NemoClaw: NVIDIA's Security Wrapper for OpenClaw
NVIDIA's sandboxed security layer for OpenClaw, announced at GTC 2026. Declarative YAML policies for network, filesystem, and inference control inside OpenShell runtime. Apache 2.0 license, 18k GitHub stars.
By Jose Nobile | 2026-04-20 | 12 min read
What Is NemoClaw?
NemoClaw is NVIDIA's security wrapper for OpenClaw, announced at GTC 2026. It is not a fork of OpenClaw -- it IS OpenClaw, running inside NVIDIA's OpenShell sandboxed runtime. The project adds a security enforcement layer on top of OpenClaw's existing agent framework, governing every network request, file access, and inference call through declarative YAML policies. Available in early preview since March 16, 2026, NemoClaw uses NVIDIA Agent Toolkit to enforce policy-based privacy and security guardrails, and evaluates available compute to run Nemotron models locally for enhanced privacy.
Licensed under Apache 2.0 and already at 18k GitHub stars, NemoClaw addresses one of the biggest concerns with autonomous AI agents: uncontrolled system access. By wrapping OpenClaw in OpenShell, NVIDIA provides enterprise-grade isolation without requiring users to rewrite their agent configurations or skills.
The key insight is that NemoClaw does not replace OpenClaw -- it constrains it. Your AGENTS.md, SOUL.md, MEMORY.md, skills, and channels all work identically. The difference is that every action passes through a policy enforcement layer before execution.
Architecture
NemoClaw's architecture is straightforward: the CLI installs the NVIDIA OpenShell runtime, then creates a sandboxed environment where OpenClaw runs with full functionality but restricted privileges. Every operation is mediated by the policy engine.
OpenShell Runtime
The container-like runtime that hosts the sandboxed OpenClaw instance. OpenShell provides process isolation, resource limits, and a controlled syscall interface. It runs as a lightweight daemon with minimal overhead.
Policy Engine
The central enforcement layer that reads declarative YAML policies and applies them to every operation. Policies define allowed network destinations, filesystem paths, process capabilities, and inference routing rules.
YAML Policy Files
Human-readable configuration files that define the complete security posture. Policies are hot-reloadable -- changes take effect without restarting the agent. Supports inheritance, overrides, and environment-specific variants.
Inference Gateway
A transparent proxy that intercepts all AI model calls from OpenClaw. The gateway routes requests to local NVIDIA models or approved cloud providers based on policy. It handles authentication, rate limiting, and privacy filtering.
The architecture is designed to be invisible to OpenClaw itself. From OpenClaw's perspective, it is running normally -- making network requests, accessing files, calling AI models. The sandbox intercepts these operations at the system level and enforces policy before allowing them to proceed.
Security Model
NemoClaw enforces security across four distinct layers, each governed by declarative YAML policy. All layers support hot-reload -- you can tighten or relax controls without restarting the agent.
Egress Controls
Hot-reloadable egress allowlists and denylists. Every outgoing network request is checked against the policy -- DNS resolution, HTTP connections, WebSocket upgrades, and raw TCP. Unauthorized destinations are blocked and logged.
Path Restrictions
Filesystem access is restricted to /sandbox and /tmp by default. The agent cannot read or write outside these directories. Sensitive paths (SSH keys, cloud credentials, system configs) are explicitly blocked.
Syscall Filtering
Seccomp-style syscall filtering limits which system calls the sandboxed process can make. Dangerous operations (process spawning, kernel module loading, raw device access) are blocked at the kernel level.
Provider Routing
All inference calls are transparently routed through the NemoClaw gateway. The gateway enforces which AI providers are allowed, applies rate limits, strips sensitive data from prompts, and logs all interactions for audit.
The security model is defense-in-depth: even if one layer is bypassed (e.g., a skill constructs a filesystem path that escapes the allowed directories), the other layers catch the violation. Network egress controls prevent data exfiltration, and syscall filtering prevents privilege escalation.
NVIDIA GPU Integration
NemoClaw integrates deeply with NVIDIA's AI ecosystem, providing native support for local model inference on NVIDIA GPUs alongside secure routing to cloud providers.
Nemotron Models
First-class support for NVIDIA Nemotron model family running locally on NVIDIA GPUs. NemoClaw configures optimal CUDA settings, manages VRAM allocation, and handles model loading/unloading based on demand.
Privacy Router
A policy-driven router that decides whether inference requests go to local GPU models or cloud providers (OpenAI, Anthropic, Google Gemini). Routing rules can be based on prompt content, sensitivity classification, cost, or latency requirements.
TensorRT Optimization
Automatic TensorRT optimization for local models, reducing inference latency and VRAM usage. NemoClaw compiles models to TensorRT format on first load and caches the optimized versions.
The privacy router is particularly valuable for enterprise deployments where sensitive data must not leave the local network. Prompts containing PII, financial data, or proprietary information can be automatically routed to local Nemotron models, while general queries use faster cloud providers.
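As an added illustration of the routing decision just described (example code written for this article, not NemoClaw's own): a small Python router that classifies each prompt, keeps anything sensitive on the local model, and sends general queries to the configured cloud fallback. The `local_preferred` and `fallback` fields mirror the policy.yaml keys shown later on this page; the regex classifier, the label names, the `nemotron-local` model name, `max_local_chars` and the fail-closed rule for sensitive prompts when no local model is loaded are assumptions.

```python
"""Policy-driven privacy router: decide per prompt whether inference stays on a
local Nemotron model or goes to a cloud provider.

Added example, not NemoClaw's own code. The detection rules, labels, model
names and the fail-closed rule for sensitive prompts without a local model are
assumptions; `local_preferred` and `fallback` mirror policy.yaml on the page.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed classifier rules. A production router would use a real DLP / PII
# classifier; these regexes only illustrate the decision flow.
SENSITIVE_PATTERNS = {
    "pii:email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "pii:ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "financial:card": re.compile(r"\b\d(?:[ -]?\d){12,15}\b"),
    "secret:api_key": re.compile(r"\b(?:sk-|AKIA)[A-Za-z0-9_-]{16,}\b"),
}


@dataclass(frozen=True)
class RoutingPolicy:
    local_preferred: bool      # inference.local_preferred from policy.yaml
    fallback: str              # inference.fallback from policy.yaml
    local_model: str           # assumed name of the locally served model
    local_available: bool      # assumed: whether the GPU model is currently loaded
    max_local_chars: int       # assumed: longer non-sensitive prompts go to cloud


@dataclass(frozen=True)
class Decision:
    target: str                # "local", "cloud" or "blocked"
    model: Optional[str]
    labels: Tuple[str, ...]    # sensitivity labels that fired
    prompt: str                # the prompt as it would be forwarded


def classify(prompt: str) -> Tuple[str, ...]:
    """Return the sorted labels of every sensitive pattern found in the prompt."""
    return tuple(sorted(label for label, rx in SENSITIVE_PATTERNS.items() if rx.search(prompt)))


def redact(prompt: str) -> str:
    """Replace each sensitive match with its label so logs never carry the raw value."""
    for label, rx in SENSITIVE_PATTERNS.items():
        prompt = rx.sub(f"[{label}]", prompt)
    return prompt


def route(prompt: str, policy: RoutingPolicy) -> Decision:
    """Apply the routing rules: sensitive stays local, otherwise prefer local when configured."""
    labels = classify(prompt)
    if labels:
        # Sensitive content never leaves the host. With no local model loaded the
        # request is refused rather than forwarded (fail closed); the stored copy is redacted.
        if policy.local_available:
            return Decision("local", policy.local_model, labels, prompt)
        return Decision("blocked", None, labels, redact(prompt))
    if policy.local_preferred and policy.local_available and len(prompt) <= policy.max_local_chars:
        return Decision("local", policy.local_model, (), prompt)
    return Decision("cloud", policy.fallback, (), prompt)


def audit_line(decision: Decision) -> str:
    """Audit record for the gateway log: target, model and labels, never the prompt text."""
    return (f"target={decision.target} model={decision.model or '-'} "
            f"labels={','.join(decision.labels) or '-'}")


if __name__ == "__main__":
    # Constructed policy and prompts for a quick run.
    gpu = RoutingPolicy(True, "anthropic/claude-sonnet-4", "nemotron-local", True, 2000)
    no_gpu = RoutingPolicy(True, "anthropic/claude-sonnet-4", "nemotron-local", False, 2000)
    for text in ("Summarize the quarterly roadmap",
                 "Email jane.doe@example.com the invoice for card 4111 1111 1111 1111"):
        print(audit_line(route(text, gpu)), "|", audit_line(route(text, no_gpu)))
```

The fail-closed branch is a design choice for this example: a gateway that instead strips the sensitive spans and forwards the remainder, as the page describes for its provider layer, would call `redact` before routing to `fallback`. The audit line deliberately records only labels, so the audit trail itself cannot become a second copy of the sensitive data.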
Getting Started
NemoClaw installs via a single command that sets up the OpenShell runtime, pulls the latest OpenClaw release, and initializes the default security policy:
cd nemoclaw-workspace
nemoclaw configure --policy default-strict
nemoclaw start
The default-strict policy allows only essential egress (AI provider APIs, npm registry), restricts filesystem to the workspace directory, and blocks all process spawning except Node.js and Chromium (for browser automation).
Customize the policy by editing policy.yaml in the workspace root:
egress:
  allow:
    - "api.anthropic.com"
    - "api.openai.com"
    - "*.googleapis.com"
  deny:
    - "*" # deny all other egress
filesystem:
  allow:
    - "/sandbox/**"
    - "/tmp/**"
inference:
  local_preferred: true
  fallback: "anthropic/claude-sonnet-4"
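As an added example (written for this article, not NemoClaw's or NVIDIA's code) of how the egress, path and process layers described under Security Model can evaluate a policy of this shape, here is a small Python policy engine. The POLICY dict mirrors the policy.yaml above; the `filesystem.deny` and `process.allow` keys, the most-specific-match-wins rule (deny wins ties, anything unmatched is denied), the relative-path handling and the audit line format are assumptions.

```python
"""Minimal policy engine for the egress, filesystem and process-spawn layers.

Added example, not NemoClaw's or NVIDIA's code. POLICY mirrors the policy.yaml
above; the `filesystem.deny` and `process.allow` keys, the most-specific-match
rule (deny wins ties, unmatched is denied) and the audit line format are assumptions.
"""
import posixpath
from fnmatch import fnmatchcase
from typing import List

# Constructed policy. Hosts and paths are either from the page or obvious placeholders.
POLICY = {
    "egress": {
        "allow": ["api.anthropic.com", "api.openai.com", "*.googleapis.com"],
        "deny": ["*", "denied-example.googleapis.com"],  # "*" = deny everything else
    },
    "filesystem": {
        "allow": ["/sandbox/**", "/tmp/**"],
        "deny": ["/root/.ssh/**", "/home/*/.ssh/**", "/home/*/.aws/**", "/etc/**"],
    },
    "process": {"allow": ["node", "chromium"]},  # assumed key; mirrors default-strict
}

AUDIT_LOG: List[str] = []  # one record per decision; a real engine ships these off-host


def _specificity(pattern: str) -> int:
    """Count literal characters so "api.openai.com" outranks "*.openai.com" outranks "*"."""
    return sum(1 for c in pattern if c not in "*?")


def _decide(subject: str, allow: List[str], deny: List[str]) -> bool:
    """Most specific matching rule wins; deny wins ties; no match at all means deny."""
    best_spec, allowed = -1, False
    for verdict, patterns in ((True, allow), (False, deny)):
        for pat in patterns:
            if not fnmatchcase(subject, pat):
                continue
            spec = _specificity(pat)
            if spec > best_spec or (spec == best_spec and not verdict):
                best_spec, allowed = spec, verdict
    return allowed


def _audit(layer: str, subject: str, allowed: bool) -> bool:
    AUDIT_LOG.append(f"layer={layer} subject={subject} verdict={'allow' if allowed else 'deny'}")
    return allowed


def check_egress(host: str, policy=POLICY) -> bool:
    """Egress layer: normalise the host name, then apply the allow/deny lists."""
    host = host.lower().rstrip(".")
    return _audit("egress", host, _decide(host, policy["egress"]["allow"], policy["egress"]["deny"]))


def check_path(path: str, policy=POLICY) -> bool:
    """Path layer: canonicalise first so "/sandbox/../root/.ssh/id_rsa" cannot ride
    the "/sandbox/**" allow rule. A real engine must also resolve symlinks (realpath)
    at open time; this example has no filesystem to consult."""
    if not path.startswith("/"):
        path = posixpath.join("/sandbox", path)  # assumed: relative paths resolve in the workspace
    canonical = posixpath.normpath(path)
    fs = policy["filesystem"]
    return _audit("fs", canonical, _decide(canonical, fs["allow"], fs["deny"]))


def check_spawn(executable: str, policy=POLICY) -> bool:
    """Process layer: only allow-listed program names may be spawned. Matching on the
    basename is illustrative; real enforcement keys on the resolved path or a hash."""
    name = posixpath.basename(executable)
    return _audit("spawn", name, name in policy["process"]["allow"])


if __name__ == "__main__":
    # Constructed requests: one benign and one escape attempt per layer.
    for host in ("api.anthropic.com", "exfil.example.net"):
        check_egress(host)
    for p in ("/sandbox/project/notes.md", "/sandbox/../root/.ssh/id_rsa"):
        check_path(p)
    for exe in ("/usr/bin/node", "/bin/sh"):
        check_spawn(exe)
    print("\n".join(AUDIT_LOG))
```

The canonicalisation step in `check_path` is the part that matters for the defense-in-depth point made earlier: a traversal path that textually starts with `/sandbox/` is normalised before any pattern is consulted, and the explicit deny entry for `/root/.ssh/**` then catches it a second time. The specificity rule lets a narrow deny override a wildcard allow, which is the usual way to carve a single host out of an otherwise trusted domain.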
Known Bugs
NemoClaw is in early alpha and under active development. The following bugs have been verified from the GitHub issue tracker. These are typical of a fast-moving open-source project and do not diminish the framework's strong architecture and security model.
#446: nemoclaw onboard not resumable
The onboarding process (nemoclaw onboard) cannot be resumed if interrupted. Users must restart the full onboarding from scratch after a failure or disconnection, which can be time-consuming on slow networks.
#414: Web Plugin getaddrinfo EAI_AGAIN
The web plugin intermittently fails with getaddrinfo EAI_AGAIN DNS resolution errors. This appears related to the sandbox's network interception layer conflicting with Node.js DNS resolution under high load.
#719: openclaw.json created as root
The openclaw.json configuration file is created with root ownership and incorrect permissions when NemoClaw runs the initial setup. Subsequent non-root operations fail until permissions are manually corrected.
#445: telegram-bridge.js hardcodes sandbox name
The Telegram bridge script hardcodes the sandbox name instead of reading it from the NemoClaw configuration. Users with custom sandbox names must manually edit the bridge script after installation.
#481: Can't connect Discord or Telegram
Some users report inability to connect Discord or Telegram channels after initial setup. The issue is traced to the default egress policy not including the required WebSocket endpoints for these platforms.
These are early alpha issues in a project that is actively maintained with frequent releases. The core security architecture is solid, and NVIDIA's backing ensures long-term support. Most bugs have workarounds documented in the issue threads.
OpenClaw vs NemoClaw
Choosing between plain OpenClaw and NemoClaw depends on your security requirements, hardware, and deployment context.
When Security Is Non-Negotiable
Enterprise deployments, regulated industries, multi-tenant environments, or any scenario where the agent must not be able to exfiltrate data, escalate privileges, or access unauthorized resources. NemoClaw's defense-in-depth model provides auditable guarantees.
When You Have NVIDIA GPUs
If you have NVIDIA hardware and want to run Nemotron models locally with automatic TensorRT optimization and a privacy router, NemoClaw provides a tighter integration than configuring these components manually with plain OpenClaw.
When You Need Maximum Flexibility
Personal deployments, rapid prototyping, or scenarios where the sandbox restrictions would interfere with your workflow (e.g., full filesystem access, arbitrary network connections, custom system integrations). Plain OpenClaw gives you unrestricted agent capabilities.
When Stability Matters More
NemoClaw is early alpha with known bugs. If you need a proven, stable agent framework today, plain OpenClaw has a longer track record and a larger community. You can always migrate to NemoClaw later when it matures.