# NVIDIA NemoClaw Explained > Secure, sandboxed infrastructure for always-on AI agents **Source:** [know.imbila.ai/nemoclaw-explainer](https://know.imbila.ai/nemoclaw-explainer) **Validated:** March 2026 | **Author:** [Imbila.AI](https://imbila.ai) | **License:** CC-BY-SA-4.0 **Structured data:** [nemoclaw.json](https://raw.githubusercontent.com/imbilawork/know.agent/main/agentapi/data/nemoclaw.json) --- ## What Is NemoClaw NVIDIA NemoClaw is an open-source reference stack that wraps OpenClaw — the viral autonomous AI agent platform — inside a secure, sandboxed runtime. It bundles the NVIDIA OpenShell runtime, Nemotron open-source models, and a single-command installer so you can deploy always-on AI agents with policy-based privacy and security controls baked in from the start. Think of it this way: OpenClaw is the engine. NemoClaw is the engine plus the chassis, seatbelts, and airbags. It doesn't change what the agent can do — it controls what the agent is *allowed* to do, at the infrastructure level rather than the application level. That distinction matters enormously when your agent has access to your filesystem, email, calendar, and API keys. **The Problem:** OpenClaw agents run as a local Node.js process with access to your shell, files, browser, and messaging apps. Gartner called the default setup "insecure by design." Security researchers at Cisco found skills performing data exfiltration without user awareness. **The Solution:** NemoClaw installs the OpenShell runtime — which sandboxes every agent in its own container with kernel-level filesystem, network, and process constraints. Security policies sit outside the agent's reach. The agent can't override its own guardrails. **The Result:** One-command setup gives you a sandboxed OpenClaw instance with YAML-defined policies, inference routing through Nemotron or cloud models, and a full audit trail. Enterprise-grade security without the enterprise-grade headache. **Key stats:** 250K+ GitHub stars for OpenClaw in under 4 months · 100+ built-in skills accessing your system · 1 command to install NemoClaw to sandboxed agent · 0 code changes needed in your agent --- ## Why It Matters OpenClaw grew faster than any open-source project in history. Security didn't keep up. The gap between what AI agents can do and what they should be allowed to do is widening fast. NemoClaw exists because the industry needed a security-first deployment model for autonomous agents — and it needed it yesterday. Why not just harden OpenClaw itself? Because application-level security is structurally flawed for autonomous agents. If the agent is compromised, its own guardrails are compromised too. NemoClaw moves security outside the agent, into the infrastructure — the same principle that made containers safer than bare-metal processes. The agent doesn't get to decide its own permissions. The runtime does. --- ## How It Works NemoClaw combines a lightweight CLI plugin with a versioned blueprint to move OpenClaw into a controlled sandbox. Four layers sit between your agent and your data. ### OpenShell Sandbox Each agent runs inside its own isolated container with Landlock + seccomp + network namespace enforcement. The filesystem is locked at creation, the network is blocked by default, and API keys are injected as runtime environment variables — they never touch disk. ```bash # Create your first sandboxed agent curl -fsSL https://www.nvidia.com/nemoclaw.sh | bash nemoclaw onboard ``` ### Declarative YAML Policies Security rules are defined in human-readable YAML, version-controllable alongside your project. Policies govern filesystem access, network egress, process execution, and inference routing. Updates happen live — no sandbox restart needed. ### Privacy Router Inference requests from the agent never leave the sandbox directly. OpenShell intercepts every call and routes it to your configured provider — local Nemotron models for privacy-sensitive work, or cloud frontier models (Claude, GPT) when policy allows. The router makes decisions based on your policy, not the agent's preferences. ### Blueprint + Plugin Architecture The NemoClaw CLI is a thin layer. Heavy lifting lives in versioned "blueprints" — Python artifacts that orchestrate sandbox creation, policy application, and inference configuration. Blueprints are immutable, digest-verified, and evolve on their own release cadence. The plugin (TypeScript) handles user interaction inside the sandbox. --- ## Ecosystem NemoClaw sits inside a growing stack. Each component has a distinct role. | Layer | Component | Description | |-------|-----------|-------------| | Agent Platform | OpenClaw | The open-source autonomous agent runtime. Connects LLMs to local tools via messaging platforms. 250K+ GitHub stars, 100+ skills, model-agnostic. Created by Peter Steinberger. | | Security Runtime | NVIDIA OpenShell | The sandboxing layer. Agent-agnostic runtime that works with OpenClaw, Claude Code, Codex, and others. Enforces policies at kernel level via containers, seccomp, and Landlock. Apache 2.0. | | Reference Stack | NemoClaw | The glue. Bundles OpenShell + Nemotron models + one-command installer specifically for OpenClaw. The opinionated "batteries included" distribution for secure agent deployment. | ### When to use what | Need | Use This | Why | |------|----------|-----| | Secure OpenClaw fast | NemoClaw | One command, bundled models, pre-configured policies | | Sandbox any agent (Claude Code, Codex, etc.) | OpenShell | Agent-agnostic runtime; use standalone without NemoClaw | | Run an unmanaged personal agent | OpenClaw (bare) | Maximum flexibility, but accept the security trade-offs | | Enterprise agent governance | OpenShell + Cisco/CrowdStrike | OpenShell integrates with third-party SIEM and policy engines | --- ## Use Cases - **Sandboxed Coding Agents** — Let an always-on agent run tests, debug code, and deploy updates — while policy ensures it can't access production secrets or push to unauthorized repos. - **Secure Internal Assistants** — Deploy agents