NemoClaw Security Controls, Risks, and Posture Profiles
NemoClaw ships with deny-by-default security controls across five layers: network, filesystem, process, gateway authentication, and inference. You can tune every control, but each change shifts the risk profile. This page documents each configurable control, its default, what it protects, the concrete risk of relaxing it, and a recommendation for common use cases.
For background on how the layers fit together, refer to How It Works.
OpenShell enforces the platform-level mechanisms that NemoClaw configures, including network namespace isolation, seccomp filters, SSRF protection, TLS termination, and gateway authentication. For the full platform-level controls reference, refer to OpenShell Security Best Practices.
Protection Layers at a Glance
NemoClaw enforces security at five layers. NemoClaw locks some controls when it creates the sandbox and requires a restart to change them. You can hot-reload others while the sandbox runs.
The following diagram shows the default posture immediately after onboarding, before you approve any endpoints or apply any presets.
Network Controls
NemoClaw controls which hosts, ports, and HTTP methods the sandbox can reach, and lets you approve or deny requests in real time. Network policy allowlists do not disable OpenShellโs SSRF guard, so internal-address blocking remains active even when an endpoint matches an egress rule.
OpenShell provides additional network enforcement mechanisms not covered here, including network namespace isolation, SSRF protection, TLS auto-detection and termination, and audit-vs-enforce modes. Refer to the Network Controls section of the OpenShell Security Best Practices.
Deny-by-Default Egress
The sandbox blocks all outbound connections unless you explicitly list the endpoint in the applicable baseline policy files.
Credential Discovery Boundaries
Credential probes are active network behavior, not harmless fallback checks. NemoClaw allows a credential source only in the process that is intended to hold those credentials and can reach that source.
Network policy remains a second enforcement layer, not a substitute for disabling an impossible credential provider. Adding support for a new metadata-backed source requires a separately designed broker and explicit credential-boundary review.
Deep Agents Managed Inference Credential Discovery
NemoClaw configures the managed dcode runtime with a generated OpenAI-compatible route through inference.local.
The sandbox receives a placeholder route key, not the upstream provider credential.
The managed launchers reject credential-shaped environment values and upstream auth files before Deep Agents Code starts, so provider discovery stays on the host-side OpenShell boundary.
If you need a new sandbox-direct credential source, design it as an explicit provider or MCP integration instead of placing secrets in /sandbox/.deepagents.
Binary-Scoped Endpoint Rules
Each network policy entry uses the binaries field to restrict which executables can reach the endpoint.
OpenShell identifies the calling binary by reading /proc/<pid>/exe (the kernel-trusted executable path, not argv[0]), walking the process tree for ancestor binaries, and computing a SHA256 hash of each binary on first use.
If someone replaces a binary while the sandbox runs, the hash mismatch immediately denies the request.
Path-Scoped HTTP Rules
Endpoint rules restrict allowed HTTP methods and URL paths.
L4-Only vs L7 Inspection (protocol Field)
All sandbox egress goes through OpenShellโs CONNECT proxy.
The protocol field on an endpoint controls whether the proxy also inspects individual HTTP requests inside the tunnel.
Operator Approval Flow
When the agent reaches an unlisted endpoint, OpenShell blocks the request and prompts you in the TUI.
Policy Presets
NemoClaw ships preset policy files in nemoclaw-blueprint/policies/presets/ for common integrations.
Apply presets only when the agentโs task requires the integration. Review the presetโs YAML file before applying to understand the endpoints, methods, and binary restrictions it adds.
Web Search Credential Rewriting
NemoClaw registers each selected web search credential in a sandbox-scoped OpenShell provider and writes a resolver placeholder into the agent configuration.
Deep Agents uses the NemoClaw-managed Tavily opt-in path.
The managed dcode launchers reject direct TAVILY_API_KEY injection, and the sandbox can reach api.tavily.com only after you apply the tavily preset and attach the tavily-search OpenShell provider.
Because OpenShell attributes these calls to the sandbox Python interpreter, the Tavily egress grant is process-wide for managed sandbox Python, not a dcode-only boundary.
OpenShell replaces these placeholders only when the request reaches the matching egress policy path.
The raw TAVILY_API_KEY is not written into the managed Deep Agents configuration.
The tavily preset restricts agent egress to the maintained Python and Node.js paths used by the supported agents.
