What Is NemoClaw?

The Problem: OpenClaw Without a Safety Net

OpenClaw is genuinely powerful. An AI agent that lives on your machine, connects to your messaging apps, reads your files, browses the web, and can take action on your behalf. It changes how work gets done.

But that power comes with a serious problem: there are no guardrails.

A standard OpenClaw agent has access to:

• Your entire filesystem, every file on your computer
• The open internet, connecting to any server anywhere
• Your shell, running any command your account can run
• Your installed tools: npm, git, Python scripts, whatever's there

For a single user automating personal tasks, this is acceptable. For a business running client data through an AI agent? It's a non-starter. IT departments called it exactly what it is: a security nightmare.

Harrison Chase (founder of LangChain, whose frameworks have been downloaded over a billion times) put it plainly: "I guarantee that every enterprise developer out there wants to put a safe version of OpenClaw onto their computer. The bottleneck has never been interest. It has been the absence of a credible security and governance layer underneath it."

NemoClaw is that missing layer.

What NemoClaw Actually Is

NemoClaw is a security wrapper for OpenClaw. It takes the raw, powerful-but-unsandboxed OpenClaw agent and runs it inside a tamper-resistant container where every action is governed by rules you set.

The jail cell analogy: Imagine OpenClaw is a brilliant contractor with master keys to your office building. NemoClaw puts that contractor in a specific wing of the building with a specific badge. The badge only opens certain doors. A security camera logs everything they do. The network phone in that wing only calls pre-approved numbers. And the contractor physically cannot leave that wing, not as a matter of policy, but because the building's physical infrastructure prevents it.

NemoClaw has four interlocking parts:

1. The Plugin (TypeScript): Runs on your host machine. Provides the CLI commands you interact with (nemoclaw onboard, nemoclaw connect, nemoclaw status, nemoclaw logs). The control panel you use from the outside.
2. The Blueprint (Python): A versioned artifact stored in NVIDIA's container registry. Contains the real logic for sandbox creation, policy application, and inference setup. Cryptographically verified before execution and can't be tampered with.
3. The Sandbox (OpenShell Container): The actual jail. A ~2.4GB container image running inside lightweight Kubernetes (k3s) managed by OpenShell. OpenClaw runs inside this container with the security policies applied. The agent can't see outside the container.
4. The Inference Gateway (OpenShell Gateway): All AI model calls from the agent go through this gateway. It's the only door that connects the sandbox to the outside world. The gateway enforces network policies and routes to approved AI endpoints only.

What OpenShell Is

NemoClaw is built on top of OpenShell, NVIDIA's containerization platform for AI workloads. Think of OpenShell as the foundation that NemoClaw uses to do its work.

OpenShell manages:

• The container (the sandbox itself)
• The network gateway (traffic control)
• The inference routing (model API management)
• The k3s Kubernetes cluster that orchestrates it all

You interact with OpenShell through the openshell CLI for advanced operations. For most users, the nemoclaw CLI wraps everything you need without requiring you to know OpenShell's internals.

The 4 Security Layers

NemoClaw's security isn't a single feature. It's four interlocking layers, each addressing a different attack surface. Here's each one explained without the engineering jargon:

Layer 1: Landlock (Filesystem Jail) 🗝️

Analogy: A locked room.

The agent lives in a room. Landlock is the walls, ceiling, and floor. The agent physically cannot reach files outside of its allowed directories, not as a policy rule, but because the Linux kernel itself enforces the boundary. It's not that the agent is "not allowed" to read your tax returns. It literally cannot see them. They don't exist from inside the container.

What the agent CAN access: /sandbox (its home, read+write), /tmp (temporary storage), plus read-only access to standard system files it needs to function.

What it CANNOT access: Everything else on your machine: personal documents, other users' files, system configuration files, your OpenClaw workspace outside the sandbox.

Layer 2: seccomp (System Call Filter) 🔧

Analogy: A list of allowed tools.

Every program communicates with the operating system through "system calls": asking to create a file, open a network connection, spawn a new process. seccomp is a whitelist of which system calls the agent is allowed to make. Dangerous calls (like becoming root/admin, attaching to other processes, or running arbitrary programs) are blocked at the kernel level. Even if something inside the sandbox wanted to escalate privileges, the kernel would refuse. No exceptions.

