Secure, sandboxed infrastructure for always-on AI agents
NVIDIA NemoClaw is an open-source reference stack that wraps OpenClaw — the viral autonomous AI agent platform — inside a secure, sandboxed runtime. It bundles the NVIDIA OpenShell runtime, Nemotron open-source models, and a single-command installer so you can deploy always-on AI agents with policy-based privacy and security controls baked in from the start.
Think of it this way: OpenClaw is the engine. NemoClaw is the engine plus the chassis, seatbelts, and airbags. It doesn't change what the agent can do — it controls what the agent is allowed to do, at the infrastructure level rather than the application level. That distinction matters enormously when your agent has access to your filesystem, email, calendar, and API keys.
OpenClaw agents run as a local Node.js process with access to your shell, files, browser, and messaging apps. Gartner called the default setup "insecure by design." Security researchers at Cisco found skills performing data exfiltration without user awareness.
NemoClaw installs the OpenShell runtime — which sandboxes every agent in its own container with kernel-level filesystem, network, and process constraints. Security policies sit outside the agent's reach. The agent can't override its own guardrails.
One-command setup gives you a sandboxed OpenClaw instance with YAML-defined policies, inference routing through Nemotron or cloud models, and a full audit trail. Enterprise-grade security without the enterprise-grade headache.
The gap between what AI agents can do and what they should be allowed to do is widening fast. NemoClaw exists because the industry needed a security-first deployment model for autonomous agents — and it needed it yesterday.
Because application-level security is structurally flawed for autonomous agents. If the agent is compromised, its own guardrails are compromised too. NemoClaw moves security outside the agent, into the infrastructure — the same principle that made containers safer than bare-metal processes. The agent doesn't get to decide its own permissions. The runtime does.
NemoClaw combines a lightweight CLI plugin with a versioned blueprint to move OpenClaw into a controlled sandbox. Here are the core concepts.
Each agent runs inside its own isolated container with Landlock + seccomp + network namespace enforcement. The filesystem is locked at creation, the network is blocked by default, and API keys are injected as runtime environment variables — they never touch disk.
# Create your first sandboxed agent curl -fsSL https://www.nvidia.com/nemoclaw.sh | bash nemoclaw onboard
Security rules are defined in human-readable YAML, version-controllable alongside your project. Policies govern filesystem access, network egress, process execution, and inference routing. Updates happen live — no sandbox restart needed.
Inference requests from the agent never leave the sandbox directly. OpenShell intercepts every call and routes it to your configured provider — local Nemotron models for privacy-sensitive work, or cloud frontier models (Claude, GPT) when policy allows. The router makes decisions based on your policy, not the agent's preferences.
The NemoClaw CLI is a thin layer. Heavy lifting lives in versioned "blueprints" — Python artifacts that orchestrate sandbox creation, policy application, and inference configuration. Blueprints are immutable, digest-verified, and evolve on their own release cadence. The plugin (TypeScript) handles user interaction inside the sandbox.
Understanding NemoClaw means understanding the layers around it. Each component has a distinct role.
The open-source autonomous agent runtime. Connects LLMs to local tools via messaging platforms. 250K+ GitHub stars, 100+ skills, model-agnostic. Created by Peter Steinberger.
The sandboxing layer. Agent-agnostic runtime that works with OpenClaw, Claude Code, Codex, and others. Enforces policies at kernel level via containers, seccomp, and Landlock. Apache 2.0.
The glue. Bundles OpenShell + Nemotron models + one-command installer specifically for OpenClaw. Think of it as the opinionated "batteries included" distribution for secure agent deployment.
| Need | Use This | Why |
|---|---|---|
| Secure OpenClaw fast | NemoClaw | One command, bundled models, pre-configured policies |
| Sandbox any agent (Claude Code, Codex, etc.) | OpenShell | Agent-agnostic runtime; use standalone without NemoClaw |
| Run an unmanaged personal agent | OpenClaw (bare) | Maximum flexibility, but accept the security trade-offs |
| Enterprise agent governance | OpenShell + Cisco/CrowdStrike | OpenShell integrates with third-party SIEM and policy engines |
NemoClaw's value is clearest when agents need persistent access to sensitive systems — and you need confidence they won't leak, exfiltrate, or act beyond their mandate.
Let an always-on agent run tests, debug code, and deploy updates — while policy ensures it can't access production secrets or push to unauthorized repos.
Deploy agents that triage support tickets, query knowledge bases, and manage workflows — with network egress locked to approved domains and inference routed locally.
