NemoClaw Tames the 320k-Star OpenClaw Beast

NVIDIA's sandboxed runtime, declarative policies, and human-in-the-loop approvals turn viral autonomous agents into something you can actually run in production.

NVIDIA/NemoClaw · 8 min read

A massive energetic lobster representing OpenClaw bursts from a cracked eggshell. A precise thin net of policy lines immediately contains it while a calm human hand holds an approval stamp nearby. Small tags on the net read network and inference.
A wild OpenClaw agent meets its first policy net. The core tension of the project in one scene.
Key Takeaways

The Security Nightmare Everyone Ignored

OpenClaw exploded to over 320,000 GitHub stars in record time. Jensen Huang called it the operating system for personal AI and said every company now needs an OpenClaw strategy.

The project delivers persistent autonomous agents that code, browse, message, and evolve across sessions. Its viral success proved the hunger for always-on personal AI.

But the same unrestricted power created obvious risks. Agents with broad system access invited prompt injection, data exfiltration, and rogue behavior. Enterprises took one look and said no.

“OpenClaw opened the next frontier of AI to everyone and became the fastest-growing open source project in history. OpenClaw is the operating system for personal AI.”

— Jensen Huang, NVIDIA CEO, GTC 2026 keynote
An anthropomorphic claw or lobster agent sits at a desk reaching through an open window to grab files from outside. A shadowy figure watches from the side. One side of the image shows chaotic crosshatched freedom while the other hints at consequences.
The security risks that made enterprises wary of raw OpenClaw agents.

“With NVIDIA and the broader ecosystem, we’re building the claws and guardrails that let anyone create powerful, secure AI assistants.”

— Peter Steinberger, OpenClaw creator

One Curl, Many Layers of Defense

NemoClaw changes the equation with a single command.

curl -fsSL https://nvidia.com/nemoclaw.sh | bash

Behind that curl sits a carefully engineered stack. It installs the NVIDIA OpenShell runtime, creates a sandbox using Landlock, seccomp, and network namespaces, and routes inference through controlled channels.

A wide scene showing the NemoClaw installation process as a layered fortress. The curl command flows into OpenShell gateway, sandbox container, policy engine and inference router. Clean lines separate each defense layer.
The NemoClaw stack installs multiple layers of defense in one command.

Policy as Code for Agents

The heart of NemoClaw is its declarative YAML policy system. Presets cover common services including PyPI, npm, Slack, Jira, Discord, Telegram, Hugging Face and more.

Network and inference rules are hot-reloadable. Filesystem and process rules remain immutable for stronger guarantees. When an agent attempts an unlisted outbound connection, OpenShell blocks it and surfaces a terminal approval prompt.

Close-up of a human hand holding a pen hovering over a terminal screen displaying an outbound request to connect to an API. A taut thread connects the pen to an Approve button. Visible YAML policy snippet on screen.
The human-in-the-loop approval moment that makes strict sandboxing practical.

The Blueprint Pattern

NemoClaw separates concerns cleverly. A TypeScript CLI provides the user experience while a versioned, signed Python blueprint handles orchestration.

The blueprint follows a strict lifecycle: resolve the artifact, verify its digest, plan required resources, then apply the sandbox through OpenShell. This immutability for core rules combined with hot-reloading for dynamic policies creates a pragmatic balance.

How Different Is It Really?

Aspect Raw OpenClaw NemoClaw Typical Framework (LangGraph/CrewAI)
Sandboxing Basic Docker (optional) Landlock + seccomp + netns via OpenShell Usually none or minimal
Policy Model None Declarative YAML with presets Code-based or absent
Installation Complex setup Single curl command pip install + custom config
Inference Control Direct Routed through gateway with policy Direct API calls
Human Oversight None TUI approval for outbound requests Manual only
Target User Enthusiasts Production and enterprise Developers building workflows
Split composition. Left side shows a wild OpenClaw agent with tentacles reaching in all directions and chaotic lines. Right side shows the same agent contained within clean policy fences and approval checkpoints. Clear visual contrast between uncontrolled and governed.
Raw OpenClaw versus NemoClaw. The difference is visceral.

Inside the Sandbox

OpenShell acts as the fortified gateway. Every network request, file operation, process spawn, and inference call passes through policy checks. The TUI makes the approval process feel like a natural extension of the terminal workflow rather than a burdensome security tool.

Extensibility remains intact. The presets handle the common cases while custom policies let operators adapt the system to their environment.

An OpenShell gateway depicted as a fortified archway. An agent message approaches the gateway. Some messages route to a cloud icon while others trigger a TUI approval bubble. Clean lines show the flow of requests and decisions.
The OpenShell gateway intercepts and governs every outbound action.

NVIDIA's Bigger Bet

NemoClaw is not a competitor to OpenClaw. It is NVIDIA's reference implementation for making the phenomenon safe enough for real use. The collaboration with Peter Steinberger shows the project's community-first approach.

This mirrors NVIDIA's earlier playbook with PyTorch: contribute critical infrastructure to an open movement while advancing its own hardware and cloud offerings. Jensen Huang's enthusiastic framing at GTC positions claws as the next major computing platform.

Peter Steinberger

“OpenClaw brings people closer to AI and helps create a world where everyone has their own agents. With NVIDIA and the broader ecosystem, we’re building the claws and guardrails that let anyone create powerful, secure AI assistants.”

— Peter Steinberger, OpenClaw creator (steipete)