Its exact curl paths are used only by onboardingโs post-create verifier.
Do not replace these paths with a broad /** binary rule.
Broader binary access would let unrelated sandbox processes send data to Tavily through the same allowed endpoint.
Filesystem Controls
NemoClaw restricts which paths the agent can read and write, protecting system binaries, configuration files, and gateway credentials.
OpenShell covers additional filesystem enforcement details, including hard_requirement compatibility mode for Landlock and policy path validation rules.
Refer to the Filesystem Controls section of the OpenShell Security Best Practices.
Read-Only System Paths
The container mounts system directories read-only to prevent the agent from modifying binaries, libraries, or configuration files.
Agent Config Directory
The /sandbox/.deepagents directory contains Deep Agents Code runtime state and NemoClaw-generated configuration.
NemoClaw writes config.toml during onboarding and rebuilds.
Direct edits to this file can be overwritten when NemoClaw regenerates the managed inference route.
The managed Deep Agents image deliberately omits raw provider and service credentials from generated configuration.
Credential-bearing files such as .deepagents/.env and user-authored .deepagents/.mcp.json are treated as user-managed files and are not included in NemoClaw snapshots.
The managed .deepagents/.nemoclaw-mcp.json projection contains OpenShell placeholders and is reconstructed from host-side registry state.
Writable Paths
The agent has read-write access to /sandbox, /tmp, /dev/null, and /dev/pts.
Landlock LSM Enforcement
Landlock is a Linux Security Module that enforces filesystem access rules at the kernel level.
Process Controls
NemoClaw limits the capabilities, user privileges, and resource quotas available to processes inside the sandbox.
OpenShell enforces additional process-level controls not covered here, including seccomp BPF socket domain filters and a specific enforcement application order (namespace entry, privilege drop, Landlock, seccomp). Refer to the Process Controls section of the OpenShell Security Best Practices.
Capability Drops
The entrypoint drops dangerous Linux capabilities from the bounding set at startup using capsh.
This limits what capabilities any child process (gateway, sandbox, agent) can ever acquire.
When the entrypoint switches from root to the sandbox and gateway users, it uses setpriv when available to remove the remaining privilege-separation capabilities from the child process at the same time as the user change.
The initial entrypoint drop removes cap_sys_admin, cap_sys_ptrace, cap_net_raw, cap_dac_override, cap_sys_chroot, cap_fsetid, cap_setfcap, cap_mknod, cap_audit_write, and cap_net_bind_service.
During setpriv step-down, the child process also loses cap_setuid, cap_setgid, cap_fowner, cap_chown, and cap_kill.
This behavior is best effort.
If capsh is not available or CAP_SETPCAP is not in the bounding set, the entrypoint logs a warning and continues with the default capability set.
If setpriv is unavailable, the entrypoint falls back to gosu and logs a warning that the remaining bounding-set capabilities were retained for the child process.
To make the drop fail-closed instead of best-effort, set NEMOCLAW_REQUIRE_CAP_DROP=1 in the entrypoint environment.
The agent then refuses to start unless it verifies that the agent process treeโs bounding set is free of dangerous capabilities.
It does not boot on a host whose bounding set still holds them, typically one that cannot perform the drop because CAP_SETPCAP or capsh is missing and the container runtime did not provide a clean bounding set.
This is opt-in because such hosts are common, including many cloud VMs, Docker Desktop, and WSL.
Leaving it unset preserves the best-effort default.
The check covers the agent process tree only.
The container runtime spawns a nemo-deepagents connect shell outside that tree, so the check does not affect it (tracked in NVIDIA/OpenShell#1452).
Gateway Process Isolation
Gateway and agent UID isolation depends on the container process topology.
A direct root-entrypoint container runs the gateway as the separate gateway user and the agent as the sandbox user.
An OpenShell-managed container has OpenShell as PID 1 and launches nonroot nemoclaw-start, so the supervisor, gateway, and agent all use the sandbox UID.
No New Privileges
The no-new-privileges flag prevents processes from gaining additional privileges through setuid binaries or capability inheritance.
Process Limit
A process limit caps the number of processes the sandbox user can spawn.
The entrypoint sets both soft and hard limits using ulimit -u 512.
This behavior is best effort.
If the container runtime restricts ulimit modification, the entrypoint logs a security warning and continues without the limit.
