Blog

What is NemoClaw by NVIDIA?

NVIDIA NemoClaw is an open-source security stack that adds privacy controls, sandboxing, and policy-based guardrails to OpenClaw AI agents. Announced at GTC 2026, it addresses the single biggest concern enterprises have about autonomous AI agents: how do you run them safely?

Short answer

NemoClaw installs NVIDIA OpenShell (a secure sandbox runtime) and Nemotron models with a single command, giving OpenClaw agents controlled file access, network boundaries, and inference routing — all governed by declarative YAML policies.

Key resources

Official page: nvidia.com/en-us/ai/nemoclaw
GitHub: github.com/NVIDIA/NemoClaw
OpenShell: github.com/NVIDIA/OpenShell

Why NemoClaw matters: the agent security problem

OpenClaw became the fastest-growing open-source project in history by giving everyone access to autonomous AI agents that can read files, execute commands, browse the web, and send messages. But that power comes with risk. An agent that can read your files can also exfiltrate them. An agent that can execute commands can run the wrong ones. An agent that can browse can phone home to unexpected endpoints.

This is why companies like Meta have asked employees to avoid using OpenClaw on work computers. WIRED reported on agents going rogue and mass-deleting emails. The industry needed a way to let agents be useful and safe.

NVIDIA NemoClaw is NVIDIA's answer. Instead of asking teams to build their own security layers, NemoClaw provides a pre-built stack that wraps OpenClaw in a hardened, policy-controlled environment — installable in one command.

What is NemoClaw, technically?

NemoClaw is a plugin for OpenClaw that orchestrates three things:

  • OpenShell runtime: A sandboxed execution environment that isolates each agent instance with filesystem, network, and process constraints.
  • Nemotron models: NVIDIA's family of open models (Nano, Super, Ultra) optimized for agentic reasoning, available via cloud API or local inference.
  • Policy engine: Declarative YAML policies that control what agents can access, where they can connect, and how inference calls are routed.

The architecture is built on K3s (lightweight Kubernetes) running inside a single Docker container. This means you get container orchestration and policy enforcement without managing a full Kubernetes cluster.

Component breakdown

Component Role
Plugin TypeScript CLI commands for launch, connect, status, and logs.
Blueprint Versioned Python artifact that orchestrates sandbox creation, policy, and inference setup.
Sandbox Isolated OpenShell container running OpenClaw with policy-enforced egress and filesystem.
Inference NVIDIA cloud model calls, routed through the OpenShell gateway, transparent to the agent.

How NemoClaw works: four-layer defense

OpenShell (the runtime underneath NemoClaw) applies defense in depth across four policy domains:

1. Filesystem isolation

Sandboxes start with a strict baseline: reads and writes are only allowed inside /sandbox and /tmp. This prevents agents from accessing sensitive files like ~/.ssh/keys, ~/.aws/credentials, or any other data outside the allowed paths. Filesystem policies are locked at sandbox creation and cannot be changed at runtime.

2. Network policy enforcement

By default, sandboxes have minimal outbound access. When an agent tries to reach an unlisted host, OpenShell blocks the request and surfaces it in the TUI (terminal UI) for operator approval. Network policies are hot-reloadable — you can add or remove allowed endpoints without restarting the sandbox.

Example policy in YAML: 

# Allow read-only access to GitHub API
egress:
  - host: api.github.com
    methods: [GET]
    paths: ["/*"]

3. Process constraints

OpenShell uses Landlock and seccomp to block privilege escalation and dangerous syscalls. This means even if an agent (or compromised dependency) tries to escalate privileges or execute kernel-level operations, the sandbox prevents it. Like filesystem policies, process constraints are locked at creation time.

4. Inference routing

Inference requests from the agent never leave the sandbox directly. OpenShell intercepts every model API call and routes it through the privacy router to the configured backend (NVIDIA cloud or local model). This gives you control over which models agents can use and ensures API keys are managed centrally, not embedded in agent code.

Getting started with NemoClaw

NemoClaw is designed for single-command installation. The process installs Node.js (if needed), sets up the OpenShell gateway, creates a sandbox, configures inference, and applies security policies.

Prerequisites

Resource Minimum Recommended
CPU 4 vCPU 4+ vCPU
RAM 8 GB 16 GB
Disk 20 GB free 40 GB free

You also need Ubuntu 22.04+ (or compatible Linux), Node.js 20+, npm 10+, and Docker running. The sandbox image is approximately 2.4 GB compressed.

Installation

# Download and run the installer
$ curl -fsSL https://nvidia.com/nemoclaw.sh | bash

# Run the guided setup wizard
$ nemoclaw onboard

The nemoclaw onboard command prompts for your NVIDIA API key (from build.nvidia.com), creates a sandbox, and configures the default model (Nemotron-3-Super-120B via NVIDIA cloud).

Connecting to your sandbox

# Open an interactive shell inside the sandbox
$ nemoclaw my-assistant connect

# Start the OpenClaw TUI for chat
sandbox@my-assistant:~$ openclaw tui

# Or send a single message via CLI
sandbox@my-assistant:~$ openclaw agent --agent main --local -m "hello" --session-id test

NemoClaw vs vanilla OpenClaw: what changes?

