Source: ai-research/nvidia-nemoclaw-product-page-2026-05-21.md — nvidia.com/en-us/ai/nemoclaw, ai-research/nvidia-nemoclaw-github-readme-2026-05-21.md — github.com/NVIDIA/NemoClaw (Apache 2.0, 20,575★ at ingest, created 2026-03-15, last push 2026-05-21).
NVIDIA NemoClaw is NVIDIA’s first-party open-source reference stack for running OpenClaw assistants more safely. It bundles the NVIDIA OpenShell runtime (part of NVIDIA Agent Toolkit), a hardened sandbox blueprint, guided onboarding, OpenShell-managed channel messaging, and an experimental cost-routing model router behind a single curl | bash install. Alpha software — early preview since March 16, 2026, “not production-ready.” The repo crossed 20K stars in roughly two months — the loudest signal yet that OpenClaw has matured from community project to infrastructure that hyperscalers are willing to wrap their first-party stack around. NemoClaw is the open + self-hosted + NVIDIA-blessed counterpart to Anthropic’s Managed Agents (same agent-infrastructure cluster, opposite trust model — you own the box, NVIDIA owns the hardening defaults).
Key Takeaways
- NVIDIA’s first-party endorsement of OpenClaw as personal-AI OS. The product page calls it out explicitly: “OpenClaw has become the operating system for personal AI. NemoClaw adds security and privacy controls.” The architectural choice is significant — NVIDIA didn’t fork or replace OpenClaw, they built the hardening layer that lets enterprises and individuals run it confidently. Reference stack ≠ rewrite. This is the same posture VMware/Red Hat took toward Linux 20 years ago.
- Defense in depth, baked in. Default sandbox combines three Linux kernel mechanisms: Landlock (filesystem access control) + seccomp (syscall filtering) + netns (network namespace isolation). The install summary names all three explicitly — Sandbox my-assistant (Landlock + seccomp + netns). Compare with Alex Krantz’s observation that baseline OpenClaw security is mostly delegated to model reasoning + openclaw.json allow/deny lists — NemoClaw materially upgrades the floor.
- Single-command install. curl -fsSL https://www.nvidia.com/nemoclaw.sh | bash. The installer installs Node.js via nvm if absent, then runs a guided onboard wizard that creates the sandbox, configures inference, and applies security policies. Headless/CI form: NEMOCLAW_NON_INTERACTIVE=1 NEMOCLAW_ACCEPT_THIRD_PARTY_SOFTWARE=1. Runs as the user, no sudo — installs Node.js via nvm and NemoClaw via npm, both user-local. Docker must already be running.
- Default model: nvidia/nemotron-3-super-120b-a12b via NVIDIA Endpoints. The a12b suffix indicates an MoE architecture with ~12B active parameters out of 120B total. The pool also includes nvidia/Nemotron-3-Nano-30B-A3B (3B active / 30B total) for cheap path. Pool pricing exposed in pool-config.yaml: Nano = 0.10 / M input tokens. Sandbox can call cloud frontier models through the privacy router OR run Nemotron locally for privacy + cost — NemoClaw decides based on available compute.
- Model Router (experimental) implements the cost-routing thesis. Uses NVIDIA LLM Router v3’s prefill routing engine — a lightweight Qwen3.5-0.8B encoder predicts which model in a pool can answer correctly, then routes to the cheapest one that meets the accuracy threshold. tolerance: 0.20 default allows up to 20 percentage points below the best model for a cheaper one (0.0 = always-most-accurate, 1.0 = always-cheapest). Runs on the host as a LiteLLM proxy on port 4000; sandbox calls https://inference.local/v1 via the OpenShell gateway and never sees raw API keys. Same “router selects model per query” pattern as commercial products (OpenRouter, Portkey) but self-hosted and with NVIDIA’s own checkpoint.
- Architecturally a stack, not a fork. NemoClaw composes three NVIDIA layers underneath OpenClaw: NemoClaw (this — onboarding wizard, hardened blueprint, state, router) → OpenShell (the runtime — gateway, sandbox provisioning, policy enforcement) → NVIDIA Agent Toolkit (the broader software family). OpenClaw runs inside the sandbox that OpenShell provisions and NemoClaw configures. The lifecycle warning is explicit: use nemoclaw onboard to create/recreate the sandbox; avoid openshell self-update / openshell sandbox create / npm update -g openshell directly, or you’ll desync NemoClaw’s blueprint from OpenShell’s actual state.
- OpenShell gateway = L7 proxy with credential isolation. Every outbound call from the sandbox to inference (local or cloud) passes through the gateway. Routed-inference flow: Sandbox (OpenClaw) → OpenShell Gateway (L7 proxy) → Model Router (:4000) → NVIDIA API. Sandbox cannot probe localhost:4000 or host.openshell.internal directly; gateway terminates and re-emits credentials from the OpenShell provider system. This is the structural reason a NemoClaw sandbox is meaningfully safer than openclaw install && openclaw run on bare host.
- Hardware: from RTX laptops to DGX Spark. Product page lists GeForce RTX PCs/laptops, RTX PRO workstations, DGX Station, DGX Spark. README adds tested matrix: Linux Docker (primary), macOS Apple Silicon via Colima/Docker Desktop (tested with limitations), DGX Spark via Docker (tested, with a dedicated Spark playbook for local Ollama inference), Windows WSL2 (tested with limitations). Note the DGX Spark fit — NVIDIA’s personal-AI workstation explicitly positioned as a NemoClaw host.
- Resource floor is approachable. Minimum 4 vCPU / 8 GB RAM / 20 GB disk; recommended 4+ vCPU / 16 GB RAM / 40 GB disk. Sandbox image ~2.4 GB compressed. OOM-killer warning baked into the README — on <8GB-RAM machines the Docker daemon + k3s + OpenShell gateway + decompressed image layers can combine to trigger OOM during image push; 8 GB of swap is the documented workaround. Honest about its rough edges.
- Same-week launch family with Anthropic Managed Agents self-hosted sandboxes. Anthropic shipped self-hosted sandboxes for Managed Agents on 2026-05-19 (CMA agent loop on Anthropic orchestration + tool execution on customer infra via outbound-polling worker). NemoClaw is the opposite trust model on the same week of the same problem: NVIDIA ships the orchestration layer as open source, you run the whole stack on your hardware. Both converge on “the agent runs against tools on infrastructure the user controls” but split on who owns the orchestration plane (Anthropic-managed vs. user-managed).
- OSS license + transparent project structure. Apache 2.0. Primary language TypeScript. Repo structure (bin/ CJS CLI + nemoclaw/ TS plugin + nemoclaw-blueprint/ YAML/policies + nemoclaw-blueprint/router/llm-router/ LLM Router v3 submodule + scripts/ + test/ + fern/ + docs/) is conventional and inspectable. Security reports go through NVIDIA PSIRT + GitHub private vulnerability reporting — same posture as the rest of NVIDIA’s OSS portfolio.
- The agent infrastructure cluster keeps converging. This wiki has been tracking the infrastructure-was-the-wall thesis articulated in the Anthropic Platform team interview across multiple data points: Crabbox (OpenClaw-native ephemeral testboxes on Hetzner/AWS Spot), Anthropic Managed Agents (managed-tier sandboxed execution), Hermes seven-layer defense-in-depth (self-hosted self-improving), now NemoClaw (NVIDIA-blessed hardening of OpenClaw). The cluster is mature enough that a connections article on “agent-infrastructure trust-model spectrum 2026” is increasingly load-bearing.
Implementation
Tool/Service: NVIDIA NemoClaw (Apache 2.0, alpha software, early preview)
Setup:
# Standard install (interactive)
curl -fsSL https://www.nvidia.com/nemoclaw.sh | bash
# Headless / CI install
curl -fsSL https://www.nvidia.com/nemoclaw.sh \
| NEMOCLAW_NON_INTERACTIVE=1 NEMOCLAW_ACCEPT_THIRD_PARTY_SOFTWARE=1 bash
# After install — connect to the sandbox + open OpenClaw TUI
nemoclaw my-assistant connect
openclaw tui
Pre-reqs: Node.js 22.16+, npm 10+, Docker running before the installer. Min 4 vCPU / 8 GB RAM / 20 GB free disk (recommended 16 GB / 40 GB).
Cost: NemoClaw itself is free (Apache 2.0). Inference cost depends on path:
- Local Nemotron via Ollama on DGX Spark / RTX hardware — hardware-only cost, no per-token fee. (See Spark playbook for end-to-end local-inference walkthrough.)
- NVIDIA Endpoints (default cloud path) — nemotron-3-super-120b-a12b at the super tier (0.05 / M input tokens) per pool-config.yaml defaults.
- Cloud frontier models via the privacy router — passthrough to whatever you configure via OpenShell provider system; sandbox never sees raw keys.
Integration notes:
- The sandbox image is ~2.4 GB compressed. First-run image push needs 8+ GB RAM or 8 GB of configured swap to avoid the documented OOM-killer scenario.
- Sandbox-internal hostname is inference.local/v1. Never probe localhost:4000 or host.openshell.internal from inside the sandbox — gateway terminates those.
- Lifecycle commands route through nemoclaw, not bare openshell. Running openshell self-update or openshell sandbox create directly will desync NemoClaw’s blueprint state.
- Model swap post-onboard: nemoclaw inference set --model <model> --provider <provider> --sandbox my-assistant. Inspect with nemoclaw inference get.
- Uninstall via nemoclaw uninstall (with optional --keep-openshell + --delete-models). Fallback if CLI is broken: curl -fsSL https://raw.githubusercontent.com/NVIDIA/NemoClaw/refs/heads/main/uninstall.sh | bash.
- Docs at docs.nvidia.com/nemoclaw/latest/ (Fern-built, redirects to app.buildwithfern.com for the canonical render).
- Community: Discord, GitHub Discussions, GitHub Issues.
Routed-inference architecture (when enabled):
Sandbox (OpenClaw)
│
│ https://inference.local/v1 (sandbox-internal hostname)
▼
OpenShell Gateway (L7 proxy) # terminates TLS, injects creds from provider system
│
▼
Model Router (host port 4000) # LiteLLM proxy
│
│ PrefillRouter (Qwen3.5-0.8B encoder)
│ picks cheapest model below tolerance threshold
▼
NVIDIA API (or any configured api_base in pool-config.yaml)
Try It
- If you’ve been running OpenClaw on your daily-driver laptop — stop, and migrate to NemoClaw on a dedicated machine. The “treat OpenClaw like a new employee — give them their own workspace, not your laptop” rule from Jay’s primer gets meaningfully cheaper to follow now that NVIDIA ships a one-curl install with sandbox hardening on by default. Spare laptop, Mac mini, or — if you have one — a DGX Spark.
- Try the Spark playbook end-to-end if you own a DGX Spark. build.nvidia.com/spark/nemoclaw walks you through local Ollama inference, so the agent runs on your hardware with zero per-token cost. This is the strongest case for buying NVIDIA’s personal-AI workstation.
- Enable the Model Router with a 2-model pool first. Nano + Super at the default tolerance of 0.20 is a reasonable starting config — you’ll see ~half your queries route to Nano at half the input-token cost. Inspect actual routing decisions in the LiteLLM logs to validate the encoder is working as expected on your workload.
- Read the Security Best Practices page before connecting sensitive accounts. The page covers the controls reference, risk framework, and posture profiles. Then layer openclaw.json allow/deny lists on top per the OpenClaw primer.
- Don’t migrate production workloads yet. Alpha software, interfaces/APIs may change without notice. Use NemoClaw for personal assistants + experimentation; wait for GA before standing up customer-facing agents on it.
- Watch the repo for blueprint changes. NemoClaw ships the hardened blueprint as YAML under nemoclaw-blueprint/. As the project moves out of alpha, watching the diff of nemoclaw-blueprint/network-policies/ and nemoclaw-blueprint/router/pool-config.yaml is the cheapest way to track what NVIDIA’s security and routing defaults converge on.
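The tolerance rule described for the Model Router under Key Takeaways, applied to the two-model pool suggested above, as an added example (not NemoClaw or LLM Router v3 code). The Candidate type, the function names, the per-query scores and the relative costs are constructed for illustration; the selection logic follows only this page's wording: cheapest model whose predicted accuracy is within tolerance of the best.

```python
"""Added illustration of the tolerance rule as this page describes it.
Not LLM Router v3 code; model names, scores and costs are constructed."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Candidate:
    name: str
    cost: float       # relative input-token cost (constructed)
    p_correct: float  # router's predicted chance of a correct answer, 0..1

def route(pool, tolerance=0.20):
    """Return the cheapest model within `tolerance` of the best prediction."""
    if not pool:
        raise ValueError("empty model pool")
    if not 0.0 <= tolerance <= 1.0:
        raise ValueError("tolerance must be in [0.0, 1.0]")
    best = max(c.p_correct for c in pool)
    # Small epsilon so a model sitting exactly on the threshold stays eligible.
    eligible = [c for c in pool if c.p_correct >= best - tolerance - 1e-9]
    # Cheapest first; on equal cost prefer the more accurate model.
    return min(eligible, key=lambda c: (c.cost, -c.p_correct))

def routing_share(queries, tolerance=0.20):
    """Fraction of queries sent to each model, plus mean cost per query."""
    counts, total_cost = {}, 0.0
    for pool in queries:
        pick = route(pool, tolerance)
        counts[pick.name] = counts.get(pick.name, 0) + 1
        total_cost += pick.cost
    n = len(queries)
    return {name: hits / n for name, hits in counts.items()}, total_cost / n

def two_model_pool(nano_p, super_p):
    # Constructed pool: "nano" is priced at half of "super".
    return [Candidate("nano", 0.5, nano_p), Candidate("super", 1.0, super_p)]

# Constructed per-query predictions (nano, super); not measured data.
QUERIES = [two_model_pool(0.90, 0.95), two_model_pool(0.55, 0.92),
           two_model_pool(0.75, 0.95), two_model_pool(0.40, 0.85)]

if __name__ == "__main__":
    for t in (0.0, 0.20, 1.0):
        print(t, routing_share(QUERIES, t))
```

Comparing the share at tolerance 0.0, 0.20 and 1.0 on your own logged predictions shows how much accuracy headroom the default setting trades for cost.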
Related
- RoboNuggets) — Beginner primer to the system NemoClaw hardens. Read first if you don’t already have a mental model of soul.md / agents.md / heartbeat / channels / gateway.
- Principles for Autonomous System Design (Alex Krantz) — Architectural deep dive on OpenClaw — explicitly notes that baseline OpenClaw security is “not a particularly secure system” (security delegated to model reasoning + openclaw.json). NemoClaw is the structural answer to that observation.
- Crabbox — OpenClaw-native ephemeral remote-testbox plugin (Hetzner / AWS Spot / Azure / static-SSH). Same project ecosystem, complementary surface: NemoClaw hardens local sandboxes; Crabbox provides remote ephemeral compute.
- Anthropic Managed Agents — The closest analog from a different vendor. Same week, opposite trust model — Anthropic manages the orchestration plane; NemoClaw lets you self-host the whole stack on NVIDIA infrastructure.
- Managed Agents — self-hosted sandboxes + MCP tunnels — Anthropic’s 2026-05-19 launch of customer-side tool execution + private MCP tunnels. Same-week sibling launch.
- Anthropic Agent Platform team interview — The infrastructure-was-the-wall thesis that motivates this entire cluster.
- Nous Research Hermes Agent — The other major self-hosted autonomous-agent framework. Often discussed alongside OpenClaw; Hermes has its own seven-layer defense-in-depth model — useful comparison for security posture between the two ecosystems.
- Reflexio — External self-improvement harness with OpenClaw integration; companion to NemoClaw at the learning-loop layer (NemoClaw hardens the runtime; Reflexio improves the agent’s strategies between runs).
- OpenClaw on Rabbit R1 — Voice-input pairing pattern; NemoClaw could plausibly host the OpenClaw side of an R1 + OpenClaw setup on a dedicated DGX Spark.
Open Questions
- Quantitative security comparison: NemoClaw sandbox vs. Anthropic Managed Agents self-hosted sandboxes. Both shipped within ~2 months and both target sandboxed agent execution, but they make different assumptions about who runs the orchestration plane. Side-by-side threat-model comparison would be a strong connections candidate once both projects are out of preview.
- Nemotron-3 family architecture details. README references nvidia/nemotron-3-super-120b-a12b (default) + Nemotron-3-Nano-30B-A3B + nemotron-3-super-v3 (latest super) in pool-config.yaml. The a12b and A3B suffixes suggest MoE active-parameter counts but the README doesn’t link to an architecture spec. Worth pulling from NVIDIA’s Nemotron technical reports during a future refresh.
- Real-world routing quality benchmarks. README claims the prefill router picks “the cheapest one that meets an accuracy threshold” with tolerance: 0.20 default — but no head-to-head benchmark numbers on what percentage of queries route to Nano vs. Super on representative workloads (coding, summarization, tool use). LLM Router v3 repo or NVIDIA blog might have these.
- GA timeline. Alpha software since March 16, 2026. When does NemoClaw graduate from “interfaces may change without notice” to production-ready? No published roadmap milestone in the README.
- OpenShell standalone vs. NemoClaw posture. The Ecosystem doc page is titled “when to use NemoClaw versus OpenShell alone” — meaning OpenShell ships as a usable agent runtime even without NemoClaw on top. Worth surfacing the OpenShell-only path explicitly in a future refresh (separate primary article candidate).