TL;DR: NVIDIA NemoClaw wraps OpenClaw with enterprise security. Sandboxed agents, kernel-level isolation, zero-permission defaults. Free, open source, alpha stage.
OpenClaw became the fastest-growing open-source project in history. Over 4,600 GitHub stars. Thousands of developers building autonomous agents that write code, browse the web, and chain actions for hours without human input.
But enterprises stayed away. The reason was simple. No security guardrails. No sandboxing. No audit trails. One compromised agent could access your entire system.
On March 16, 2026, NVIDIA announced NemoClaw at GTC 2026. It solves this exact problem. NemoClaw adds enterprise-grade privacy and security controls to OpenClaw. It is not a replacement. It is a wrapper that makes autonomous agents safe for production.
Jensen Huang put it directly: “OpenClaw opened the next frontier of AI to everyone.” NemoClaw makes that frontier safe for business.
What’s your NemoClaw priority?
Select your situation below.
You’re building autonomous agents with NemoClaw and need specialized talent. Our AI/ML developers in Southeast Asia average $4,200/month—60% less than US rates. They have hands-on experience with NVIDIA frameworks and enterprise security implementations. Hire AI developers →
You need to deploy NemoClaw in production with proper sandboxing and security layers. Our DevOps engineers handle NVIDIA ecosystem integrations, kernel-level isolation, and audit trail configurations. Average rate: $3,800/month across Vietnam and Philippines. Find DevOps engineers →
Your NemoClaw agents need robust backend systems for API integrations and data processing. Our backend developers build production-grade infrastructure at $3,500-$5,200/month. They work with Python, Node.js, and enterprise security frameworks daily. Hire backend developers →
You’re budgeting for an AI development team and need accurate salary data. Our 2026 rate card shows AI engineers range from $3,200 in Vietnam to $6,800 in Singapore. Get country-by-country breakdowns for 12+ tech roles. View Asia salary data →
NemoClaw at a Glance
| Feature | Details |
|---|---|
| Released | March 16, 2026 (GTC 2026) |
| License | Apache 2.0 (free, open source) |
| Status | Alpha / early-access preview |
| Default Model | Nemotron 3 Super 120B (12B active parameters) |
| Security | 4-layer isolation (network, filesystem, process, inference) |
| GitHub Stars | 4,600+ |
| Install | Single command (curl -fsSL https://nvidia.com/nemoclaw.sh | bash) |
| Hardware | 4+ vCPUs, 8 GB RAM minimum |
| OS | Ubuntu 22.04 LTS or later |
What Is NVIDIA NemoClaw?
NemoClaw is an open-source software stack built on top of OpenClaw. It adds security infrastructure that enterprises need before deploying autonomous agents in production.
Think of it like browser tab isolation. Each tab runs in its own sandbox. If one tab gets compromised, it cannot touch the others. NemoClaw does the same thing for AI agents.
With a single command, NemoClaw installs NVIDIA Nemotron models and the NVIDIA OpenShell runtime. This creates a sandboxed environment for running “claws” (what OpenClaw calls its autonomous agents).
Peter Steinberger, creator of OpenClaw, said: “We’re building the claws and guardrails that let anyone create powerful, secure AI assistants.”
A Quick History of OpenClaw
Understanding NemoClaw requires understanding OpenClaw. Austrian developer Peter Steinberger published the original project in November 2025. He called it “Clawdbot.” It went viral in January 2026.
Anthropic filed trademark complaints. Steinberger renamed it to “Moltbot” on January 27, 2026. Three days later, it became “OpenClaw.” On February 14, 2026, Steinberger announced he was joining OpenAI. The project moved to an open-source foundation.
OpenClaw agents are persistent programs that use tools. They write code, browse the web, manipulate files, call APIs, and chain actions together. They can run for hours or days without human input. That power made enterprises nervous. NemoClaw is the answer to that nervousness.
How NemoClaw Works
NemoClaw has two main components. A TypeScript plugin and a Python blueprint. They work together but serve different purposes.
