The Building Blocks
NemoClaw is built from a small set of core abstractions, each addressing a specific aspect of secure AI agent deployment. Understanding these concepts is essential before diving into architecture or configuration.
The Sandbox
The sandbox is an isolated container environment where the OpenClaw agent (an autonomous AI assistant built by NVIDIA that can write code, execute tasks, and operate continuously) lives and operates. It is created from a hardened Docker image with strict filesystem, network, and process restrictions applied from first boot.
Think of a bank vault with a teller inside. The teller can do useful work -- answer questions, process requests, write code -- but the vault walls physically prevent them from accessing other vaults, walking into the back office, or leaving without going through the controlled entrance. Even if the teller decided to misbehave, the vault constrains what is possible.
Why it matters: Traditional AI agent deployments rely on the agent "choosing" not to do harmful things. NemoClaw's sandbox enforces restrictions at the operating system level using Landlock (a Linux Security Module that lets unprivileged processes restrict their own filesystem access; NemoClaw uses it to confine the agent to specific directories), seccomp (a Linux kernel feature that filters system calls, blocking dangerous operations like ptrace, mount, or reboot), and network namespaces. The kernel enforces these restrictions, so they cannot be bypassed from inside the sandbox no matter what the agent decides to do.
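The deny-by-default idea behind a seccomp filter can be sketched in a few lines. This is purely illustrative: real seccomp filters are BPF programs installed in the kernel via prctl()/seccomp() and cannot be bypassed by the filtered process, and the allowlist below is hypothetical, not NemoClaw's actual policy.

```python
# Illustrative model of a deny-by-default syscall filter. A real seccomp
# filter runs in the kernel; this just shows the decision logic.
ALLOWED_SYSCALLS = {"read", "write", "openat", "close", "mmap", "exit_group"}

def filter_syscall(name: str) -> str:
    """Return the action a deny-by-default filter would take for a syscall."""
    return "allow" if name in ALLOWED_SYSCALLS else "deny"
```

The key property is the default: anything not explicitly allowed is denied, so newly discovered dangerous syscalls are blocked without a policy update.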
The Blueprint
The blueprint is a versioned Python artifact containing the complete recipe for creating a NemoClaw sandbox: the Dockerfile, security policies, network configurations, and inference setup. The CLI plugin resolves, verifies, and executes the blueprint as a subprocess.
If the sandbox is a secure facility, the blueprint is the architectural plan and building code combined. It specifies exactly how the walls should be built, where the doors go, what locks to use, and what security systems to install. The blueprint has its own version number, so security improvements ship independently from the CLI tool.
Why it matters: Separating the blueprint from the CLI keeps the user-facing tool small and stable while allowing the security-critical sandbox definition to evolve rapidly on its own release cadence.
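One way a CLI can safely execute an independently versioned artifact is to pin an expected checksum per version and refuse anything that does not match. The registry shape and function names below are hypothetical, not NemoClaw's actual resolution mechanism; the digest shown is simply the SHA-256 of the bytes b"test" for demonstration.

```python
import hashlib

# Hypothetical pinned registry: blueprint version -> expected SHA-256 digest.
PINNED_DIGESTS = {
    "1.4.0": "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08",
}

def verify_blueprint(version: str, artifact: bytes) -> bool:
    """Accept a downloaded blueprint only if its digest matches the pin."""
    expected = PINNED_DIGESTS.get(version)
    if expected is None:
        return False  # unknown version: never execute unverified code
    return hashlib.sha256(artifact).hexdigest() == expected
```

Pinning by digest rather than by version string means a compromised download mirror cannot substitute a tampered blueprint.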
The Privacy Router
The privacy router is a component of OpenShell (NVIDIA's general-purpose agent security runtime providing sandboxing, policy enforcement, and privacy routing; NemoClaw is built on top of it) that intercepts every inference API call made by the agent and routes it to either a local model or a cloud-based model, based on policies you define rather than the agent's preferences.
Imagine a corporate mail room that inspects every outgoing letter. Sensitive documents get hand-delivered by a trusted courier (local inference), while routine correspondence goes through regular mail (cloud API). The mail room makes the routing decision based on company policy -- the letter writer has no say.
Why it matters: Without a privacy router, every prompt and context window gets sent to a cloud API, potentially leaking sensitive data. The privacy router lets you keep sensitive inference local while still accessing powerful frontier models for non-sensitive tasks.
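A routing decision of this kind can be as simple as matching the outgoing prompt against sensitivity rules. This sketch is illustrative only: the patterns, function name, and "local"/"cloud" labels are assumptions, and a production router would use richer signals (data classifications, per-tool rules, operator overrides) than regexes.

```python
import re

# Hypothetical policy: any prompt matching these patterns must stay local.
SENSITIVE_PATTERNS = [
    r"\b\d{3}-\d{2}-\d{4}\b",   # SSN-like numbers
    r"(?i)api[_-]?key",          # credential mentions
    r"(?i)password",
]

def route(prompt: str) -> str:
    """Send sensitive prompts to the local model, the rest to the cloud."""
    if any(re.search(p, prompt) for p in SENSITIVE_PATTERNS):
        return "local"
    return "cloud"
```

The point of the mail-room analogy holds here: the decision runs in the router, outside the agent's control, before any bytes leave the sandbox.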
Policy Enforcement Layers
NemoClaw enforces security through four distinct layers: network policies (controlling outbound connections), filesystem policies (restricting file access), process policies (preventing privilege escalation), and inference policies (routing model API calls).
Think of airport security with multiple checkpoints. The perimeter fence (network policy) controls who enters. The boarding pass check (filesystem policy) restricts which areas you access. Security screening (process policy) prevents prohibited items. The gate agent (inference policy) verifies you board the right plane. Each layer catches different threats.
Why it matters: No single security mechanism catches everything. By layering four independent enforcement mechanisms, NemoClaw creates defense in depth -- compromising one layer does not compromise the others.
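The "any layer can veto" structure of defense in depth can be expressed directly: a request is permitted only when every independent check passes. The field names and allowlists below are hypothetical, chosen to mirror the four layers described above.

```python
# Illustrative defense-in-depth gate: each layer inspects only its own
# concern, and a single failing layer blocks the request.
def network_ok(req):
    return req.get("host") in {"api.nvidia.com", "pypi.org"}

def filesystem_ok(req):
    return req.get("path", "").startswith(("/sandbox", "/tmp"))

def process_ok(req):
    return not req.get("wants_root", False)

def inference_ok(req):
    return req.get("provider") in {"local", "cloud"}

LAYERS = [network_ok, filesystem_ok, process_ok, inference_ok]

def allowed(req: dict) -> bool:
    return all(layer(req) for layer in LAYERS)
```

Because the layers share no state, a bug or bypass in one does not weaken the others.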
OpenShell Runtime
OpenShell is the NVIDIA Agent Toolkit runtime that sits between the agent and host infrastructure. It provides the sandbox container, policy engine, privacy router, and credential management. NemoClaw is a pre-configured deployment of OpenShell tailored for OpenClaw.
If NemoClaw is a turnkey security system for your home, OpenShell is the underlying smart-home platform. OpenShell provides the cameras, locks, alarm sensors, and control panel. NemoClaw configures them specifically for the OpenClaw use case -- which doors to lock, which cameras to activate, which alarms to set.
Why it matters: OpenShell works with multiple agent types (OpenClaw, Claude Code, Cursor, Codex). NemoClaw's value is the opinionated, pre-configured deployment that eliminates writing security policies from scratch.
Inference Providers
Inference providers are the backends that run language model inference. NemoClaw supports NVIDIA Endpoints (cloud-hosted APIs for running NVIDIA models like Nemotron, with pay-per-use pricing and enterprise SLAs), OpenAI, Anthropic, Google Gemini, and local providers like Ollama and vLLM.
Think of inference providers as different phone carriers. Your phone (agent) dials a number (sends a prompt), and the carrier (provider) connects the call (runs inference). NemoClaw is the corporate IT department that decides which carrier handles which calls based on cost, privacy, and capability policies.
Why it matters: Different tasks have different requirements. NemoClaw lets you define which provider handles which requests, and manages credentials so the agent never sees API keys directly.
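The credential-isolation idea can be sketched as a broker that holds the keys: the agent names a logical provider, and the broker attaches the secret on its side of the boundary. Everything here is hypothetical (the secret store, function name, and request shape are assumptions), and the key values are placeholders.

```python
# Illustrative credential broker. The secrets live outside the sandbox;
# the agent only ever supplies a provider name and a prompt.
SECRETS = {"nvidia": "nvapi-PLACEHOLDER", "openai": "sk-PLACEHOLDER"}

def build_request(provider: str, prompt: str) -> dict:
    """Attach the provider's API key broker-side; reject unknown providers."""
    key = SECRETS.get(provider)
    if key is None:
        raise ValueError(f"unknown provider: {provider}")
    return {
        "provider": provider,
        "headers": {"Authorization": f"Bearer {key}"},
        "body": {"prompt": prompt},
    }
```

Since the agent process never reads SECRETS, a compromised agent cannot exfiltrate keys; at worst it can make requests the policy layers already constrain.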
How They Fit Together
When you run nemoclaw onboard, the CLI plugin downloads and verifies the blueprint, which creates an OpenShell sandbox pre-configured for OpenClaw. Inside the sandbox, the agent runs with all four enforcement layers active: filesystem is restricted to /sandbox and /tmp, network egress is blocked except for an operator-defined allowlist, dangerous system calls are filtered, and all inference API calls are intercepted by the privacy router.
The agent operates freely within these boundaries -- it can write files, execute code, and reason about tasks -- but it cannot access data outside the sandbox, make unapproved network connections, escalate privileges, or choose where its inference calls go. The operator controls everything through YAML-based policy files that can be updated at runtime.
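To make the runtime-updatable policy concrete, here is a sketch of what such a policy might contain once parsed, plus a merge that applies an operator's patch without restarting the sandbox. The key names and structure are hypothetical, not NemoClaw's actual YAML schema.

```python
# Hypothetical shape of an operator policy after parsing (the real files
# are YAML; this dict stands in for the parsed result).
policy = {
    "network": {"egress_allowlist": ["api.nvidia.com"]},
    "filesystem": {"writable": ["/sandbox", "/tmp"]},
    "process": {"no_new_privs": True},
    "inference": {"default_provider": "local"},
}

def update_policy(active: dict, patch: dict) -> dict:
    """Merge a runtime patch over the active policy, section by section."""
    return {
        section: {**active.get(section, {}), **patch.get(section, {})}
        for section in {*active, *patch}
    }
```

Returning a new dict rather than mutating in place makes it easy to validate the merged policy before swapping it into the running enforcement layers.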