If you're already running OpenClaw, you might wonder what NemoClaw actually adds. Here's the comparison:

Aspect Vanilla OpenClaw OpenClaw + NemoClaw
File access Agent can read/write workspace directory Sandboxed to /sandbox and /tmp only
Network access Unrestricted outbound (configurable per tool) Policy-enforced; blocked by default
Model API keys Stored in config files Injected at runtime; never in filesystem
Inference routing Direct to provider APIs Proxied through privacy router
Approval flow Manual intervention via chat TUI surfaces blocked actions for approval
Default model Any configured provider NVIDIA Nemotron (cloud or local)

Deployment options: cloud, on-prem, and RTX

One of NemoClaw's strengths is deployment flexibility. Always-on agents need dedicated computing, and NVIDIA supports multiple paths:

Cloud inference (default)

The simplest path: inference routes through NVIDIA cloud APIs (build.nvidia.com). You need an API key but no local GPU. This is ideal for teams that want security controls without hardware investment.

Local inference on RTX

For enhanced privacy and cost efficiency, NemoClaw can run Nemotron models locally on:

  • NVIDIA GeForce RTX PCs and laptops
  • NVIDIA RTX PRO workstations
  • NVIDIA DGX Station AI supercomputers
  • NVIDIA DGX Spark systems

Local inference keeps all context and computation on your hardware — no data leaves your premises.

Remote GPU deployment (experimental)

NemoClaw includes experimental support for deploying to remote GPU instances through Brev: 

$ nemoclaw deploy my-instance --remote

NemoClaw and the broader NVIDIA ecosystem

NemoClaw isn't a standalone product — it integrates with NVIDIA's broader AI stack:

NVIDIA NeMo framework

NemoClaw builds on the NeMo framework for model training and agent reasoning pipelines. If you're already using NeMo for custom model development, NemoClaw provides the deployment and security layer.

NVIDIA NIM microservices

NIM (NVIDIA Inference Microservices) provides the inference layer that NemoClaw routes to. This gives you optimized, production-ready model serving without managing inference infrastructure.

NVIDIA Agent Toolkit

NemoClaw is part of the NVIDIA Agent Toolkit, which includes:

  • OpenShell: The sandbox runtime (what NemoClaw installs)
  • AI-Q: For building reasoning agents that transform enterprise data into explainable results
  • Nemotron models: Open models optimized for agentic workloads

Current limitations and maturity

NemoClaw is currently in early preview (alpha). NVIDIA explicitly notes:

  • Interfaces, APIs, and behavior may change without notice
  • Not yet production-ready for multi-tenant deployments
  • Currently requires a fresh OpenClaw installation (not an in-place upgrade)
  • Some openclaw nemoclaw plugin commands are under active development

For production enterprise deployments, expect the platform to mature over the coming months. For experimentation and single-developer use, it's ready to try today.

When should you use NemoClaw?

NemoClaw makes sense if any of these apply:

You're deploying agents in enterprise environments

If your security team has questions about data exfiltration, credential handling, or network boundaries, NemoClaw provides a defensible answer: policy-controlled sandboxes with audit trails.

You need always-on agents

Agents that run 24/7 (monitoring, alerting, scheduled tasks) need isolation. You don't want a long-running agent to accumulate access or make unexpected network calls at 3 AM.

You want to use NVIDIA models

If Nemotron models fit your use case, NemoClaw gives you the easiest path to run them with OpenClaw. The privacy router handles API keys and routing automatically.

You're building multi-agent systems

Multiple agents mean multiple privilege boundaries. NemoClaw's sandbox-per-agent model lets you isolate contexts: a research agent shouldn't have the same access as a deployment agent.

Alternatives and complements

NemoClaw isn't the only way to run OpenClaw securely. Consider these alternatives:

Managed OpenClaw hosting

Services like OpenClaw Setup handle infrastructure, updates, and baseline security for you. This trades some control for operational simplicity. Compare at OpenClaw Setup vs self-hosted.

Container-based isolation

You can run OpenClaw in Docker with manual network policies and volume mounts. This works but requires more configuration and doesn't give you the policy engine or inference routing.

Virtual machine isolation

Running each agent in its own VM provides strong isolation but significant overhead. NemoClaw's container-based approach is lighter weight while still enforcing boundaries.

Frequently asked questions

Is NemoClaw only for NVIDIA hardware?

No. The default configuration uses NVIDIA cloud APIs, which work on any hardware. Local inference on NVIDIA GPUs is optional for enhanced privacy and cost efficiency.

Can I use other models besides Nemotron?

Yes. NemoClaw's privacy router can route to frontier cloud models (OpenAI, Anthropic, etc.) while maintaining your security guardrails. The default is Nemotron, but it's not the only option.

Does NemoClaw replace OpenClaw?

No — it extends OpenClaw. NemoClaw is a plugin that adds security infrastructure. You still use OpenClaw's agent capabilities; NemoClaw just wraps them in a safer execution environment.

What's the license?

NemoClaw is Apache License 2.0. OpenShell (the underlying runtime) is also Apache 2.0.

How do I get an NVIDIA API key?

Visit build.nvidia.com to create an account and generate an API key. The nemoclaw onboard command will prompt for this key.

Getting started checklist

  1. Ensure you have Ubuntu 22.04+, Node.js 20+, and Docker running
  2. Get an NVIDIA API key from build.nvidia.com
  3. Run curl -fsSL https://nvidia.com/nemoclaw.sh | bash
  4. Run nemoclaw onboard and follow the wizard
  5. Connect with nemoclaw <name> connect
  6. Start chatting with openclaw tui
  7. Customize network policies as needed for your workflow

Final take

NVIDIA NemoClaw is the missing infrastructure layer for safe autonomous AI agents. It doesn't change what OpenClaw can do — it changes where you can safely deploy it. For enterprises, teams with sensitive data, and anyone building production agent systems, NemoClaw provides a path from experimental to operational.

The single-command install, policy-based controls, and integration with NVIDIA's model ecosystem make it the most complete answer yet to the question: how do I run AI agents in production without losing sleep?

Visit NemoClaw page View on GitHub

Related reading

Cookie preferences