that triage support tickets, query knowledge bases, and manage workflows — with network egress locked to approved domains and inference routed locally. - **Vulnerability Response Agents** — Cisco has already demo'd an agent inside OpenShell that reads security advisories, maps them against device state, and plans remediation — all within auditable constraints. - **Local Inference for Regulated Data** — Route inference through on-device Nemotron models so no patient records, legal documents, or financial data ever leave your machine. The privacy router enforces this at the infrastructure level. - **Always-On Personal Assistant** — Run a 24/7 agent that manages email, calendar, and messaging — on your DGX Spark or RTX PC — with policies that prevent it from oversharing your data with external services. - **Safe Agent Development** — Test new skills and multi-agent configurations in a sandboxed environment. If the agent breaks something, it breaks the sandbox — not your host system. --- ## Decision Guide ### Use NemoClaw when - You're running OpenClaw agents and want sandboxed security without building your own isolation layer. - You need a privacy router to keep sensitive inference on-device with Nemotron models while still accessing cloud models when appropriate. - You want declarative, version-controlled security policies that sit outside the agent's reach. - You're experimenting with always-on agents and want a safety net during development. ### Skip NemoClaw when - You need production-ready, multi-tenant deployment today. NemoClaw is alpha software — NVIDIA's own docs say "single-player mode" and "expect rough edges." - Your hardware can't handle it. The sandbox image is ~2.4 GB compressed, and machines with less than 8 GB RAM may hit OOM issues. Local Nemotron models need 25-70 GB of memory. - You're not using OpenClaw. OpenShell (standalone) is the better choice for sandboxing Claude Code, Codex, or other agents. - Your team doesn't have someone comfortable with Docker, YAML, and container networking. As one OpenClaw maintainer warned: "if you can't run a command line, this is too dangerous for you." --- ## Practical Guidance NemoClaw signals a shift: the industry is moving toward treating agent security as an infrastructure problem rather than an application feature. The principle that security should sit outside the agent's reach is architecturally sound. However, this is alpha software announced in March 2026. The architecture is promising, the execution is early. Worth tracking closely, but not yet production-ready. **The Pattern — Security moves to infrastructure.** The same shift happened with containers (Docker), then orchestration (Kubernetes), then networking (service meshes). Every time a new computing paradigm emerges, security starts inside the app and eventually migrates to the runtime. NemoClaw is that migration moment for AI agents. **The Bet — NVIDIA wants to own the agent stack.** GPUs at the bottom, Nemotron models in the middle, OpenShell/NemoClaw at the top. This is NVIDIA building a full-stack play for autonomous agents — hardware-agnostic on paper, but optimised for their silicon in practice. Jensen's comparison to Linux and HTML is aspirational, but the strategy is clear. **The Gap — Alpha does not equal production.** Single-player mode. No multi-tenant support. K3s running inside Docker for one sandbox. The architecture is heavyweight and the docs say "expect rough edges." Enterprise teams should evaluate the design, contribute to the project, and plan for maturity — but keep their current security posture until this hardens. --- ## Timeline | Date | Milestone | |------|-----------| | Nov 2025 | Clawdbot Launched — Peter Steinberger releases a personal AI assistant originally named Clawdbot (derived from "Claude"). It connects LLMs to local tools via messaging apps. | | Jan 2026 | Moltbot to OpenClaw — Trademark complaints from Anthropic force a rename to Moltbot, then quickly to OpenClaw. The lobster mascot sticks. Moltbook — an agent social network — launches alongside. | | Feb 2026 | Viral Explosion — OpenClaw surpasses 100K GitHub stars. Goes from 9K to 60K stars in 72 hours. Security researchers raise alarms. Steinberger joins OpenAI; project moves to an open-source foundation. | | Mar 2026 | GTC: NemoClaw + OpenShell Announced — NVIDIA announces NemoClaw and OpenShell at GTC 2026. Jensen Huang calls OpenClaw "the operating system for personal AI." NemoClaw enters alpha/early preview on March 16. China restricts state use of OpenClaw agents, citing security concerns. | --- ## Resources ### Official - [NVIDIA NemoClaw](https://www.nvidia.com/en-us/ai/nemoclaw/) — Official product page - [NemoClaw Developer Guide](https://docs.nvidia.com/nemoclaw/latest/index.html) — Full documentation - [NemoClaw GitHub](https://github.com/NVIDIA/NemoClaw) — Source code and issues - [OpenShell GitHub](https://github.com/NVIDIA/OpenShell) — The underlying security runtime - [OpenClaw GitHub](https://github.com/openclaw/openclaw) — The agent platform ### Sources - [NVIDIA Technical Blog](https://developer.nvidia.com/blog/run-autonomous-self-evolving-agents-more-safely-with-nvidia-openshell/) — Detailed OpenShell architecture walkthrough - [Cisco Blog](https://blogs.cisco.com/ai/securing-enterprise-agents-with-nvidia-and-cisco-ai-defense) — Enterprise integration with AI Defense - [The Next Platform](https://www.nextplatform.com/ai/2026/03/17/nvidia-says-openclaw-is-to-agentic-ai-what-gpt-was-to-chattybots/5209428) — Jensen Huang's GTC keynote analysis - [TechCrunch](https://techcrunch.com/2026/03/16/nvidias-version-of-openclaw-could-solve-its-biggest-problem-security/) — NemoClaw launch coverage - [NVIDIA Newsroom](https://nvidianews.nvidia.com/news/nvidia-announces-nemoclaw) - [NVIDIA Blog](https://blogs.nvidia.com/blog/secure-autonomous-ai-agents-openshell/) - [Wikipedia — OpenClaw](https://en.wikipedia.org/wiki/OpenClaw) --- *Content validated March 2026. Independent educational explainer by [Imbila.AI](https://imbila.ai).*