Finding Nemo-Claw
OpenClaw became popular a few months ago and it raised the bar for what A.I. could do. This agent felt like a virtual assistant. OpenClaw agents could manage calendars, write and deploy code, send emails, or help you go viral in r/WallStreetBets.
OpenClaw's potential came with obvious privacy and security issues. For an agent to be useful, a person needs explicit control over what it can access: files, shell commands, APIs, and credentials. When it hallucinates, gets prompt injected, or just makes a bad call, things can go downhill pretty fast. Like, your leaked crypto wallet ain't coming back.
Yesterday at GTC 2026, NVIDIA announced NemoClaw, an open-source security and deployment stack built for OpenClaw agents. It doesn't replace OpenClaw. But, it wraps it in a controlled runtime, so agents can vibe-code securely even while you sleep.
Why this matters
The real shift is moving security out of the application layer and into a layer the agent cannot modify. Early agent architectures placed guardrails inside the same process they were meant to constrain: you told the agent not to do dangerous things in a system prompt and hoped that would be enough.
OpenShell takes a different approach. It treats the agent as an untrusted process, much like a browser treats a tab. Inside the sandbox, the agent has room to operate. It can install tools, write scripts, and learn new interfaces. But the moment it tries to cross a boundary by opening a file, making a network call, or executing a binary, it runs into kernel-level enforcement.
Now you can leave an OpenClaw agent to vibe code overnight and act as your virtual assistant while you sleep. If something goes wrong, the damage stays contained.
NemoClaw may become the standard for this. Either way, it provides an alternative to running vanilla OpenClaw on your personal device.
Technical Architecture
NemoClaw ain't just a wrapper. It's also a policy-enforcement runtime for the agentic workflow. NemoClaw has two main components: a TypeScript plugin that integrates with the OpenClaw CLI, and a Python blueprint that orchestrates OpenShell resources.
What's underneath the hood
NemoClaw forces the OpenClaw agent to run inside NVIDIA OpenShell, a purpose-built secure runtime. Here's an analogy: imagine OpenClaw as a capable but unpredictable employee, and NemoClaw as the secure office building they work in, with keycard readers on every door and a security desk monitoring the exits. OpenShell puts OpenClaw in a sandboxed environment with kernel-level isolation, so you can configure how OpenClaw works without giving it unrestricted access to local files, credentials, or external networks.
The sandbox. The agent runs in an isolated container. By default, it can only read and write to /sandbox and /tmp. Everything else on your system is either invisible or read-only. This isn't just container isolation. OpenShell uses Landlock for filesystem access control, seccomp filters to restrict system calls, and Linux network namespaces. The agent physically cannot touch what it hasn't been granted access to. The sandbox is meant for "self-evolving" agents. An agent can experiment, install skills, and learn new software interfaces within the sandbox without touching the host system. But it cannot execute an unreviewed binary. If it hits a constraint, it can reason about the roadblock and propose a policy update to the developer for approval, but it cannot bypass the constraint itself.
The network policy. All outbound traffic is deny-by-default. The agent can only reach domains and IPs explicitly listed in a YAML policy file. If the agent tries to connect somewhere new, the request gets blocked and a notification pops up on the host. You have to manually approve it. This is hot-reloadable, so you can grant access on the fly without restarting anything.
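To make the deny-by-default, hot-reloadable allowlist concrete, here is an added example (mine, not NemoClaw's or OpenShell's code) of the lifecycle the paragraph describes: a request to an unlisted host is denied and queued, the user approves it on the host by editing the policy file, and the next check picks the change up without a restart. The file layout, the `allow_domains`/`allow_ips` keys and the `approve` helper are assumptions; the policy text is constructed.

```python
import hashlib
import os
import tempfile
from urllib.parse import urlsplit

# Constructed sample policy. The file layout (a key ending in ':' followed by
# '- item' lines) is an assumption for this example, not NemoClaw's real schema.
SAMPLE_POLICY = """\
allow_domains:
  - api.nvidia.com
  - pypi.org
allow_ips:
  - 10.0.0.5
"""


def parse_policy(text):
    """Parse the key/list format above into {key: set(items)}."""
    policy, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith(":"):
            current = line[:-1]
            policy.setdefault(current, set())  # a repeated key merges, it does not reset
        elif line.startswith("- ") and current is not None:
            policy[current].add(line[2:].strip())
        else:
            raise ValueError(f"unrecognised policy line: {raw!r}")
    return policy


class NetworkPolicy:
    """Deny-by-default egress filter that re-reads its file whenever the contents change."""

    def __init__(self, path):
        self.path = path
        self._digest = None
        self.rules = {}
        self.pending = []  # destinations waiting for the host user to approve them
        self.reload()

    def reload(self):
        """Hot reload: re-parse only when the file's hash differs from the last load."""
        with open(self.path, "rb") as fh:
            data = fh.read()
        digest = hashlib.sha256(data).hexdigest()
        if digest != self._digest:
            self.rules = parse_policy(data.decode("utf-8"))
            self._digest = digest
            return True
        return False

    def check(self, url):
        """Return 'allow' or 'deny'; a denied host is queued so the user can review it."""
        self.reload()
        host = urlsplit(url).hostname or ""
        allowed = self.rules.get("allow_domains", set()) | self.rules.get("allow_ips", set())
        if host in allowed:
            return "allow"
        if host not in self.pending:
            self.pending.append(host)  # this is where the host-side notification would fire
        return "deny"


def approve(policy, host, key="allow_domains"):
    """Host-side step: the user (never the agent) appends the destination to the policy file."""
    with open(policy.path, "a", encoding="utf-8") as fh:
        fh.write(f"{key}:\n  - {host}\n")
    policy.pending = [h for h in policy.pending if h != host]


def demo():
    """Walk through deny -> approve -> allow against a temporary policy file."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "policy.yaml")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_POLICY)
        policy = NetworkPolicy(path)
        first = policy.check("https://github.com/some/repo")   # not listed: deny, queued
        approve(policy, "github.com")                           # user approves on the host
        second = policy.check("https://github.com/some/repo")  # picked up without a restart
        third = policy.check("https://updates.example/x")       # still deny-by-default
        return first, second, third


if __name__ == "__main__":
    print(demo())
```

Reloading on a content hash rather than a timestamp means an editor that preserves mtime, or two edits inside the same second, cannot leave the filter running stale rules. The important property to preserve in a real deployment is that `approve` is reachable only from the host side, never from inside the sandbox.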
The inference router. Agents constantly call LLMs to reason and plan. NemoClaw intercepts those calls and routes them to approved backends. For example, NVIDIA's cloud APIs (Nemotron) or local models running on your own GPU (Ollama). This keeps your prompt data from getting leaked to third parties. Outgoing prompts are also scanned for personal info and proprietary code. Depending on the data loss prevention (DLP) rules you set, it can block or mask the payload.
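Here is an added example (mine, not NemoClaw's router) of the two checks the paragraph describes: the model name must map to an approved backend, and the outgoing prompt is scanned against DLP rules that either mask the match in place or block the whole request. The backend names and endpoints, the rule set and the `route`/`scan` functions are assumptions; the patterns are illustrative, not a complete PII or secrets taxonomy.

```python
import re
from dataclasses import dataclass

# Approved inference backends. Names and endpoints are assumptions for this example;
# 11434 is Ollama's default port, the Nemotron URL is a placeholder.
APPROVED_BACKENDS = {
    "nemotron": "https://nemotron.example/v1",
    "ollama": "http://localhost:11434",
}


@dataclass(frozen=True)
class DlpRule:
    name: str
    pattern: re.Pattern
    action: str  # "mask" rewrites the match in place, "block" stops the request


# Constructed DLP rules: deliberately small, ordered so masks are applied before any block.
RULES = [
    DlpRule("email", re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"), "mask"),
    DlpRule("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "mask"),
    DlpRule("api_key", re.compile(r"\b(?:sk|key)-[A-Za-z0-9]{20,}\b"), "block"),
    DlpRule("proprietary", re.compile(r"(?i)proprietary and confidential"), "block"),
]


def scan(prompt):
    """Apply every rule; return (action, redacted_prompt, names_of_rules_that_fired)."""
    action, redacted, findings = "allow", prompt, []
    for rule in RULES:
        if not rule.pattern.search(prompt):
            continue
        findings.append(rule.name)
        if rule.action == "block":
            action = "block"  # one blocking hit wins over any amount of masking
        else:
            redacted = rule.pattern.sub(f"[{rule.name.upper()}]", redacted)
    return action, redacted, findings


def route(model, prompt):
    """Intercept an agent's LLM call: refuse unknown backends, then scan before forwarding."""
    backend = APPROVED_BACKENDS.get(model)
    if backend is None:
        return {"status": "denied", "reason": f"backend {model!r} is not approved"}
    action, redacted, findings = scan(prompt)
    if action == "block":
        return {"status": "blocked", "findings": findings}
    # In a real router this is where the HTTP request to `backend` would be made,
    # carrying `redacted` rather than the original prompt.
    return {"status": "forwarded", "backend": backend, "prompt": redacted, "findings": findings}


if __name__ == "__main__":
    print(route("ollama", "Email alice@example.com, SSN 123-45-6789, about ticket 42"))
    print(route("ollama", "Use token sk-abcdefghijklmnopqrstuvwxyz to deploy"))
    print(route("unknown-saas-model", "hello"))
```

The `findings` list is what you would log on the host: it records which rules fired without echoing the sensitive text itself, so the audit record does not become a second copy of the leak.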
Out-of-Process Policy Enforcement
This is the architectural decision that makes the whole thing work.
OpenShell borrows the browser-tab isolation model and applies it to AI agents. Enforcement happens outside the agent's process, so even if the agent is fully compromised, it cannot override the rules.
The policy engine evaluates every action at the binary, destination, method, and path level. Constraints are enforced across the filesystem, network, and process layers. Policy updates happen live at the sandbox scope, creating an immutable audit trail of every "allow" and "deny" decision. The agent cannot tamper with this trail.
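The sandbox rules from the earlier section (read/write only under /sandbox and /tmp, everything else read-only or invisible, no unreviewed binaries) and the policy engine described here share one evaluation loop, so this added example (mine, not OpenShell's or NemoClaw's code) covers both: each action is judged at the path, binary, destination and method level, and every verdict is appended to a hash-chained trail that detects later tampering. The policy shape, the `fs`/`exec`/`net` layer names and the sample actions are constructed assumptions.

```python
import hashlib
import json
import os.path

# Constructed policy. The fs/exec/net shape is an assumption for this example,
# not OpenShell's or NemoClaw's real policy format.
POLICY = {
    "fs": {
        "rw": ["/sandbox", "/tmp"],   # the agent may read and write here
        "ro": ["/usr", "/etc/ssl"],   # visible but read-only; any other path is invisible
    },
    "exec": {"reviewed": ["/usr/bin/python3", "/usr/bin/git"]},
    "net": {"allow": [("api.nvidia.com", "POST"), ("pypi.org", "GET")]},
}

GENESIS = "0" * 64


def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditTrail:
    """Append-only decision log; each entry commits to the previous entry's hash."""

    def __init__(self):
        self.entries = []

    def record(self, decision, action):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"prev": prev, "decision": decision, "action": action}
        self.entries.append({**body, "hash": _digest(body)})

    def verify(self):
        """Recompute the chain; an edited, dropped or reordered entry breaks it."""
        prev = GENESIS
        for entry in self.entries:
            body = {k: entry[k] for k in ("prev", "decision", "action")}
            if entry["prev"] != prev or _digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def _under(path, roots):
    """True if the normalised path is at or below one of the roots ('..' resolved first)."""
    norm = os.path.normpath(path)
    return any(norm == r or norm.startswith(r.rstrip("/") + "/") for r in roots)


class PolicyEngine:
    """Judges one action per layer and writes every verdict to the trail. In OpenShell this
    runs outside the agent's process; here the separation is the caller's responsibility."""

    def __init__(self, policy, trail):
        self.policy, self.trail = policy, trail

    def evaluate(self, action):
        layer = action.get("layer")
        if layer == "fs":
            if _under(action["path"], self.policy["fs"]["rw"]):
                decision = "allow"
            elif _under(action["path"], self.policy["fs"]["ro"]):
                decision = "allow" if action["mode"] == "read" else "deny"
            else:
                decision = "deny"
        elif layer == "exec":
            reviewed = self.policy["exec"]["reviewed"]
            decision = "allow" if os.path.normpath(action["binary"]) in reviewed else "deny"
        elif layer == "net":
            pair = (action["destination"], action["method"])
            decision = "allow" if pair in self.policy["net"]["allow"] else "deny"
        else:
            decision = "deny"  # unknown layers are denied, not ignored
        self.trail.record(decision, action)
        return decision


def run_demo():
    """Constructed sequence of agent actions; returns verdicts plus the trail check before
    and after simulating the agent rewriting one of its own 'deny' entries."""
    trail = AuditTrail()
    engine = PolicyEngine(POLICY, trail)
    actions = [
        {"layer": "fs", "path": "/sandbox/work/app.py", "mode": "write"},
        {"layer": "fs", "path": "/sandbox/../etc/passwd", "mode": "read"},  # traversal
        {"layer": "fs", "path": "/usr/lib/libssl.so", "mode": "write"},
        {"layer": "exec", "binary": "/sandbox/downloaded_tool"},           # unreviewed
        {"layer": "net", "destination": "api.nvidia.com", "method": "POST"},
        {"layer": "net", "destination": "api.nvidia.com", "method": "DELETE"},
    ]
    verdicts = [engine.evaluate(a) for a in actions]
    intact = trail.verify()
    trail.entries[1]["decision"] = "allow"
    return verdicts, intact, trail.verify()


if __name__ == "__main__":
    print(run_demo())
```

Two details carry the security weight. Paths are normalised before the prefix check, so `/sandbox/../etc/passwd` is judged as `/etc/passwd` and denied rather than slipping through on its `/sandbox` prefix; and the trail is verified by recomputation, so an agent that can read the log still cannot rewrite a verdict without invalidating every later entry. In OpenShell the trail additionally lives outside the sandbox, which is what makes it immutable from the agent's point of view rather than merely tamper-evident.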
What's in store for the future: The technical architecture of OpenShell, NemoClaw, OpenClaw