For AI agents: a documentation index is available at the root level at /llms.txt and /llms-full.txt. Append /llms.txt to any URL for a page-level index, or .md for the markdown version of any page.
  • About NemoClaw
    • Overview
    • Architecture Overview
    • Ecosystem
    • Release Notes
  • Get Started
    • Prerequisites
    • Quickstart with OpenClaw
    • Quickstart with Hermes
  • Inference
    • Inference Options
    • Use Local Inference
    • Tool-Calling Reliability
    • Switch Inference Providers
    • Set Up Task-Specific Sub-Agents
  • Manage Sandboxes
    • Manage Sandbox Lifecycle
    • Runtime Controls
    • Set Up Messaging Channels
    • Workspace Files
    • Backup and Restore
  • Network Policy
    • Approve or Deny Network Requests
    • Customize the Network Policy
    • Integration Policy Examples
  • Deployment
    • Deploy to Remote GPU Instances
    • Brev Web UI
    • Install OpenClaw Plugins
    • Sandbox Hardening
  • Monitoring
    • Monitor Sandbox Activity
  • Security
    • Security Best Practices
    • Credential Storage
    • OpenClaw Controls
  • Reference
    • Architecture Details
    • Commands
    • CLI Selection Guide
    • Network Policies
    • Troubleshooting
  • Resources
    • Agent Skills
    • Report Vulnerabilities
    • License
    • Discord
NVIDIANVIDIA
Developer-friendly docs for your API
Privacy Policy | Your Privacy Choices | Terms of Service | Accessibility | Corporate Policies | Product Security | Contact

Copyright © 2026, NVIDIA Corporation.

LogoLogoNemoClaw
On this page
  • Prompt Injection Detection and Prevention
  • Tool Access Control and Policy Pipeline
  • Authentication Rate Limiting and Flood Protection
  • Environment Variable Security Policy
  • Security Audit Framework
  • Skill and Extension Supply Chain Scanning
  • DM and Group Messaging Access Policy
  • Context Visibility and Output Controls
  • Safe Regex (ReDoS Prevention)
  • Next Steps
Security

OpenClaw Security Controls Beyond NemoClaw's Scope

||View as Markdown|
Previous

Credential Storage

Next

Architecture Details

NemoClaw provides infrastructure-layer security through sandbox isolation, network policy, filesystem restrictions, SSRF validation, and credential handling. It delegates all application-layer security to OpenClaw. This page documents areas where NemoClaw adds no independent protection beyond what OpenClaw already provides.

The details below reflect the OpenClaw documentation at the time of writing. Consult the OpenClaw Security docs for the current state.

Prompt Injection Detection and Prevention

OpenClaw detects and neutralizes prompt injection attempts before they reach the agent.

ControlDetail
Regex detectionPattern matching detects common injection vectors such as “ignore all previous instructions” and <system> tag spoofing
Boundary wrappingUntrusted input is wrapped in randomized XML boundary markers
Unicode foldingHomoglyph folding normalizes bracket variants to prevent visual spoofing
Invisible character strippingZero-width invisible characters are removed from input
Boundary sanitizationFake boundary markers are sanitized to prevent marker injection
Auto-wrappingWeb fetch and search results are automatically wrapped as untrusted external content

Tool Access Control and Policy Pipeline

OpenClaw enforces a multi-layer tool policy pipeline that gates every tool call.

ControlDetail
Deny listHigh-risk tools (exec, spawn, shell, fs_write, fs_delete, and others) are blocked from Gateway HTTP by default
Policy pipelineMulti-layer pipeline evaluates tool calls through profile, provider, agent, sandbox, and per-provider policies
Fail-closed semanticsTool call hooks block execution on any error
Loop detectionOptional guard detects and blocks repeated identical tool call patterns (disabled by default, opt-in via tools.loopDetection.enabled)
Plugin approvalApproval workflow defaults to deny on timeout

Authentication Rate Limiting and Flood Protection

OpenClaw rate-limits authentication attempts and guards against connection floods.

ControlDetail
Auth rate limiterSliding-window rate limiter tracks failed authentication attempts per IP and per scope
Control plane limiterPer-device write rate limiting for control plane operations
WebSocket flood guardCloses connections after repeated unauthorized attempts
Pre-auth budgetLimits connections before authentication completes

Environment Variable Security Policy

OpenClaw blocks environment variables that could enable code injection, privilege escalation, or credential theft.

CategoryDetail
Always-blocked keysKeys such as NODE_OPTIONS, LD_PRELOAD, shell injection vectors, crypto mining variables, and GIT_* hijacking paths
Override-blocked keysAdditional keys blocked unless explicitly overridden
Blocked prefixesPrefixes such as GIT_CONFIG_, NPM_CONFIG_, CARGO_REGISTRIES_, TF_VAR_
Universal blocked prefixesDYLD_, LD_, BASH_FUNC_

Security Audit Framework

OpenClaw runs automated security checks (50+ distinct check types) that cover configuration, credential handling, and sandbox posture. Run openclaw security audit to see all findings for your deployment.

These checks include:

  • Synced-folder leak detection.
  • Plaintext secrets in configuration files.
  • Hooks hardening verification.
  • Gateway no-auth detection.
  • Sandbox misconfiguration scanning.
  • Weak-model susceptibility assessment.
  • Multi-user exposure matrix.
  • Node command policy validation.
  • Dangerous config flag scanning (allowInsecureAuth, dangerouslyDisableDeviceAuth, and similar flags).

Skill and Extension Supply Chain Scanning

OpenClaw scans skills and extensions with a built-in static analysis scanner before installation. Critical findings block installation by default.

The scanner checks for patterns including:

  • Direct process execution calls.
  • Dynamic code execution (eval, new Function, and similar constructs).
  • Cryptocurrency mining patterns.
  • Unexpected network activity.
  • Potential data exfiltration (file read combined with network calls).
  • Obfuscated code.
  • Environment variable harvesting combined with network calls.

DM and Group Messaging Access Policy

OpenClaw controls who can interact with the agent through direct messages and group channels.

ControlDetail
DM policy modes4 modes: open, disabled, pairing, allowlist
Group policiesPer-group access rules
Per-sender authorizationIndividual sender gating
Command authorizationCommand-level access control
Multi-user detectionHeuristic that detects multi-user scenarios

Context Visibility and Output Controls

OpenClaw restricts what supplemental context the agent can see and how it can modify outputs.

ControlDetail
Mode-based restrictionsLimits visibility of history, threads, quotes, and forwarded messages based on the active mode
Sender-based restrictionsLimits visibility based on who sent the message
Plugin output hooksPlugin hooks intercept and modify tool results before they reach the user

Safe Regex (ReDoS Prevention)

OpenClaw includes safe regex compilation to prevent Regular Expression Denial of Service (ReDoS) attacks. The implementation detects unsafe nested quantifiers, bounds input length, and caches results.

Next Steps

  • Security Best Practices for NemoClaw’s own security controls and risk framework.
  • Credential Storage for how NemoClaw stores and protects provider credentials.