The TypeScript Plugin
This is a thin CLI package. It integrates with the OpenClaw CLI and registers commands under the openclaw nemoclaw namespace. It runs in-process with the OpenClaw gateway. It handles all user-facing interactions.
Commands include launch (fresh install), connect (interactive shell), status (state reporting), logs (streaming), and slash (chat handler).
The Python Blueprint
This is where the real security logic lives. It is a versioned artifact that contains all logic for creating sandboxes, applying policies, and configuring inference. The plugin resolves, verifies, and executes the blueprint as a subprocess.
This separation is smart. The plugin stays stable. The blueprint evolves on its own release cycle. Security patches ship without touching the CLI.
Blueprint Lifecycle
Every NemoClaw deployment follows five stages:
- Resolve. Locates the artifact. Validates against version constraints in
blueprint.yaml. - Verify. Confirms the artifact digest. Every artifact is immutable and digest-verified.
- Plan. Determines what OpenShell resources are needed. Gateway, inference, sandbox, policy.
- Apply. Executes the plan via
openshellCLI commands. - Status. Reports current state of the deployment.
Inference Routing
Agent requests never leave the sandbox directly. The flow is: Agent (inside sandbox) goes to the OpenShell gateway, then to NVIDIA cloud (build.nvidia.com). This keeps sensitive data contained.
NemoClaw also includes a privacy router. It keeps sensitive context on-device using local open models. It only routes to frontier models (like Claude or GPT) when policy allows. Routing decisions are based on cost and privacy policies. Not agent preferences.
The Four Security Layers
This is what makes NemoClaw different from running raw OpenClaw. Four layers of isolation protect your systems.
| Layer | What It Does | Can Be Changed at Runtime? |
|---|---|---|
| Network | Blocks unauthorized outbound connections. Uses allowlist. | Yes (hot-reloadable) |
| Filesystem | Restricts access outside /sandbox and /tmp. System paths are read-only. | No (locked at creation) |
| Process | Blocks privilege escalation and dangerous syscalls. Uses Landlock, seccomp, and netns. | No (locked at creation) |
| Inference | Reroutes API calls to controlled backends. | Yes (hot-reloadable) |
These constraints exist in the environment itself. Even if an agent gets compromised, it cannot override them. The agent does not control its own sandbox. The operator does.
Key Features
Zero-Permission Default
Agents start with zero permissions. They only get what the policy explicitly allows. This is the opposite of most tools where agents start with full access and you try to restrict them.
Operator Approval TUI
When an agent tries to reach an unlisted host, OpenShell blocks it. Then it surfaces the request in a terminal UI for human approval. You see exactly what the agent wants to access. You decide yes or no.
Credential Management
API keys, tokens, and service accounts are injected as environment variables at runtime. They never leak into the sandbox filesystem. If the sandbox is compromised, credentials are not exposed.
Full Audit Trail
Every allow/deny decision gets logged. For compliance-heavy industries like finance and healthcare, this is not optional. It is required.
GPU Passthrough
OpenShell can pass host GPUs into sandboxes. This lets agents run local inference or fine-tuning inside the secure environment. No need to send data to the cloud.
Policy as Code
Security policies are written in declarative YAML (openclaw-sandbox.yaml). Version them. Review them. Audit them. Treat security like you treat infrastructure. As code.
Out-of-Process Enforcement
This is the design decision that matters most. Security constraints live outside the agent process. The agent cannot disable its own guardrails. Even if the agent is compromised through prompt injection or a malicious tool, the sandbox holds.
Compare this to application-level security. If an agent manages its own permissions, a clever prompt can trick it into removing restrictions. With out-of-process enforcement, there is nothing for the agent to trick. The walls are part of the building, not part of the furniture.