Layer 3: Network Namespace (Private Network) 🌐

Analogy: A private phone line.

The agent runs in its own isolated network, completely separate from your real home or office network. When the agent tries to make any network request, it goes into this isolated environment first. The OpenShell gateway is the only bridge between the agent's isolated network and the real internet. Everything passes through that single controlled checkpoint.

Layer 4: Egress Policy (Hot-Reloadable Rules) 📋

Analogy: An approved contacts list.

A YAML document that says exactly which servers the agent is allowed to contact. By default, it includes: Anthropic API, NVIDIA Cloud inference, GitHub, npm registry, and Telegram. Everything else is blocked. Unlike the first three layers (locked at startup), this policy can be updated while the sandbox is running. You can add new approved endpoints without restarting anything.

When the agent tries to reach something not on the list, the OpenShell TUI (terminal interface) shows the blocked request with full details and asks you: Approve or Deny? If you approve, it's allowed for that session. Add it to the YAML file to make it permanent.

For a detailed walkthrough of each layer with configuration examples, see Security Explained →

GTC 2026 and Jensen Huang's Message

NemoClaw was announced on March 16, 2026 at NVIDIA GTC in San Jose, California, one of the most significant AI infrastructure conferences of the year.

Jensen Huang, NVIDIA's CEO, framed the announcement in terms that went far beyond a product launch:

"OpenClaw opened the next frontier of AI to everyone and became the fastest-growing open source project in history. Mac and Windows are the operating systems for the personal computer. OpenClaw is the operating system for personal AI. This is the moment the industry has been waiting for — the beginning of a new renaissance in software."

"Every company in the world today needs to have an OpenClaw strategy, an agentic system strategy. This is the new computer."

Jensen Huang doesn't make these kinds of comparisons casually. Comparing OpenClaw to Windows, the operating system that defined the personal computing era, is a statement about where he believes the industry is heading. When he announces that the security layer for this "new computer" is NemoClaw, backed by NVIDIA's hardware, the message to enterprise IT is clear: this is not a side project. This is infrastructure.

Launch-day partners including Box, Cisco, Atlassian, Salesforce, SAP, Adobe, and CrowdStrike all announced NemoClaw integrations on day one. These aren't small companies making adventurous bets. They're Fortune 500 players who have extensive enterprise compliance requirements and would not attach their names to alpha software unless they were convinced of the trajectory.

Who Should Care Now vs Later

Care Now 🔥

• Businesses with sensitive data that want AI automation: law firms, medical offices, mortgage companies, accounting firms. NemoClaw is the reason you can have the conversation about AI agents with your compliance team instead of getting a flat "no."
• Early-mover technologists who want to be the first in their industry with working NemoClaw deployments. The knowledge gap right now is enormous, and there are essentially no experts yet.
• MSPs and IT consultants whose clients have been asking about AI agents but couldn't get IT sign-off. NemoClaw changes the conversation.

Can Wait (But Watch It) 👀

• Individuals using OpenClaw for personal tasks without sensitive data. Basic OpenClaw is fine for now.
• Companies still evaluating OpenClaw itself. Get OpenClaw working first, then add NemoClaw as the next step.
• Anyone who needs production-stable software. It's alpha, and that matters. Interfaces will change.

Honest Alpha Status Assessment

What this means practically:

• Commands can change between updates. Something that works today might have a different syntax next month.
• Documentation is sparse in places. The official docs exist but don't cover every scenario.
• Windows users must use WSL2. No native Windows path yet.
• macOS Podman is explicitly not supported. You must use Colima or Docker Desktop.
• Local inference (running AI models on your own GPU) is experimental. Community workarounds exist but aren't officially polished.
• Approved network endpoints are session-only by default. You must add them to the YAML file or re-approve after a sandbox restart.

What this does NOT mean:

• It's not usable. It IS working software, and people are deploying it
• The security is compromised. The security layers work; the rough edges are in UX and feature completeness, not in the core security model
• NVIDIA will abandon it. The partner ecosystem and Jensen Huang's framing make this a strategic priority, not an experiment

The honest take: NemoClaw is real, working, and meaningful technology, announced on March 16, 2026. Early adopters who engage with it now get a significant knowledge advantage before the polished version arrives and everyone's an expert. The rough edges are real but manageable for technically capable teams.