Skip to main content

What Is NemoClaw?

NemoClaw is NVIDIA's open-source reference stack for running OpenClaw agents inside a hardened security sandbox. Jensen Huang announced it at the GTC 2026 keynote on March 16, 2026. It integrates OpenClaw with NVIDIA OpenShell (the kernel-level sandbox runtime), the Nemotron 120B MoE model for policy evaluation, and a privacy router that decides whether a task runs locally or in the cloud. NVIDIA built it with CrowdStrike, Cisco, and Microsoft Security so the sandbox plugs into existing enterprise EDR and SIEM tooling.

OpenClaw is powerful but permissive: when an agent can browse the web, run shell commands, and call external APIs, the blast radius of a compromised or misbehaving agent is significant. NemoClaw adds a mandatory process-level security layer without requiring developers to rewrite OpenClaw configs.

Current status: Alpha. APIs and policy schemas change between releases. Pin versions and test every upgrade in staging before production.

  • GitHub: github.com/NVIDIA/NemoClaw
  • License: Apache 2.0
  • Hardware: Runs on GeForce RTX, RTX PRO workstations, DGX Station, and DGX Spark; optimized for NVIDIA Vera CPUs

Why NemoClaw Exists

Two things happened in early 2026 that made enterprise-grade OpenClaw security urgent:

The OpenAI acquisition (February 2026). OpenClaw's creator Peter Steinberger joined OpenAI in February 2026 in a talent acquisition deal. OpenAI committed to keeping OpenClaw open-source under a foundation structure, but the change in stewardship created real uncertainty for enterprises running OpenClaw on sensitive workloads. Teams that had bet on OpenClaw as an independent project suddenly had questions about data handling, long-term licensing, and whether OpenAI-hosted cloud APIs would become the default inference path.

The ClawHub supply chain crisis. Security researchers identified 341 malicious skills in the ClawHub marketplace (OpenClaw's community extension registry) and over 135,000 exposed OpenClaw instances reachable from the internet without authentication. A single compromised skill can exfiltrate any file the agent process can read, make arbitrary outbound network calls, and persist across restarts. Base OpenClaw has no mechanism to prevent this.

NVIDIA built NemoClaw to address both concerns: process-level sandboxing that contains any compromised skill, and network egress policies that ensure agents cannot phone home to unauthorized endpoints, regardless of what the skill code does.

NemoClaw vs. Bare OpenClaw

CapabilityOpenClaw (bare)OpenClaw + NemoClaw
Filesystem access controlNone: agent reads any file the process user can accessLandlock restricts agent to its workspace directory only
Network egress controlNone: agent can call any hostPolicy-based allowlist; all other connections blocked at kernel level
Malicious skill containmentNo: a compromised skill runs with full process privilegesSandboxed: Landlock + seccomp limits blast radius
Audit trailNo structured loggingStructured JSON audit log of every file access and network attempt
PHI suitabilityNo: data can leave the server at any timeYes, with egress policy blocking all cloud endpoints
Skills supply chain riskHigh: 341 malicious skills identified on ClawHubMitigated: sandboxing limits what any skill can do
Inference portabilityFixed per config restartSwitch between cloud, NIM, and vLLM at runtime

How NemoClaw Relates to OpenClaw

NemoClaw is not a fork or replacement. It is a runtime wrapper. You install NemoClaw on top of an existing OpenClaw setup. NemoClaw intercepts the agent runtime start, runs it inside an OpenShell sandbox with your configured policies, and routes inference through your chosen provider.

Your OpenClaw config (~/.openclaw/config.yaml) remains unchanged. NemoClaw's policies are defined separately in /etc/nemoclaw/policy.yaml.

OpenClaw Gateway → NemoClaw Policy Engine → OpenShell Sandbox → Agent Runtime

Inference Router (cloud / NIM / vLLM)

OpenShell Sandboxing

OpenShell is NVIDIA's container-based process isolation runtime. NemoClaw uses it to enforce three layers of sandboxing:

1. Landlock (Filesystem Access Control)

Landlock is a Linux kernel feature that restricts which files and directories a process can read or write. NemoClaw configures Landlock rules so the agent can only access:

  • Its own workspace directory (~/.openclaw/workspace/)
  • Explicitly whitelisted paths

The agent cannot read /etc/passwd, /home/other-user/, SSH keys, or any path outside its sandbox.

