~/blog/nemoclaw-what-it-is-why-it-exists

NemoClaw · part 1

[AI Agent] NemoClaw: What It Is, Why It Exists, and How It Works

2026-03-234 min read#nemoclaw#openclaw#openshell#ai-agent中文版

OpenClaw has been running as my personal AI agent on the local Mac for a while. Then at GTC 2026, NVIDIA announced NemoClaw — and at first it looked like the same thing with a different name. It isn't.

TL;DR

NemoClaw (v0.1.0, GTC 2026) bundles OpenClaw agent core + OpenShell security sandbox + NVIDIA Agent Toolkit into a single installable framework. The key addition is OpenShell: a policy enforcement layer that runs between the user and the agent, sandboxing file access and restricting tool execution. Without it, OpenClaw is a capable but permissive agent runtime. With it, OpenClaw becomes deployable in contexts where you can't trust the agent to self-limit.

What NemoClaw Actually Is

NemoClaw is a composition of three things:

  1. OpenClaw — the open-source AI agent framework. It handles the agent loop: tool calls, reasoning, memory, conversation context. If you've used it, it feels similar to LangGraph or AutoGen but with a focus on local/private inference.

  2. OpenShell — a security sandbox layer that sits in front of OpenClaw. It runs as a separate process (port 8080 by default) and intercepts all agent-initiated tool calls. File system access is scoped to /sandbox and /tmp. Commands that aren't in the policy allowlist are blocked before they reach the agent core.

  3. NVIDIA Agent Toolkit — a set of NVIDIA-maintained integrations and utilities: Nemotron model connectors, tool adapters, and onboarding scaffolding.

The short version: NemoClaw = OpenClaw + containment layer + NVIDIA batteries.

Why This Exists

OpenClaw was already open source before NemoClaw shipped. You could run it today without NemoClaw. So why does NemoClaw exist?

The honest answer is that OpenClaw alone has no security boundary. The agent can read files, execute shell commands, make network requests — bounded only by what tools you define for it. For personal use, this is fine. For anything where you'd hand the agent a real filesystem or let it act on behalf of someone else, it's a problem.

OpenShell is the answer to that problem. It enforces that the agent operates inside a defined perimeter. The sandbox restriction isn't just "we recommend you scope this" — it's enforced at the gateway level. The agent doesn't get to negotiate.

The NVIDIA Agent Toolkit wraps this in tooling that makes it easier to go from zero to a running, policy-enforced agent without writing the plumbing yourself.

So the real question NemoClaw answers isn't "how do I run an agent" — it's "how do I run an agent I can actually give to someone else."

Architecture: How It Works

The request flow through NemoClaw looks like this:

User / Client
    ↓
OpenShell Gateway  (port 8080)
    │  - policy enforcement
    │  - file access restriction (/sandbox, /tmp only)
    │  - tool allowlist
    ↓
OpenClaw Agent Core
    │  - agent loop
    │  - tool execution
    │  - context management
    ↓
Inference Backend
    │  - Nemotron (NVIDIA cloud, requires account)
    └─ or local vLLM endpoint (e.g., qwen3.5-35b on port 8000)

OpenShell is not optional scaffolding — it's the intended entry point. The NemoClaw CLI (nemoclaw onboard) configures both layers together. You're not meant to bypass it and talk to OpenClaw directly.

The inference backend is pluggable. NemoClaw defaults to Nemotron cloud endpoints (which do require a paid NVIDIA account), but the configuration accepts any OpenAI-compatible API endpoint. Running it against a local vLLM instance works, which is what I'll cover in the next part.

What Was Gained

What cost the most time: Separating OpenClaw from NemoClaw in documentation. NVIDIA's announcement materials treat them as one thing. The distinction only becomes clear when you ask "what does NemoClaw add that OpenClaw doesn't already have" — and the answer is entirely OpenShell.

Transferable diagnostic: When a tool is described as "built on X," the interesting question is always what the wrapper adds, not what it inherits. In NemoClaw's case, the wrapper is the entire security story. Strip it, and you're back to a general-purpose agent with no deployment boundary.

The pattern that applies everywhere: Open-source agent framework + containment layer is the recurring pattern for every agent tool trying to move from personal use to something you'd hand to someone else. NemoClaw isn't the first to do this, and the specific shape of OpenShell (gateway process, policy file, scoped filesystem) is worth noting as a reference point for anyone designing the same thing.

What's Next

Installation and first run on the GX10 are covered in Part 2 — including the actual bugs, and pointing NemoClaw at a local vLLM instance instead of the Nemotron cloud.

Also in this series: Part 2 — NemoClaw Onboard: Pointing It at Local vLLM Instead of Nemotron Cloud (coming soon)

← back to blog