Frequently Asked Questions

Practical questions from engineers evaluating or deploying NemoClaw.

How is NemoClaw different from just running OpenClaw in Docker?
Standard Docker containers isolate the container from the host but don't understand agent behavior. A containerized OpenClaw can still make arbitrary network calls, send prompts to any API, and access any file within the container. NemoClaw adds agent-aware security on top: network egress is deny-by-default with an operator-managed allowlist, all inference calls are intercepted and routed through policy, filesystem access is restricted via Landlock (not just container boundaries), and dangerous system calls are filtered by seccomp. Docker gives process isolation; NemoClaw gives behavioral control.
Can the agent override or bypass NemoClaw's security policies?
No. This is the core design principle. Security policies are enforced outside the agent's execution environment -- at the OpenShell runtime level and the Linux kernel level (Landlock, seccomp, network namespaces). The agent has no mechanism to modify the policies that constrain it, even if it achieves arbitrary code execution within the sandbox. This is fundamentally different from prompt-level guardrails, which rely on the model "choosing" to comply.
Does NemoClaw work with agents other than OpenClaw?
NemoClaw is specifically built for OpenClaw. However, the underlying runtime (OpenShell) supports multiple agent types including Claude Code, Cursor, and Codex. If you use a different agent, use OpenShell directly rather than NemoClaw. NemoClaw's value is the pre-configured, opinionated deployment of OpenShell tailored to OpenClaw's specific needs.
What happens when the agent tries to access a blocked network endpoint?
The connection is blocked at the network namespace boundary, logged, and surfaced in the operator's terminal UI (accessible via openshell term). The operator can approve the endpoint for the current session. Session approvals persist until sandbox restart but do not modify the baseline YAML policy file, so the next restart reverts to the original allowlist.
Can I run NemoClaw without an NVIDIA GPU?
Yes. NemoClaw works on CPU-only machines by routing inference to cloud providers (NVIDIA Endpoints, OpenAI, Anthropic, Gemini). The GPU is only needed for local inference with Nemotron or other models via Ollama/vLLM. The sandbox isolation (filesystem, network, process) is purely CPU-based.
How does the privacy router decide where to send inference requests?
The privacy router follows policies you configure, not heuristics or AI-based classification. You define rules that specify which requests go to local models and which go to cloud providers. The routing decision is deterministic and auditable. In the simplest configuration, all requests go to a single provider.
Is NemoClaw production-ready?
No. NemoClaw is in alpha (early preview since March 16, 2026). APIs, configuration schemas, and runtime behavior are subject to breaking changes. NVIDIA explicitly states it should not be used in production. Use it for development, experimentation, and security model evaluation.
How much overhead does NemoClaw add?
The sandbox image is approximately 2.4 GB compressed. Memory overhead is roughly 500 MB to 1 GB on top of OpenClaw's base usage. Inference latency overhead is minimal for cloud providers (one extra hop through the gateway, typically sub-millisecond). Minimum requirements: 8 GB RAM, 20 GB disk.
How do I update policies without restarting the agent?
Network and inference policies are hot-reloadable. Edit the YAML policy file and apply changes using OpenShell's CLI. New policies take effect immediately. However, filesystem and process policies are locked at sandbox creation and require a full rebuild to change.
What is the relationship between NemoClaw and NeMo Guardrails?
They address different layers of AI safety. NeMo Guardrails operates at the prompt/response level -- controlling what an LLM says. NemoClaw operates at the infrastructure level -- controlling what an AI agent can do. Think of NeMo Guardrails as a content filter and NemoClaw as a security sandbox. They can be combined for defense in depth.
What happens if OpenShell crashes? Does the agent escape?
No. The sandbox is a container with kernel-level restrictions (Landlock, seccomp). If OpenShell crashes, the container continues running with restrictions intact -- the agent simply loses inference and approved network connections. If the container runtime crashes, the container stops. In no scenario does a crash remove kernel-level security boundaries.
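The kernel behaviour behind this answer, and behind the answer on bypassing policies, can be observed on any Linux host. The following is an added example, not NemoClaw or OpenShell code: the supervisor and agent are stand-in processes, uname is an arbitrary probe syscall, and the function names are hypothetical. It installs a seccomp filter in the agent process, kills the supervisor, and then checks from inside the agent that the filter still applies and that no_new_privs cannot be cleared.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stddef.h>
#include <unistd.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>

/* Deny uname(2), a harmless probe syscall, with EPERM (real filters also check arch). */
static int install_filter(void) {
    struct sock_filter f[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_uname, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = sizeof f / sizeof f[0], .filter = f };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* 1: restrictions held after supervisor death, 0: lifted, -1: seccomp unavailable. */
int restrictions_survive_supervisor_crash(void) {
    int p[2]; char r = 'u', buf[512]; pid_t sup;
    if (pipe(p) || (sup = fork()) < 0) return -1;
    if (sup == 0) {                           /* supervisor stand-in */
        pid_t me = getpid();
        if (fork() == 0) {                    /* agent stand-in */
            if (install_filter() == 0) {      /* applied before agent code runs */
                while (getppid() == me) usleep(1000);   /* wait for the crash */
                int denied = syscall(__NR_uname, buf) == -1 && errno == EPERM;
                int locked = prctl(PR_SET_NO_NEW_PRIVS, 0, 0, 0, 0) == -1;
                r = (denied && locked) ? 'y' : 'n';
            }
            _exit(write(p[1], &r, 1) != 1);   /* report the result to the caller */
        }
        raise(SIGKILL);                       /* simulated supervisor crash */
    }
    close(p[1]);
    waitpid(sup, NULL, 0);
    if (read(p[0], &r, 1) != 1) r = 'u';
    close(p[0]);
    return r == 'y' ? 1 : r == 'n' ? 0 : -1;
}

int main(void) { return restrictions_survive_supervisor_crash() == 1 ? 0 : 1; }
```

The filter is attached to the agent's own process by the kernel, so it has no dependency on the supervisor staying alive.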