NemoClaw: NVIDIA's Answer to the Agentic AI Security Problem
OpenClaw became the fastest-growing open-source project in history. Over 250,000 GitHub stars. More popular than React. An AI agent that actually does things -- manages files, executes commands, browses the web, automates workflows.
Then came the CVEs.
One-click remote code execution. Command injection. Authentication bypass. Path traversal. 17,500 internet-exposed instances vulnerable to a single bug. 80 confirmed malicious payloads sitting on OpenClaw's central extension hub.
The agent that everyone loved was also the agent that could be weaponized.
At GTC 2026, NVIDIA's answer landed: NemoClaw -- an open-source security stack that wraps OpenClaw with enterprise-grade privacy and security guardrails. One command to install. Three isolation layers between your agent and the outside world.
Huang is right about the opportunity. But operating systems need security. And until NemoClaw, OpenClaw did not have it.
What Exactly Is NemoClaw?
NemoClaw is not a replacement for OpenClaw. It is a security wrapper -- a stack that sits around OpenClaw and enforces rules about what the agent can and cannot do.
Think of it like this: OpenClaw is the engine. NemoClaw is the seatbelt, the airbag, and the guardrails on the highway.
The stack has four core components:
- OpenShell -- a runtime that creates an isolated sandbox for every agent session. Kernel-level isolation, not just application-layer controls.
- NVIDIA Agent Toolkit -- the foundational safety architecture that connects everything.
- Privacy Router -- monitors all agent behavior and routes model calls through approved channels. When the agent needs a cloud model, the privacy router enforces guardrails on what data leaves the machine.
- Nemotron models (Nemotron 3 Super 120B) -- open models that run locally on your hardware for private inference. No data leaves your machine unless you explicitly allow it.
The full source code is on GitHub. Installation is deliberately simple:

```bash
curl -fsSL https://nvidia.com/nemoclaw.sh | bash
nemoclaw onboard
```
One command installs the stack. The second configures your security policies. That is a deliberate design choice -- if security is hard to set up, people skip it.
How It Actually Works: Three Isolation Layers
Under the hood, NemoClaw uses a two-part architecture: a lightweight TypeScript plugin handles the CLI, while a versioned Python blueprint orchestrates sandbox creation. The blueprint verifies its own digest integrity before execution -- supply chain safety baked into the install process.
Every agent session runs inside an OpenShell sandbox with three isolation mechanisms:
1. Network Policy
A YAML-based configuration file (openclaw-sandbox.yaml) defines exactly which endpoints the agent can reach. Everything else is blocked by default. If the agent tries to call an unapproved URL, the request surfaces in the terminal UI for the operator to approve or deny.
Approved endpoints persist only for the current session. Next session, the baseline resets. Reproducible, auditable security.
2. Filesystem Isolation
Write access is limited to /sandbox and /tmp. System paths are read-only. The agent cannot modify your operating system, install packages system-wide, or touch files outside its sandbox. This alone eliminates entire categories of the attacks that plagued OpenClaw.
3. Inference Routing
All model calls route through OpenShell. By default, inference goes to NVIDIA's Nemotron 3 Super 120B via their cloud endpoint. Models can be switched at runtime without restarting the sandbox. The key point: the agent never makes direct external inference requests. Every call is mediated.
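To make the first two layers concrete, here is an added Python model (not NemoClaw's or OpenShell's own code) of a default-deny egress allowlist with session-scoped operator approvals, plus a write-scope check for the /sandbox and /tmp roots. The policy keys, class and function names are assumptions, since the page does not show the openclaw-sandbox.yaml schema.

```python
import posixpath
from urllib.parse import urlsplit

# Constructed policy in the shape the article describes; the real
# openclaw-sandbox.yaml schema is not shown, so these keys are assumptions.
POLICY = {
    "network": {"allow": ["api.openai.com", "*.nvidia.com"]},
    "filesystem": {"writable": ["/sandbox", "/tmp"]},
}


def _host_matches(host: str, pattern: str) -> bool:
    """Exact match, or suffix match on the dot when the pattern starts with '*.'."""
    if pattern.startswith("*."):
        return host == pattern[2:] or host.endswith(pattern[1:])
    return host == pattern


class SandboxPolicy:
    """Default-deny egress allowlist plus a write-scope check.

    Operator approvals live only in session_allow and are discarded by
    new_session(), so only the baseline policy persists across sessions."""

    def __init__(self, policy: dict):
        self.baseline = list(policy["network"]["allow"])
        self.writable = [posixpath.normpath(p) for p in policy["filesystem"]["writable"]]
        self.session_allow: set = set()

    @staticmethod
    def _host(url: str) -> str:
        return (urlsplit(url).hostname or "").lower()

    def check_network(self, url: str) -> str:
        """'allow' if baseline or session-approved, 'deny' if unparseable,
        otherwise 'pending' (surface to the operator for a decision)."""
        host = self._host(url)
        if not host:
            return "deny"
        if host in self.session_allow or any(_host_matches(host, p) for p in self.baseline):
            return "allow"
        return "pending"

    def approve(self, url: str) -> None:
        """Operator approved an endpoint: remembered for this session only."""
        host = self._host(url)
        if host:
            self.session_allow.add(host)

    def new_session(self) -> None:
        self.session_allow.clear()

    def check_write(self, path: str) -> bool:
        """Absolute path, '..' collapsed lexically, must sit under a writable root.
        A real sandbox also resolves symlinks; normpath alone does not."""
        if not path.startswith("/"):
            return False
        norm = posixpath.normpath(path)
        return any(norm == root or norm.startswith(root + "/") for root in self.writable)
```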
Why OpenClaw Needed This (The Security Breakdown)
If you have been following the OpenClaw story, you know the trajectory: weekend project, viral sensation, critical vulnerabilities.
Here is what researchers found:
- CVE-2026-25253: A one-click remote code execution flaw affecting every OpenClaw version before 2026.1.29. Researchers identified 17,500 internet-exposed instances vulnerable to this single bug.
- Six additional CVEs covering command injection, server-side request forgery, authentication bypass, and path traversal.
- 80 confirmed malicious payloads on OpenClaw's central hub for agent extensions -- the equivalent of a malware-infested app store.
- Indirect prompt injection enabling persistent attacker control over agents.
The root cause is architectural. OpenClaw has roughly 500,000 lines of code, over 70 software dependencies, and 53 configuration files. It uses application-layer security controls (whitelists, pairing codes) rather than OS-level isolation. This means every vulnerability in any dependency becomes a potential attack vector.
The Real Risk
An unsecured AI agent with system access is not just a software vulnerability -- it is a door into your entire infrastructure. File access, command execution, browser control, API keys -- everything the agent can reach, an attacker can reach through the agent.
NemoClaw vs. OpenClaw vs. NanoClaw
NemoClaw is not the only response to OpenClaw's security gaps. The landscape now includes three distinct approaches:
| App | Codebase Size | Security Model | Model Support | Best For |
|---|---|---|---|---|
| OpenClaw | ~500K lines | Application-layer | OpenAI, Anthropic, local | Developers, hobbyists |
| NanoClaw | ~500 lines | OS-level containers | Optimized for Claude | Security-first teams |
| NemoClaw | OpenClaw + security stack | Kernel-level sandbox | Vendor-agnostic + Nemotron | Enterprise deployment |
OpenClaw remains the most feature-rich option with 50+ native integrations and support for every major model provider. But it requires significant external hardening -- VLANs, read-only filesystems, custom infrastructure -- to run safely.
NanoClaw took the opposite approach: just 500 lines of code, native Docker/Apple Container sandboxing, and a focus on code readability. A developer can understand the entire codebase in eight minutes. The tradeoff is fewer integrations and optimization primarily for Anthropic's Claude.
NemoClaw sits in the middle. It keeps OpenClaw's full feature set and wraps it in NVIDIA's enterprise security stack. Vendor-agnostic model support (including local Nemotron inference), kernel-level isolation, and a privacy router that governs all external communication.
For personal projects, OpenClaw with basic hardening is fine. For anything touching production systems, customer data, or regulated environments, NemoClaw is the clear choice today.
The Bigger Picture: Why Agentic Security Is Now a Board-Level Priority
NemoClaw matters beyond NVIDIA and OpenClaw. It signals a shift in how the industry thinks about AI agents.
We spent 2024 and 2025 asking: Can we build agents that actually work? The answer turned out to be yes -- faster than anyone expected.
Now the question is: Can we secure them?
The governance gap is real. According to Deloitte's 2026 AI report, only 20% of organizations have mature governance models for their AI deployments. The other 80% are either ignoring the problem or improvising.
And the attack surface is growing. In September 2025, Salesforce's Agentforce had its "ForcedLeak" incident -- malicious inputs designed to exfiltrate CRM data through an AI agent. This was not a theoretical risk. It happened.
The competitive landscape for agentic security is filling up fast:
- Galileo Agent Control -- an open-source control plane for governing AI agents at scale
- Microsoft Agent 365 -- launching May 1, 2026, a unified control plane for agent governance
- Netskope One AI Security Suite -- covering discovery, guardrails, gateway, and red teaming
- PointGuard AI -- the first platform with a fully integrated MCP Security Gateway
Every major infrastructure vendor is building guardrails for AI agents. This is not a trend -- it is infrastructure becoming mandatory.
What This Means for Your Business
If you are running AI agents in production -- or planning to -- here is what NemoClaw's launch signals:
Security is no longer optional. The Wild West phase of "deploy fast, secure later" is ending. Every agent that touches your systems, your data, or your customers needs isolation, monitoring, and policy controls. NemoClaw makes this accessible for OpenClaw users, but the principle applies regardless of which framework you use.
Local inference changes the calculus. NemoClaw's ability to run Nemotron models locally means sensitive data never has to leave your infrastructure. For companies in regulated industries -- healthcare, finance, legal -- this removes one of the biggest objections to deploying AI agents.
The agent stack is maturing. We are moving from "cool demos" to "production infrastructure." OpenShell, YAML-based policies, reproducible sandbox configurations -- these are the building blocks of enterprise-grade agent deployments. If your current setup does not include sandboxing, network policies, and inference routing, you are already behind.
Where We Come In
At IJONIS, we build secure agentic workflows for businesses. From selecting the right agent framework (NemoClaw, NanoClaw, or custom architectures) to implementing sandbox policies, inference routing, and compliance controls -- we help companies move from AI experimentation to production deployment. If you are evaluating how to bring AI agents into your operations securely, let's talk.
FAQ
What is NemoClaw?
NemoClaw is an open-source security stack from NVIDIA that wraps OpenClaw with enterprise-grade privacy and security guardrails. It adds kernel-level sandboxing via OpenShell, a privacy router for controlling data flow, and local inference via Nemotron models.
What is the difference between NemoClaw and OpenClaw?
OpenClaw is the AI agent framework itself -- it runs tasks, manages files, and automates workflows. NemoClaw does not replace OpenClaw. It adds three security layers on top: network policy controls, filesystem isolation, and inference routing. Think of OpenClaw as the engine and NemoClaw as the safety system.
Is NemoClaw free?
Yes. NemoClaw is fully open source and available on GitHub. It runs on NVIDIA GeForce RTX, RTX PRO, DGX Station, and DGX Spark hardware.
Do I need NVIDIA hardware to run NemoClaw?
NemoClaw is optimized for NVIDIA GPUs (GeForce RTX, RTX PRO, DGX) for local model inference. Cloud inference via NVIDIA's endpoints works on any hardware, but local inference -- the privacy advantage -- requires NVIDIA GPUs.
How does NemoClaw handle data privacy?
NemoClaw routes all model calls through its privacy router. Sensitive data can stay on your local machine using Nemotron models. When cloud models are needed, the privacy router enforces YAML-based policies that control exactly what data leaves your infrastructure.
The Bottom Line
NemoClaw is exactly what the agentic AI ecosystem needed: a credible security layer from a company with the resources and incentive to maintain it. OpenClaw proved that autonomous AI agents work. NemoClaw proves that they can work safely.
The companies that figure out secure agent deployment first will have a structural advantage. Not because they have better AI models -- everyone has access to the same models. But because they will deploy those models into production faster, with fewer incidents, and with the governance frameworks that regulators increasingly require.
The race is no longer about building agents. It is about operating them responsibly.
And that race started at GTC 2026.