NemoClaw vs OpenClaw vs NanoClaw
Three versions of the same idea exist now. Each targets a different audience.
| Dimension | OpenClaw | NanoClaw | NemoClaw |
|---|---|---|---|
| Codebase | ~500K lines, 70+ dependencies | ~500 lines core logic | Enterprise wrapper around OpenClaw |
| Security | Application-layer (API whitelists) | OS-level (Docker/Apple Container) | Kernel-level sandboxing + compliance |
| Integrations | 50+ native integrations | Core messaging apps only | Emerging enterprise suite |
| LLM Support | Multi-vendor (OpenAI, Anthropic, local) | Claude-optimized | Vendor-flexible, Nemotron-optimized |
| Target User | Platform engineering teams | Developers wanting simplicity | Security-conscious enterprises |
We worked with a startup that had three autonomous agents running code deployments. They used raw OpenClaw. One agent accidentally pushed to production without review. With NemoClaw’s zero-permission default and approval TUI, that could not happen.
The Nemotron 3 Super 120B Model
NemoClaw ships with Nemotron 3 Super 120B as its default model. This is not just another large language model. It was designed specifically for agentic workloads.
The architecture is hybrid. Mamba-Transformer MoE (Mixture of Experts). It has 120 billion total parameters. But only 12 billion are active at any time. This makes it fast and efficient.
The benchmarks are strong. On PinchBench (the standard for OpenClaw agent performance), it scores 85.6%. That is the highest among all open models. It processes 442 tokens per second. It supports context windows up to 1 million tokens.
For inference throughput, it delivers 2.2x more than GPT-OSS-120B and 7.5x more than Qwen3.5-122B at 8k input / 16k output.
| Benchmark | Nemotron 3 Super 120B | Notes |
|---|---|---|
| PinchBench | 85.6% | Highest among all open models |
| Terminal-Bench Hard | 29% | Complex terminal tasks |
| GDPval-AA (ELO) | 1,027 | Real-world agentic work tasks |
| DeepResearch Bench | No. 1 | Multi-step research across large documents |
| Tokens per second | 442 | High throughput for agent workloads |
| Max context window | 1M tokens | Outperforms GPT-OSS-120B at 1M on RULER |
The active parameter count is the key detail. Only 12 billion parameters are active at any time. This means you get 120B-quality reasoning at a fraction of the compute cost. For enterprises running dozens of agents, cost efficiency matters.
Use Cases
Autonomous Software Development
This is the primary use case. Agents that write, test, and deploy code. But safely. The sandbox prevents agents from accessing production databases or pushing code without approval.
One team we spoke with runs backend development agents that generate API endpoints. Before NemoClaw, they manually reviewed every file the agent touched. Now the filesystem isolation handles that automatically.
Cybersecurity Triaging
Security teams can deploy agents that analyze threats and respond autonomously. The agent investigates. It takes action within defined guardrails. It cannot escalate its own privileges. Cisco has already announced integration with their AI Defense platform and OpenShell.
Enterprise Workflow Automation
Companies like Adobe, Salesforce, SAP, and Cisco need hardened frameworks before deploying agents at scale. NemoClaw gives them the compliance layer. Audit trails. Policy enforcement. Credential isolation.
Cisco has already announced integration between their AI Defense platform and OpenShell. This means enterprises using Cisco security infrastructure can add NemoClaw agents with native policy integration. No separate security stack needed.
Multi-Agent Orchestration
Running multiple specialized agents with isolated environments. Each agent gets its own sandbox. Its own policies. Its own permissions. One agent’s compromise does not affect the others.
This matters when you have different agents for different tasks. A code-writing agent should not access customer data. A data analysis agent should not push to production. NemoClaw makes these boundaries explicit and enforceable. Not just suggested guidelines that agents can ignore.
Personal AI Assistants
Always-on agents that access your files, apps, and workflows. The privacy router keeps sensitive data on-device. Only non-sensitive requests go to cloud models.
We worked with a development team in Vietnam that built a personal assistant agent for a SaaS founder. The agent managed calendar, email, and Slack. The privacy router kept all personal data local. Only general knowledge queries went to cloud models. The founder never worried about sensitive conversations leaving the device.
