's framing at the announcement: "Mac and Windows are the operating systems for the personal computer. OpenClaw is the operating system for personal AI. This is the moment the industry has been waiting for — the beginning of a new renaissance in software." NemoClaw is NVIDIA's attempt to add the missing infrastructure layer underneath that, the part that makes always-on agents suitable for environments beyond a personal laptop.
Why NemoClaw exists
OpenClaw's design is built around a single trusted operator: one person, one agent, one machine. That works well for personal use because you're the operator and you presumably know what you're running. But OpenClaw gives the agent broad access by default — read/write files, execute shell commands, browse the web, call APIs. The security boundary is mostly configuration: allowlists, tool restrictions, and how carefully you've set things up.
That model breaks down in shared environments, business deployments, or anywhere sensitive data is involved. A misconfigured tool permission, a prompt injection in an email the agent reads, a skill that does something unexpected — any of these can have consequences that extend well beyond the conversation window. OpenClaw's architecture was never designed to contain that. It wasn't a criticism of the project; it just wasn't the goal.
NemoClaw specifically addresses this with out-of-process policy enforcement. Instead of relying on how the agent is configured to behave, you enforce constraints on the environment the agent runs in. The agent can't override these. Prompt injection can't override them. Even if the agent process is compromised, it's still operating inside a box defined by the OS kernel. That's the architectural difference that matters here.
The architecture
NemoClaw has three distinct layers. Understanding all of them is worth the effort because they handle different parts of the security problem, and they're easy to conflate if you only look at the install command.
The TypeScript CLI
This is the nemoclaw command you interact with from the host machine. It's a lightweight plugin that extends the OpenClaw CLI and orchestrates everything else. After install you use commands like nemoclaw my-assistant connect, nemoclaw my-assistant status, and nemoclaw my-assistant logs --follow. The CLI itself doesn't do heavy processing — it hands off to the blueprint layer.
The Python blueprint
This is the orchestrator that actually sets up the sandbox. It follows a four-stage lifecycle: resolve the artifact, verify its digest, plan resources, apply through the OpenShell CLI. It handles sandbox creation, policy configuration, and inference setup. The blueprint YAML and network policies are separate files you can read, modify, and version-control — which matters a lot for teams that need to audit policy changes.
OpenShell (the enforcement engine)
This is where the actual security lives. OpenShell is part of the NVIDIA Agent Toolkit, open-sourced under Apache 2.0. It's purpose-built for autonomous agents, not a generic container runtime. When the agent runs, it's inside an OpenShell sandbox that applies three Linux kernel-level mechanisms simultaneously:
- Landlock: filesystem restrictions that limit the agent to reading and writing inside
/sandboxand/tmp. Everything else is off-limits regardless of what the agent tries. - seccomp: syscall filtering that blocks the agent from executing unauthorized system calls at the kernel level. Even if malicious code runs inside the agent process, the OS rejects the call.
- Network namespace isolation: controls which network endpoints the agent can reach. Unknown hosts are blocked by default and surfaced for operator approval rather than silently allowed.
The default posture is deny-by-default. The agent can only do what the policy explicitly permits. Critically, credentials (API keys, passwords) are never stored inside the sandbox filesystem - they're injected at runtime as environment variables from the host. A compromised sandbox doesn't automatically mean compromised credentials, which is a meaningful improvement over the standard OpenClaw setup where secrets management depends entirely on how carefully you've configured things.
The YAML policy engine
OpenShell's policies are configured in YAML and evaluate at four levels: binary (allow or deny), destination (which services are reachable), method (which HTTP methods are permitted), and path (which API endpoints specifically). Your security team writes these in plain YAML files, not a proprietary configuration language, which makes them reviewable by anyone familiar with basic config syntax.
