Overview

NemoClaw is the OpenClaw plugin for NVIDIA OpenShell. It moves OpenClaw into a sandboxed environment where every network request, file access, and inference call is governed by declarative policy.

Capability	Description
Sandbox OpenClaw	Creates an OpenShell sandbox pre-configured for OpenClaw, with strict filesystem and network policies applied from the first boot.
Route inference	Configures OpenShell inference routing so agent traffic flows through cloud-hosted Nemotron 3 Super 120B via build.nvidia.com.
Manage the lifecycle	Handles blueprint versioning, digest verification, and sandbox setup.

Challenge

Autonomous AI agents like OpenClaw can make arbitrary network requests, access the host filesystem, and call any inference endpoint. Without guardrails, this creates security, cost, and compliance risks that grow as agents run unattended.

Benefits

NemoClaw provides the following benefits.

Benefit	Description
Sandboxed execution	Every agent runs inside an OpenShell sandbox with Landlock, seccomp, and network namespace isolation. No access is granted by default.
NVIDIA cloud inference	Agent traffic routes through cloud-hosted Nemotron 3 Super 120B via build.nvidia.com, transparent to the agent.
Declarative network policy	Egress rules are defined in YAML. Unknown hosts are blocked and surfaced to the operator for approval.
Single CLI	The nemoclaw command orchestrates the full stack: gateway, sandbox, inference provider, and network policy.
Blueprint lifecycle	Versioned blueprints handle sandbox creation, digest verification, and reproducible setup.

Use Cases

You can use NemoClaw for various use cases including the following.

Use Case	Description
Always-on assistant	Run an OpenClaw assistant with controlled network access and operator-approved egress.
Sandboxed testing	Test agent behavior in a locked-down environment before granting broader permissions.
Remote GPU deployment	Deploy a sandboxed agent to a remote GPU instance for persistent operation.

Next Steps

Explore the following pages to learn more about NemoClaw.

• How It Works to understand the key concepts behind NemoClaw.

• Quickstart to install NemoClaw and run your first agent.

• Switch Inference Providers to configure the inference provider.

• Approve or Deny Network Requests to manage egress approvals.

• Deploy to a Remote GPU Instance for persistent operation.

• Monitor Sandbox Activity to observe agent behavior.