Cisco has already demo'd an agent inside OpenShell that reads security advisories, maps them against device state, and plans remediation — all within auditable constraints.
Route inference through on-device Nemotron models so no patient records, legal documents, or financial data ever leave your machine. The privacy router enforces this at the infrastructure level.
Run a 24/7 agent that manages email, calendar, and messaging — on your DGX Spark or RTX PC — with policies that prevent it from oversharing your data with external services.
Test new skills and multi-agent configurations in a sandboxed environment. If the agent breaks something, it breaks the sandbox — not your host system.
The NemoClaw story is inseparable from the OpenClaw phenomenon. It's one of the fastest open-source→enterprise arcs in software history.
Peter Steinberger releases a personal AI assistant originally named Clawdbot (derived from "Claude"). It connects LLMs to local tools via messaging apps.
Trademark complaints from Anthropic force a rename to Moltbot, then quickly to OpenClaw. The lobster mascot sticks. Moltbook — an agent social network — launches alongside.
OpenClaw surpasses 100K GitHub stars. Goes from 9K to 60K stars in 72 hours. Security researchers raise alarms. Steinberger joins OpenAI; project moves to an open-source foundation.
NVIDIA announces NemoClaw and OpenShell at GTC 2026. Jensen Huang calls OpenClaw "the operating system for personal AI." NemoClaw enters alpha/early preview on March 16. China restricts state use of OpenClaw agents, citing security concerns.
NemoClaw solves a real problem, but it's not magic — and it's not production-ready yet. Here's when it makes sense and when it doesn't.
You're running OpenClaw agents and want sandboxed security without building your own isolation layer.
You need a privacy router to keep sensitive inference on-device with Nemotron models while still accessing cloud models when appropriate.
You want declarative, version-controlled security policies that sit outside the agent's reach.
You're experimenting with always-on agents and want a safety net during development.
You need production-ready, multi-tenant deployment today. NemoClaw is alpha software — NVIDIA's own docs say "single-player mode" and "expect rough edges."
Your hardware can't handle it. The sandbox image is ~2.4 GB compressed, and machines with less than 8 GB RAM may hit OOM issues. Local Nemotron models need 25–70 GB of memory.
You're not using OpenClaw. OpenShell (standalone) is the better choice for sandboxing Claude Code, Codex, or other agents.
Your team doesn't have someone comfortable with Docker, YAML, and container networking. As one OpenClaw maintainer warned: "if you can't run a command line, this is too dangerous for you."
NemoClaw signals a shift: the industry is moving toward treating agent security as an infrastructure problem rather than an application feature. The principle that security should sit outside the agent's reach is architecturally sound. However, this is alpha software announced in March 2026. The architecture is promising, the execution is early. Worth tracking closely, but not yet production-ready.
The same shift happened with containers (Docker), then orchestration (Kubernetes), then networking (service meshes). Every time a new computing paradigm emerges, security starts inside the app and eventually migrates to the runtime. NemoClaw is that migration moment for AI agents.
GPUs at the bottom, Nemotron models in the middle, OpenShell/NemoClaw at the top. This is NVIDIA building a full-stack play for autonomous agents — hardware-agnostic on paper, but optimised for their silicon in practice. Jensen's comparison to Linux and HTML is aspirational, but the strategy is clear.
Single-player mode. No multi-tenant support. K3s running inside Docker for one sandbox. The architecture is heavyweight and the docs say "expect rough edges." Enterprise teams should evaluate the design, contribute to the project, and plan for maturity — but keep their current security posture until this hardens.
NVIDIA NemoClaw — Official product page ↗
NemoClaw Developer Guide — Full documentation ↗
NemoClaw GitHub — Source code and issues ↗
OpenShell GitHub — The underlying security runtime ↗
OpenClaw GitHub — The agent platform ↗
NVIDIA Technical Blog — Detailed OpenShell architecture walkthrough ↗
Cisco Blog — Enterprise integration with AI Defense ↗
The Next Platform — Jensen Huang's GTC keynote analysis ↗
TechCrunch — NemoClaw launch coverage ↗
NVIDIA Newsroom · NemoClaw Docs · NVIDIA Technical Blog · NVIDIA Blog · TechCrunch · Wikipedia — OpenClaw · Cisco Blog
Content validated March 2026. NVIDIA, NemoClaw, OpenShell, Nemotron, DGX Spark, and DGX Station are trademarks of NVIDIA Corporation. OpenClaw is an independent open-source project. This is an independent educational explainer by Imbila.AI.