2. seccomp (System Call Filtering)

seccomp restricts which Linux system calls the sandboxed process can make. NemoClaw applies a curated allowlist that permits file I/O, networking within policy, and process spawning, but blocks raw socket access, ptrace, and other syscalls with no legitimate agent use case.

3. Network Namespaces and Egress Policies

Each agent session runs in its own network namespace. Outbound connections are gated by an operator-controlled policy file:

# /etc/nemoclaw/policy.yaml
network:
egress:
allow:
- host: "api.anthropic.com"
port: 443
- host: "clawhub.dev"
port: 443
deny_all_other: true

This prevents the agent from making unexpected outbound calls, which matters when the agent handles internal data or PHI.

Inference Providers

NemoClaw supports three inference backends. You switch between them at runtime without restarting the gateway.

Provider 1: NVIDIA Cloud (Default)

Routes inference to NVIDIA's managed cloud via build.nvidia.com. Uses the Nemotron model family by default.

openshell inference set --provider nvidia-cloud --model nvidia/nemotron-3-super-120b-a12b

Best for: Getting started quickly, no local GPU required, lowest ops overhead.

Liquid Web fit: Any Liquid Web VPS works. The 4 GB plan ($8.50/mo on the current 50%-off-for-2-months promo, $17/mo list) is sufficient for the gateway and sandbox, since inference runs on NVIDIA's cloud.

Provider 2: Local NIM Service

NVIDIA NIM (NVIDIA Inference Microservice) is a containerized inference server with enterprise SLAs. It runs on your hardware and requires an NVIDIA GPU.

openshell inference set --provider nim-local --model nvidia/nemotron-3-super-120b-a12b

Configuration:

# /etc/nemoclaw/inference.yaml
nim_local:
endpoint: nim-service.local:8000
api_key: "${NIM_API_KEY}"

Best for: Teams that need on-prem inference with NVIDIA-supported models and enterprise support contracts.

Liquid Web fit: H100 NVL 94 GB ($2.98/hr on the current 25% promo, $3.97/hr list) or H200 NVL 141 GB ($3.87/hr promo, $4.38/hr list). Nemotron 3 Super 120B-A12B is a mixture-of-experts model with ~12B active parameters per token; the full weights require ~80 GB VRAM at FP8, so an H100 94 GB handles it and an H200 141 GB leaves headroom for longer context.

Provider 3: Local vLLM

vLLM is an open-source high-throughput inference server. It supports a wider range of models than NIM and is free to use.

openshell inference set --provider vllm-local --model meta-llama/Llama-3.3-70B-Instruct

Configuration:

# /etc/nemoclaw/inference.yaml
vllm_local:
endpoint: host.openshell.internal:8000
model: meta-llama/Llama-3.3-70B-Instruct

Requirements:

  • vLLM server must bind to 0.0.0.0 (not localhost)
  • Host firewall must allow bridge subnet to port 8000
  • The model listed in config must match the model loaded in vLLM

Best for: Development and teams that want model flexibility and open-source tooling.

Liquid Web fit: L40S Ada 48 GB ($1.44/hr promo, $1.92/hr list) handles 70B models at 4-bit quantization. H100 NVL 94 GB handles 70B at full precision or 120B+ quantized.

Switching Inference Providers at Runtime

One of NemoClaw's notable capabilities is switching the inference provider without restarting the OpenClaw gateway. All active sessions continue; only new inference calls go to the new provider.

# Switch to local vLLM
openshell inference set --provider vllm-local --model meta-llama/Llama-3.3-70B-Instruct

# Switch back to NVIDIA cloud
openshell inference set --provider nvidia-cloud

# Check current provider
openshell inference status

This is useful for cost management: use the cloud during low-traffic hours when local GPU costs exceed inference costs, and switch to local during peak usage.

System Requirements

Minimum

ResourceRequirement
OSUbuntu 22.04 LTS or later
CPU4 vCPU
RAM8 GB (16 GB recommended)
Disk20 GB free (40 GB recommended; sandbox image is ~2.4 GB)
Node.js20+
npm10+
Container runtimeDocker (primary), Docker Desktop (macOS/Windows WSL), Colima (Apple Silicon)

With Local NIM or vLLM

Add GPU requirements per the inference provider section above. NemoClaw itself adds ~200 MB overhead to the base OpenClaw deployment.

