
NVIDIA NemoClaw runs OpenClaw inside a secure sandbox and setup takes one command


Earlier this year OpenClaw became the most starred project on GitHub faster than anything before it. Developers loved it. Companies started deploying it. Then a senior AI safety researcher at Meta let it run on her machine and it deleted her emails. A security researcher hijacked a running instance in under two hours.

Enterprises wanted AI agents. They just did not want ones they could not control.

NVIDIA’s answer to that is NemoClaw. One curl command and you have OpenClaw running inside a sandbox where it cannot touch your files, cannot make unauthorized network calls, and cannot escalate privileges without your approval.

What NemoClaw actually is

NemoClaw is an open source reference stack built by NVIDIA that runs OpenClaw inside a secure sandboxed environment. Think of it as a controlled container where your AI agent can work freely without being able to touch anything it should not.

It is not a replacement for OpenClaw. It is a secure wrapper around it. When you install NemoClaw it actually creates a fresh OpenClaw instance inside the sandbox automatically. The agent still does everything OpenClaw does. It just cannot go rogue while doing it.

NVIDIA released it on March 16 as an early alpha preview under the Apache 2.0 license. It is not production ready yet and NVIDIA is upfront about that. Interfaces and APIs may change as they iterate. But it is available now for developers and enterprises who want to start experimenting with safe agent deployment.

What makes it different from just running OpenClaw directly

Running OpenClaw directly means trusting the agent completely. It can read your files, make network requests, install things, cross into systems it probably should not touch. That is exactly what happened at Meta.

NemoClaw puts three walls around that.

The first is network control. Every outbound connection the agent tries to make is blocked by default unless you have explicitly allowed it. If the agent tries to reach an unlisted host, OpenShell blocks the request and surfaces it in the interface for you to approve or deny in real time. You see exactly what your agent is trying to connect to before it connects.

The second is filesystem isolation. The agent only has access to the sandbox and tmp directories. Everything else on your machine is locked. It cannot read your documents, cannot touch your code outside the sandbox, cannot access anything you have not deliberately placed inside its reach.

The third is process protection. Privilege escalation is blocked. Dangerous system calls are blocked. The agent cannot quietly give itself more permissions than it started with.

What makes this genuinely useful is that all three layers are declarative. You define the policy in a YAML file. You can update network rules while the sandbox is running without restarting anything. You are in control of exactly what the agent can and cannot do at all times. That is the thing OpenClaw never had.

What you actually get when you install it

Before you install, check your hardware. You need at least 4 vCPU, 8GB RAM and 20GB free disk space. NVIDIA recommends 16GB RAM and 40GB disk for comfortable use. The sandbox image alone is around 2.4GB compressed and during setup Docker, k3s and the OpenShell gateway all run simultaneously, so machines with less than 8GB RAM can run into memory issues.

For software you need Linux Ubuntu 22.04 or later, Node.js 20 or later, npm 10 or later and Docker installed and running. On macOS Apple Silicon, Colima and Docker Desktop are the recommended runtimes. Windows WSL users need Docker Desktop with WSL backend. Podman on macOS is not supported yet.

Once installed you get a running sandbox environment with a fresh OpenClaw instance inside it, the OpenShell gateway managing all security policies, and NVIDIA’s Nemotron model connected via the NVIDIA Endpoint API. You will need a free NVIDIA API key from NVIDIA, which the installer prompts you for during setup.

After setup your terminal confirms everything is running with a summary showing your sandbox name, the model connected and the commands to get started.

How to get it running

This one is genuinely simple compared to most open source setups. If you are comfortable with a terminal you will be up and running in minutes.

Before you start, make sure you have:

  • Linux Ubuntu 22.04 or later, macOS Apple Silicon, or Windows WSL with Docker Desktop
  • Node.js 20 or later
  • npm 10 or later
  • Docker installed and running
  • A free NVIDIA API key. Get this before you start; the installer will ask for it
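
The minimums listed above can be checked before running the installer. The script below is an added example, not part of NemoClaw or its installer; the thresholds are the ones this article states, the function names are hypothetical, and the RAM check reads /proc/meminfo, so it assumes Linux or WSL.

```shell
#!/usr/bin/env bash
# Added example: preflight for the minimums this article lists (Linux/WSL).
# Thresholds are the article's; function names are hypothetical.
MIN_VCPU=4 MIN_RAM_GB=8 MIN_DISK_GB=20 MIN_NODE=20 MIN_NPM=10

# major_of "v20.11.1" prints 20; empty or non-numeric input prints 0,
# so a missing binary fails the check instead of breaking the comparison.
major_of() {
  local v="${1#v}"
  v="${v%%.*}"
  case "$v" in
    ''|*[!0-9]*) echo 0 ;;
    *) echo "$v" ;;
  esac
}

# check NAME ACTUAL MINIMUM: prints one result line, returns 1 when too low.
check() {
  if [ "$2" -ge "$3" ]; then
    printf 'ok    %-6s %s (min %s)\n' "$1" "$2" "$3"
  else
    printf 'FAIL  %-6s %s (min %s)\n' "$1" "$2" "$3"
    return 1
  fi
}

# preflight [DIR]: DIR is where the sandbox image will be stored (default $HOME).
# Returns the number of failed checks.
preflight() {
  local fails=0 vcpu ram_gb disk_gb
  vcpu=$(getconf _NPROCESSORS_ONLN 2>/dev/null || echo 0)
  # MemTotal is in kB and sits below the nominal size (an "8GB" host reports
  # roughly 7.6 GiB), so round to the nearest GiB rather than truncating.
  ram_gb=$(awk '/^MemTotal:/ {printf "%d", ($2 + 524288) / 1048576}' /proc/meminfo 2>/dev/null)
  # Column 4 of POSIX df output is available space in kB.
  disk_gb=$(df -Pk "${1:-$HOME}" 2>/dev/null | awk 'NR==2 {printf "%d", $4 / 1048576}')
  check vcpu "${vcpu:-0}" "$MIN_VCPU" || fails=$((fails + 1))
  check ram "${ram_gb:-0}" "$MIN_RAM_GB" || fails=$((fails + 1))
  check disk "${disk_gb:-0}" "$MIN_DISK_GB" || fails=$((fails + 1))
  check node "$(major_of "$(node --version 2>/dev/null)")" "$MIN_NODE" || fails=$((fails + 1))
  check npm "$(major_of "$(npm --version 2>/dev/null)")" "$MIN_NPM" || fails=$((fails + 1))
  if docker info >/dev/null 2>&1; then
    echo 'ok    docker daemon reachable'
  else
    echo 'FAIL  docker not installed or daemon not running'
    fails=$((fails + 1))
  fi
  return "$fails"
}

# Run the checks only when asked, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then preflight "${2:-$HOME}"; fi
```

Run it with `--run` as the first argument; the exit status is the number of failed checks, so 0 means every stated minimum is met.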

Step 1: Install NemoClaw

curl -fsSL https://www.nvidia.com/nemoclaw.sh | bash

Get your NVIDIA API key before Step 2. It is free from NVIDIA. The onboard wizard asks for it and you cannot complete setup without it.

Step 2: Run the onboard wizard

nemoclaw onboard

This is where everything gets configured. Sandbox creation, inference setup, security policies and API key entry all happen here.

Step 3: Connect to your sandbox

nemoclaw my-assistant connect

This drops you into the sandbox shell where your OpenClaw agent is running.

Step 4: Start the agent

For interactive chat open the TUI:

openclaw tui

For a quick single message test:

openclaw agent --agent main --local -m "hello" --session-id test

If something goes wrong:

nemoclaw my-assistant status
openshell sandbox list

Those two commands tell you exactly what is happening at both the NemoClaw and OpenShell level.

To uninstall completely:

curl -fsSL https://raw.githubusercontent.com/NVIDIA/NemoClaw/refs/heads/main/uninstall.sh | bash

Should you install it today

NemoClaw is alpha software. NVIDIA says it plainly and they mean it. Do not run this in production.

But if you are a developer curious about safe agent deployment, install it today. The one command setup works, the sandbox is real and getting comfortable with this before it matures is worth your time.

Enterprises evaluating AI agents should watch this closely. The security model is exactly what the industry has been asking for. Just wait for a stable release before committing.
