NemoClaw Security Best Practices: Controls, Risks, and Posture Profiles
NemoClaw ships with deny-by-default security controls across four layers: network, filesystem, process, and inference. You can tune every control, but each change shifts the risk profile. This page documents each configurable control, its default, what it protects, the concrete risk of relaxing it, and a recommendation for common use cases.
For background on how the layers fit together, refer to How It Works.
NemoClaw enforces security at four layers. NemoClaw locks some controls when it creates the sandbox and requires a restart to change them. You can hot-reload others while the sandbox runs.
The following diagram shows the default posture immediately after onboarding, before you approve any endpoints or apply any presets.
NemoClaw controls which hosts, ports, and HTTP methods the sandbox can reach, and lets operators approve or deny requests in real time. Network policy allowlists do not disable OpenShell's SSRF guard; see Customize the Network Policy for the interaction between egress rules and internal-address blocking.
The sandbox blocks all outbound connections unless you explicitly list the endpoint in the applicable baseline policy files.
Each network policy entry restricts which executables can reach the endpoint using the binaries field.
OpenShell identifies the calling binary by reading /proc/<pid>/exe (the kernel-trusted executable path, not argv[0]), walking the process tree for ancestor binaries, and computing a SHA256 hash of each binary on first use.
If someone replaces a binary while the sandbox runs, the hash mismatch immediately denies the request.
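As an added illustration (not OpenShell's own code) of the identification scheme just described, the following Python sketch resolves the caller through the kernel-maintained exe link, walks the process tree, and pins each binary's SHA256 on first use. The proc_root parameter, the BinaryPins store, and the allowed-binaries set are assumed shapes chosen so it can run against a constructed /proc tree as well as the real one.

```python
import hashlib
import os

# Added example (not NemoClaw/OpenShell code): resolve the caller's
# executable via /proc, walk its ancestry, and pin each binary's SHA256
# on first use so that a later swap of the file on disk is denied.

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def exe_of(pid, proc_root="/proc"):
    # /proc/<pid>/exe is maintained by the kernel; argv[0] is never consulted.
    return os.readlink(os.path.join(proc_root, str(pid), "exe"))

def ppid_of(pid, proc_root="/proc"):
    with open(os.path.join(proc_root, str(pid), "status")) as f:
        for line in f:
            if line.startswith("PPid:"):
                return int(line.split()[1])
    raise ValueError(f"no PPid entry for pid {pid}")

def ancestry(pid, proc_root="/proc"):
    # [(pid, exe_path), ...] from the calling process up to the tree root.
    chain = []
    while pid > 0:
        try:
            chain.append((pid, exe_of(pid, proc_root)))
            pid = ppid_of(pid, proc_root)
        except (FileNotFoundError, PermissionError):
            break  # process exited, or its parent is outside our view
    return chain

class BinaryPins:
    # Records each binary's hash on first use; a later mismatch fails.
    def __init__(self):
        self.pins = {}
    def verify(self, exe):
        digest = sha256_file(exe)
        return self.pins.setdefault(exe, digest) == digest

def egress_allowed(pid, allowed_binaries, pins, proc_root="/proc"):
    chain = ancestry(pid, proc_root)
    if not chain or chain[0][1] not in allowed_binaries:
        return False  # caller's executable is not in the rule's binaries list
    return all(pins.verify(exe) for _, exe in chain)  # pinned hash must hold
```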
Endpoint rules restrict allowed HTTP methods and URL paths.
All sandbox egress goes through OpenShell's CONNECT proxy.
The protocol field on an endpoint controls whether the proxy also inspects individual HTTP requests inside the tunnel.
When the agent reaches an unlisted endpoint, OpenShell blocks the request and prompts you in the TUI.
NemoClaw ships preset policy files in nemoclaw-blueprint/policies/presets/ for common integrations.
Recommendation: Apply presets only when the agent's task requires the integration. Review the preset's YAML file before applying to understand the endpoints, methods, and binary restrictions it adds.
NemoClaw restricts which paths the agent can read and write, protecting system binaries, configuration files, and gateway credentials.
The container mounts system directories read-only to prevent the agent from modifying binaries, libraries, or configuration files.
The /sandbox/.hermes directory contains Hermes runtime configuration, generated environment settings, logs, platform state, and durable database state.
NemoClaw writes config.yaml and .env during onboarding and rebuilds.
Direct edits to these files can be overwritten when NemoClaw regenerates the image.
Hermes also stores runtime state such as state.db, logs, and platform sessions under the .hermes tree.
Messaging sessions such as WhatsApp pairing can remain mutable by design so they survive rebuilds.
The agent has read-write access to /sandbox, /tmp, and /dev/null.
Landlock is a Linux Security Module that enforces filesystem access rules at the kernel level.
NemoClaw limits the capabilities, user privileges, and resource quotas available to processes inside the sandbox.
The entrypoint drops dangerous Linux capabilities from the bounding set at startup using capsh.
This limits what capabilities any child process (gateway, sandbox, agent) can ever acquire.
When the entrypoint switches from root to the sandbox and gateway users, it uses setpriv when available to remove the remaining privilege-separation capabilities from the child process at the same time as the user change.
The initial entrypoint drop removes cap_sys_admin, cap_sys_ptrace, cap_net_raw, cap_dac_override, cap_sys_chroot, cap_fsetid, cap_setfcap, cap_mknod, cap_audit_write, and cap_net_bind_service.
During setpriv step-down, the child process also loses cap_setuid, cap_setgid, cap_fowner, cap_chown, and cap_kill.
This behavior is best effort: if capsh is not available or CAP_SETPCAP is not in the bounding set, the entrypoint logs a warning and continues with the default capability set.
If setpriv is unavailable, the entrypoint falls back to gosu and logs a warning that the remaining bounding-set capabilities were retained for the child process.
To make the drop fail-closed instead of best-effort, set NEMOCLAW_REQUIRE_CAP_DROP=1 in the entrypoint environment.
The agent then refuses to start unless the agent process tree's bounding set is verified free of the dangerous capabilities, so it will not boot on a host whose bounding set still holds them, typically one that cannot perform the drop (no CAP_SETPCAP, or capsh missing) and was not given a clean bounding set by the container runtime.
This is opt-in because such hosts are common (many cloud VMs, Docker Desktop, WSL); leaving it unset preserves the best-effort default.
The check covers the agent process tree only; a nemohermes connect shell is spawned by the container runtime outside that tree and is not affected (tracked in NVIDIA/OpenShell#1452).
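Added example, not NemoClaw's entrypoint: decoding CapBnd from /proc/<pid>/status to see which of the capabilities listed above survived the drop, and applying the warn-or-refuse rule keyed on NEMOCLAW_REQUIRE_CAP_DROP. The function names and the return-value shapes are assumptions; the capability bit numbers are those of linux/capability.h.

```python
# Added example (not NemoClaw code): decode CapBnd from /proc/<pid>/status
# and apply the startup rule described above: warn and continue by default,
# refuse to start when NEMOCLAW_REQUIRE_CAP_DROP=1 and dangerous caps remain.

# Capability bit numbers as defined in linux/capability.h.
CAP_BITS = {
    "cap_chown": 0, "cap_dac_override": 1, "cap_fowner": 3, "cap_fsetid": 4,
    "cap_kill": 5, "cap_setgid": 6, "cap_setuid": 7, "cap_setpcap": 8,
    "cap_net_bind_service": 10, "cap_net_raw": 13, "cap_sys_chroot": 18,
    "cap_sys_ptrace": 19, "cap_sys_admin": 21, "cap_mknod": 27,
    "cap_audit_write": 29, "cap_setfcap": 31,
}

# Removed from the bounding set by the entrypoint's initial capsh drop.
ENTRYPOINT_DROP = ["cap_sys_admin", "cap_sys_ptrace", "cap_net_raw",
                   "cap_dac_override", "cap_sys_chroot", "cap_fsetid",
                   "cap_setfcap", "cap_mknod", "cap_audit_write",
                   "cap_net_bind_service"]
# Removed additionally during the setpriv step-down to the sandbox user.
STEPDOWN_DROP = ["cap_setuid", "cap_setgid", "cap_fowner", "cap_chown",
                 "cap_kill"]

def parse_capbnd(status_text):
    # CapBnd is a 64-bit hex mask, one bit per capability number.
    for line in status_text.splitlines():
        if line.startswith("CapBnd:"):
            return int(line.split()[1], 16)
    raise ValueError("CapBnd line not found in status text")

def retained(status_text, expected_gone):
    # Names from expected_gone that are still present in the bounding set.
    bnd = parse_capbnd(status_text)
    return [c for c in expected_gone if bnd & (1 << CAP_BITS[c])]

def startup_decision(status_text, require_cap_drop=False):
    # Returns (action, leftover): "start" when clean, otherwise "warn"
    # (best-effort default) or "refuse" (NEMOCLAW_REQUIRE_CAP_DROP=1).
    leftover = retained(status_text, ENTRYPOINT_DROP)
    if not leftover:
        return ("start", [])
    return ("refuse" if require_cap_drop else "warn", leftover)

def after_drop(bnd, names):
    # Simulate a drop: clear each named capability's bit in the mask.
    for c in names:
        bnd &= ~(1 << CAP_BITS[c])
    return bnd
```

Running startup_decision over the real file (open("/proc/self/status").read()) shows what a given container runtime actually left in place before any drop.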
The in-sandbox gateway runs as a separate gateway user, not as the sandbox user that runs the agent.
The no-new-privileges flag prevents processes from gaining additional privileges through setuid binaries or capability inheritance.
A process limit caps the number of processes the sandbox user can spawn.
The entrypoint sets both soft and hard limits using ulimit -u 512.
This behavior is best effort: if the container runtime restricts ulimit modification, the entrypoint logs a security warning and continues without the limit.
The sandbox runs agent processes as a dedicated sandbox user and group.
The entrypoint starts as root for privilege separation, then drops to the sandbox user for all agent commands.
The entrypoint locks the PATH environment variable to system directories, preventing the agent from injecting malicious binaries into command resolution.
The Dockerfile removes compilers and network probes from the runtime image.
The blueprint references the sandbox image by an immutable @sha256: digest instead of a mutable tag such as :latest.
A registry compromise or accidental force-push cannot silently swap the sandbox image.
The entrypoint and migration flows enforce chmod 600 on all auth-profiles.json files under ~/.openclaw.
This prevents other users on the host from reading stored credentials.
Hermes exposes an OpenAI-compatible API on the forwarded Hermes port and can optionally expose the native Hermes dashboard.
Do not publish those endpoints on shared or public networks unless you put them behind your own access controls.
NemoClaw still keeps provider credentials in OpenShell and routes model traffic through inference.local.
The CLI automatically redacts secret patterns (API keys, bearer tokens, provider credentials) from command output and error messages before logging them.
Hermes does not use the OpenClaw NemoClaw plugin memory scanner. Keep secrets in environment variables or OpenShell providers, and avoid writing raw credentials to Hermes state files or workspace content.
OpenShell routes all inference traffic through the gateway to isolate provider credentials from the sandbox.
The OpenShell gateway intercepts all inference requests from the agent and routes them to the configured provider. The agent never receives the provider API key.
Different inference providers have different trust and cost profiles.
Recommendation: For sensitive workloads, use local Ollama to keep data on-premise. For general use, NVIDIA Endpoints provide a good balance of capability and trust. Review the data policies of any cloud provider you use.
The NEMOCLAW_EXPERIMENTAL=1 environment variable gates local NVIDIA NIM and generic Linux managed vLLM install/start.
DGX Spark and DGX Station managed vLLM entries appear by default.
An already-running vLLM server on localhost:8000 also appears in the menu without a flag because selecting it is an explicit user action.
The following profiles describe how to configure NemoClaw for different use cases. These are not separate policy files. They provide guidance on which controls to keep tight or relax.
Use for always-on assistants with minimal external access.
Use when the agent needs package registries, Docker Hub, or broader GitHub access during development tasks.
pypi and npm presets for package installation.
openshell term.
Use when the agent talks to internal APIs or third-party services during testing.
protocol: rest for all HTTP APIs to maintain inspection.
The following patterns weaken security without providing meaningful benefit.