Installation Overview

Full installation walkthrough is in the VPS deployment guide. Brief steps:

  1. Install OpenShell following the NVIDIA OpenShell docs (verify the install command against the current NVIDIA docs, since NemoClaw is Alpha and install paths change)
  2. Install NemoClaw from github.com/NVIDIA/NemoClaw
  3. Configure policy: edit /etc/nemoclaw/policy.yaml
  4. Configure inference: edit /etc/nemoclaw/inference.yaml
  5. Start: nemoclaw start

NemoClaw installs as a system service and starts automatically on boot.

Alpha Caveats

NemoClaw is Alpha software. Before adopting it:

  • Pin versions. nemoclaw@latest will break things. Pin to a specific release: nemoclaw@0.3.x.
  • Test upgrades. API and policy schema changes happen between minor versions.
  • Egress policy bugs. Several issues in the tracker relate to egress policy not applying correctly after provider switches. Verify with openshell network audit after any change.
  • Not audited. NemoClaw has not undergone a third-party security audit. Do not rely on it as your only control for regulated workloads. Layer it with infrastructure-level controls (see the HIPAA deployment guide).
Frequently Asked Questions

No. As of March 2026, NemoClaw is Alpha. NVIDIA has stated that APIs may change and it should not be used in production without careful version pinning and your own testing. Use it in development and staging, and plan for breaking changes.

Only for local inference providers (NIM or vLLM). The NemoClaw sandbox and OpenShell runtime are CPU-only. If you use the NVIDIA cloud inference provider, any Linux server (including a basic LiquidWeb VPS) is sufficient.

Yes, via the vLLM local provider. vLLM supports Llama, Mistral, Mixtral, Qwen, and hundreds of other open-source models from HuggingFace. You are not locked into Nemotron or NVIDIA-hosted models.

OpenShell is NVIDIA's container isolation runtime that NemoClaw uses to sandbox agent processes. It combines Landlock filesystem restrictions, seccomp syscall filtering, and network namespaces to constrain what the agent can access on the host.

They share brand lineage but are separate projects. NVIDIA NeMo is a framework for training and fine-tuning large language models. NemoClaw is a runtime security layer for OpenClaw agents. The naming reflects NVIDIA's broader Agent Toolkit branding, not a technical dependency.

Two triggers: First, OpenClaw's creator Peter Steinberger joined OpenAI in February 2026, creating enterprise uncertainty about data sovereignty and long-term open-source independence. Second, 341 malicious skills were discovered in the ClawHub marketplace with over 135,000 exposed OpenClaw instances. NVIDIA built NemoClaw to give enterprises a hardened runtime with process-level sandboxing and network egress controls, so compromised or misbehaving agents cannot exfiltrate data regardless of what skill code does.

Yes, substantially. NemoClaw's Landlock filesystem restrictions prevent an agent (including any installed skill) from reading files outside its workspace directory. Seccomp blocks raw socket access and other syscalls used for stealth exfiltration. Network egress policies prevent the agent from calling any host not explicitly allowlisted. A malicious skill running inside NemoClaw's sandbox cannot access SSH keys, environment files, or make unauthorized outbound calls, even if the skill code attempts to.

Common mistakes and fixes

NemoClaw install fails with 'OpenShell not found'.

OpenShell must be installed before NemoClaw. Follow the current install steps in the NVIDIA OpenShell docs (see developer.nvidia.com), then re-run the NemoClaw installer. Verify with: openshell --version.

vLLM inference provider returns connection refused.

vLLM must bind to 0.0.0.0 (not 127.0.0.1) so the sandbox can reach it via the bridge subnet. Set --host 0.0.0.0 when starting vLLM. Also verify your host firewall allows traffic from the Docker bridge network (172.17.0.0/16) on port 8000.

Sandbox image download is slow on first run.

The sandbox image is ~2.4 GB compressed. This only downloads once. On LiquidWeb GPU servers, the first pull takes 3–5 minutes on their 10 Gbps network. Subsequent starts use the cached image.

Apify Affiliate Banner 728x90Apify Affiliate Banner 728x90Apify Affiliate Banner 300x50Apify Affiliate Banner 300x50