Open File Descriptor Limit
An open file descriptor limit caps the number of files, sockets, and pipes the sandbox user can hold open at once.
The entrypoint sets both soft and hard limits using ulimit -n 65536.
This behavior is best effort.
If the container runtime restricts ulimit modification, the entrypoint logs a security warning and continues without the limit.
Headless Deep Agents Approval Boundary
Interactive dcode sessions keep destructive tools behind the Deep Agents Code approval UI.
Headless dcode -n is an explicit automation boundary with no approval UI.
The managed headless path automatically approves non-shell tool requests such as file writes and edits, while still disabling shell execution, startup commands, interpreter tool calling, executable hooks, unmanaged MCP files, nested remote sandboxes, remote async subagents, and alternate model routes.
Non-Root User
The sandbox runs agent processes as a dedicated sandbox user and group.
The entrypoint starts as root for privilege separation, then drops to the sandbox user for all agent commands.
PATH Hardening
The entrypoint locks the PATH environment variable to system directories, preventing the agent from injecting malicious binaries into command resolution.
Build Toolchain Removal
The Dockerfile removes compilers and network probes from the runtime image.
Image Digest Pinning
The blueprint references the sandbox image by an immutable @sha256: digest instead of a mutable tag such as :latest.
A registry compromise or accidental force-push cannot silently swap the sandbox image.
Gateway Authentication Controls
CLI Secret Redaction
The CLI automatically redacts secret patterns (API keys, bearer tokens, provider credentials) from command output and error messages before logging them.
Memory Secret Scanner
Deep Agents does not use the OpenClaw NemoClaw plugin memory scanner.
The managed dcode launchers reject credential-shaped environment values and upstream auth files before startup, but Deep Agents memory and skill files remain user-authored content.
Keep secrets in OpenShell providers and avoid writing raw credentials to /sandbox/.deepagents, project .deepagents/, or skill files.
Inference Controls
OpenShell routes all inference traffic through the gateway to isolate provider credentials from the sandbox.
Routed Inference through inference.local
The OpenShell gateway intercepts all inference requests from the agent and routes them to the configured provider. The agent never receives the provider API key.
Provider Trust Tiers
Different inference providers have different trust and cost profiles.
For sensitive workloads, use local Ollama to keep data on-premise. For general use, NVIDIA Endpoints provide a balance of capability and trust. Review the data policies of any cloud provider you use.
Experimental Providers
The NEMOCLAW_EXPERIMENTAL=1 environment variable gates local NVIDIA NIM and generic Linux managed vLLM install/start.
DGX Spark and DGX Station managed vLLM entries appear by default.
An already-running vLLM server on localhost:8000 also appears in the menu without a flag because selecting it is an explicit user action.
Posture Profiles
The following profiles describe how to configure NemoClaw for different use cases. These are not separate policy files. They provide guidance on which controls to keep tight or relax.
Locked-Down (Default)
Use for always-on assistants with minimal external access.
- Keep all defaults and do not add presets.
- Use operator approval for any endpoint the agent requests.
- Use NVIDIA Endpoints or local Ollama for inference.
- Monitor the TUI for unexpected network requests.
Development
Use when the agent needs package registries, Docker Hub, or broader GitHub access during development tasks.
- Apply the
pypiandnpmpresets for package installation. - Keep binary restrictions on all presets.
- Review the agentโs network activity periodically with
openshell term. - Use operator approval for any endpoint not covered by a preset.
Integration Testing
Use when the agent talks to internal APIs or third-party services during testing.
- Add custom endpoint entries with tight path and method restrictions.
- Use
protocol: restfor all HTTP APIs to maintain inspection. - Use operator approval for unknown endpoints during test runs.
- Review and clean up the baseline policy after testing by removing endpoints that are no longer needed.
Common Mistakes
The following patterns weaken security without providing meaningful benefit.
Known Limitations
Related Topics
- Network Policies for the full Deep Agents baseline policy reference.
- Credential Storage for provider and managed MCP credential handling.
- Workspace Files for Deep Agents state and credential-bearing file exclusions.
- Set Up MCP Servers for managed MCP credential replacement.
- Inference Options for provider configuration details.
- How It Works for the protection layer architecture.
- OpenShell Security Best Practices for the platform-level controls reference, including network namespace isolation, seccomp filters, SSRF protection, TLS termination, and gateway authentication.