Policies support hot-reload — you can update them without restarting the sandbox. This is practically useful when you need to approve a new endpoint the agent needs to reach, or tighten a rule after finding something unexpected in the logs. And because they're YAML files, you can manage them with Git, review changes in pull requests, and maintain an audit trail. For anyone operating in a regulated industry, being able to show auditors a deny-by-default policy file with a record of every change is a much stronger answer than "trust the prompt."
The privacy router
Every inference request from inside the sandbox flows through the OpenShell gateway before reaching any model. The agent can't route around this. The privacy router classifies requests and applies routing rules based on data sensitivity. Sensitive data, PII, confidential content, anything that matches your classification policy, gets routed to local Nemotron models running on the host. General reasoning tasks route to cloud providers. PII detection and routing happen before data leaves your network boundary.
Supported backends include NVIDIA Endpoints (Nemotron), OpenAI, Anthropic, Google Gemini, local Ollama and vLLM servers. The hybrid setup - sensitive queries stay local, general queries use frontier cloud models - is one of the more compelling things about the architecture. For organizations dealing with data residency requirements like GDPR or HIPAA, you can point to a policy file and describe exactly where each class of data goes. That's the kind of answer compliance conversations require, and it's much harder to construct when running plain OpenClaw without explicit data routing controls.
NemoClaw vs plain OpenClaw: The honest comparison
The analogy that's been circulating in the community is a good one: if OpenClaw is the Linux kernel, NemoClaw is Red Hat Enterprise Linux. The agent runs identically in both cases. What changes is the security posture, the audit capability, and the governance layer.
Plain OpenClaw gives the agent full system access. It can browse the web, install packages, run arbitrary code, and touch any file the OS user can access. The security model is application-level - you configure allowlists and tool restrictions, and you trust the agent to stay within them. For personal use with non-sensitive data, this is fine and often preferable. The freedom is part of the point, and adding NemoClaw's constraints to a personal setup is adding overhead without much benefit.
NemoClaw replaces that application-level trust with kernel-level enforcement. The agent can't override the sandbox through prompts or behavior. The privacy router intercepts inference calls the agent doesn't even know about. The tradeoff is real: the sandbox is more constrained and configuring it correctly takes specialist work. But the question "can you prove the agent won't exfiltrate data?" gets a fundamentally different answer. You can show a YAML file with deny-by-default networking and say "it's only allowed to reach what's on this list."
For context: 48% of CISOs currently rank agentic AI as their number-one attack vector according to Dark Reading's 2026 survey. NemoClaw is a direct response to that concern at the infrastructure layer rather than the prompt layer.
System requirements
The sandbox uses Linux kernel features, so the host must be Linux. macOS and Windows are not supported for sandbox enforcement — Landlock and seccomp are Linux-only. If you're running OpenClaw on a Mac Mini and want to move to NemoClaw, that means moving to a Linux VPS or NVIDIA DGX Spark hardware.
Minimum specs for running NemoClaw:
- RAM: 8 GB minimum. The sandbox image is approximately 2.4 GB compressed. During image push, Docker, k3s, and the OpenShell gateway run concurrently and buffer decompressed layers in memory. Below 8 GB, the OOM killer will terminate the process. Configuring 8 GB of swap is an acceptable workaround at the cost of slower startup performance.
- CPU: 4 vCPU recommended
- Node.js: 20 or later
- npm: 10 or later
- Kernel: 5.13+ (required for Landlock); seccomp is available in all modern kernels
- Docker: Required (k3s runs alongside it)
NVIDIA officially documents deployment to RTX PCs and laptops, RTX PRO workstations, DGX Station, DGX Spark, cloud instances, remote GPU instances, on-premises Linux servers, and generic Linux VPS. The stack is hardware-agnostic — you don't need NVIDIA hardware to run NemoClaw. Without a CUDA-capable GPU, local Nemotron inference isn't available, but inference routes to cloud providers through the privacy router instead. If you want to run local models for privacy reasons, GPU matters. For the sandbox and policy enforcement, it doesn't.