Hardware Requirements
| Requirement | Minimum | Recommended |
|---|---|---|
| CPU | 4+ vCPUs | 8+ vCPUs |
| RAM | 8 GB | 16 GB |
| Disk | 20 GB | 40 GB |
| OS | Ubuntu 22.04 LTS | Ubuntu 22.04 LTS or later |
| Dependencies | Node.js 20+, npm 10+, Docker | Same |
| Sandbox image | ~2.4 GB compressed | ~2.4 GB compressed |
For dedicated hardware, Dell is the first OEM to ship a desktop built for NemoClaw. The Dell Pro Max with NVIDIA GB300 Grace Blackwell Ultra Desktop Superchip offers 20 petaFLOPS of FP4 performance. It has 748 GB of coherent memory. Pricing is not announced yet.
You can also try NemoClaw instantly on Brev, NVIDIA’s cloud development environment. No local setup needed.
Getting Started
NemoClaw requires Ubuntu 22.04 LTS or later, Node.js 20+, npm 10+, and Docker. Minimum hardware is 4 vCPUs and 8 GB RAM. NVIDIA recommends 16 GB RAM and 40 GB disk space.
Installation takes one command:
curl -fsSL https://nvidia.com/nemoclaw.sh | bash
Then run the setup wizard:
nemoclaw onboard
Key commands after setup:
nemoclaw <name> connectto access the sandbox shellnemoclaw <name> statusfor health checksnemoclaw <name> logs --followto stream logsopenshell termto monitor and approve access requests
You need an NVIDIA API key from build.nvidia.com for cloud inference. The sandbox image is about 2.4 GB compressed.
Where NemoClaw Fits in the NVIDIA Ecosystem
NVIDIA is building a full stack for agentic AI. NemoClaw is one piece of it.
- NVIDIA NeMo. Model training and customization platform.
- NVIDIA Nemotron. Foundation models (the brains).
- NVIDIA OpenShell. Security runtime (the walls). Open-sourced alongside NemoClaw.
- NVIDIA Agent Toolkit. Optimization tools for agent performance.
- NVIDIA AI-Q. Reasoning agent builder.
NemoClaw is hardware-agnostic. But it is optimized for NVIDIA GPUs. GeForce RTX, RTX PRO, DGX Spark, and DGX Station all get special treatment. If you are building with NVIDIA hardware, NemoClaw integrates natively. If not, it still works. You just miss GPU passthrough optimizations.
What to Watch
NemoClaw is in alpha. NVIDIA says to expect rough edges. But the direction is clear. Autonomous agents need security infrastructure. Not just application-level guardrails. Kernel-level isolation.
A few things to monitor:
- Production readiness. NemoClaw needs to move from alpha to stable. Timeline is not announced.
- Pricing for NVIDIA cloud inference. Nemotron API pricing through build.nvidia.com is not disclosed yet.
- Windows and macOS support. Right now, it is Ubuntu only. That limits adoption.
- Community growth. 4,600 stars and 20 contributors is a solid start. Enterprise adoption will depend on momentum.
We placed a full-stack developer with a fintech company in Singapore last month. They are already piloting NemoClaw for automated code review agents. The audit trail feature is what convinced their compliance team to approve the pilot.
Should You Use NemoClaw?
If you are already using OpenClaw, NemoClaw is the obvious next step for production. It adds security without changing how your agents work. Unmodified agents run inside OpenShell without code changes.
If you are evaluating autonomous agents for the first time, start with NemoClaw directly. Skip the phase where your agents have unrestricted access. You will sleep better.
If you need agents in a regulated industry, NemoClaw’s audit trails and policy-as-code approach make compliance conversations much easier.
The GTC 2026 “Build-a-Claw” event (March 17-19) showed how quickly people can get started. Attendees defined personality traits for their agents, granted specific tool access, and deployed functional assistants accessible via messaging apps. All within the NemoClaw security framework.
If your team is already using autonomous agents or planning to, NemoClaw deserves a serious look. The security gap between what agents can do and what enterprises allow them to do is the biggest bottleneck in agentic AI adoption. NemoClaw closes that gap.
Building AI-powered products and need developers who understand agent frameworks? Hire vetted remote AI developers with Second Talent to deploy secure, production-ready autonomous agents.