Installation
Install with a single command:
curl -fsSL https://nvidia.com/nemoclaw.sh | bashThe script installs Node.js if it's not present, then runs the guided onboard wizard. Running nemoclaw onboard walks through sandbox creation, inference provider configuration, and network policy setup. After install, the sandbox is displayed as:
Sandbox my-assistant (Landlock + seccomp + netns)
Model nvidia/nemotron-3-super-120b-a12b (NVIDIA Endpoints)NVIDIA's official documentation recommends running in monitor-only mode for the first 48 hours. This lets you observe what the sandbox would block without actually blocking it, which makes it much easier to understand which network destinations and filesystem paths your agent actually needs before locking the policy down. Starting permissive and tightening incrementally is the right approach — not because the defaults are wrong, but because discovering a blocked workflow after it's in production is more painful than discovering it in observation mode first.
What NemoClaw is not
Worth being clear on this given how NVIDIA announced it. NemoClaw is not a general replacement for Docker or Kubernetes. It's specifically about running autonomous agents with security and policy controls, not about container orchestration for arbitrary workloads. It's also not a new agent — the OpenClaw agent runs unmodified inside the sandbox. And it's not just a Docker wrapper: Docker isolation operates at the container level, while OpenShell enforcement operates at the OS kernel level using Landlock and seccomp, below the container boundary. A container escape doesn't bypass OpenShell because the kernel restrictions are independent of the container.
Who should run NemoClaw
For personal use with non-sensitive data, plain OpenClaw is still the better choice for most people. The sandbox adds overhead, configuration is more complex, and the freedom that makes OpenClaw useful gets meaningfully constrained by the policy engine. Running NemoClaw on your personal assistant that handles your own tasks is adding friction that probably doesn't pay off yet, especially while the project is still in early preview.
NemoClaw becomes the right call when the agent handles sensitive data, touches production systems, runs in a shared environment, or needs to be auditable. That includes businesses deploying OpenClaw for automation pipelines, teams where the agent has access to customer data or internal APIs, developers who want to test agent behavior in a locked-down environment before granting broader permissions, and anyone operating in a regulated industry where "the agent is configured correctly" isn't a sufficient security posture.
For VPS users specifically, NemoClaw creates a clear need for dedicated Linux compute with persistent uptime. The sandbox requires Linux and 8 GB RAM minimum, the agent needs to run continuously for always-on automation to mean anything, and the privacy routing benefits are most relevant when the agent handles data you actually care about protecting. A dedicated Linux VPS is the natural fit, particularly for users who want NemoClaw's security controls without the hardware investment of a dedicated GPU workstation. If you do want local Nemotron inference, LumaDock also offers GPU VPS instances that can handle that workload.
Current status
NemoClaw entered early preview on March 16, 2026. NVIDIA's announcement is explicit: it's not production-ready, interfaces and APIs will change without notice, and the project is shared primarily to gather feedback and enable early experimentation. The security primitives work. The configuration management experience is still evolving.
"Installs in one command" and "production-ready" are different claims, and the gap matters. Getting Landlock policies right, writing YAML governance rules for your specific workflows, setting up privacy routing tables, integrating with existing monitoring — that's a weeks-long effort for most organizations, not an afternoon. The install is genuinely one command. The configuration is the actual work.
NVIDIA shipped with 17 launch partners including Adobe, Salesforce, SAP, CrowdStrike, Cisco, Microsoft Security, Google Cloud and TrendAI. OpenShell also runs Claude Code, Cursor, Codex and OpenCode unmodified inside the sandbox, which signals that NVIDIA intends it as a universal governance layer for agents generally, not just an OpenClaw-specific tool. That's worth paying attention to if you're thinking about where agent security infrastructure is going over the next few years.
If you're new to OpenClaw and want to understand the base platform before evaluating NemoClaw, the complete OpenClaw guide covers everything from installation through automation and security in one place.
