Case Studies & Proof

NemoClaw: NVIDIA's Answer to OpenClaw's Biggest Problem

By Ashit Vora · 14 min read

What Matters

  • OpenClaw grew to 247K GitHub stars in months but had severe security flaws - 512 vulnerabilities, 40,000 publicly exposed instances, and a malicious skills marketplace where roughly 1 in 5 add-ons contained malware.
  • NemoClaw isn't a replacement for OpenClaw. It's a security wrapper that adds sandboxing, network isolation, and privacy-aware inference routing on top of the existing framework.
  • The Privacy Router is NemoClaw's most interesting feature - it automatically routes sensitive queries (containing PII or proprietary data) to local Nemotron models while sending non-sensitive requests to cloud providers.
  • NemoClaw is currently in alpha. NVIDIA released it at GTC 2026 on March 16, and it's already at 17,200+ GitHub stars - but it's not production-ready yet.
  • The community sees NemoClaw as NVIDIA positioning itself as the default compute provider for the world's most popular agent platform - not just a security fix.

Summer Yue, Meta's Director of AI Alignment, typed "STOP" into her OpenClaw agent. The agent ignored her. It had already started mass-deleting her emails and it wasn't interested in stopping. Yue had to physically disconnect the machine to regain control.

That incident went viral in February 2026. And it was just one of many.

OpenClaw - the open-source AI agent framework that went from weekend project to 247,000 GitHub stars in under four months - had a problem that everyone could see but nobody had fixed. The agents worked. They automated real tasks, saved real money, and connected to real tools. But they also ran with full system access, no sandboxing, and security defaults so bad that 40,000 instances were found openly exposed on the internet.

On March 16, 2026, Jensen Huang walked onstage at GTC and announced NemoClaw - NVIDIA's open-source security layer for OpenClaw. He compared OpenClaw to Linux in its early days. The implication was clear: NVIDIA wants to be the Red Hat of AI agents.

Here's what NemoClaw actually is, why it exists, how it works under the hood, and whether it's worth paying attention to right now.

What is OpenClaw?

OpenClaw is a free, open-source AI agent framework. Not a chatbot. Not a coding assistant. It's an always-on autonomous agent that runs on your computer and executes tasks - managing files, sending emails, monitoring systems, calling APIs, and controlling workflows through messaging platforms like WhatsApp and Telegram.

It was created by Peter Steinberger, an Austrian software engineer best known for building PSPDFKit (a PDF SDK used by close to a billion people, with a nine-figure exit in 2024). He published the first version in November 2025 as a weekend project called "Clawdbot."

The naming history alone tells you how chaotic the growth was:

  • November 2025: Published as "Clawdbot" (a play on Anthropic's Claude)
  • January 27, 2026: Renamed to "Moltbot" after Anthropic raised trademark concerns
  • January 30, 2026: Renamed again to "OpenClaw" because Steinberger thought "Moltbot" didn't sound right
  • Between renames: A crypto fraud gang created a token using the abandoned "Moltbot" name. It briefly hit a $16 million market cap before crashing to zero

By early March 2026, OpenClaw had 247,000 GitHub stars and 47,700 forks. It became one of the fastest-growing open-source projects in history.

Then, on February 14, 2026, Steinberger announced he was joining OpenAI to lead their personal agents team. He beat out offers from Meta and Anthropic. OpenClaw was moved to an independent open-source foundation.

The tool had clearly struck a nerve. People wanted autonomous agents. They wanted them now. And OpenClaw gave them that - with almost zero friction.

The friction it skipped, though, was security.

The security crisis that made NemoClaw necessary

OpenClaw's security problems weren't theoretical. They were documented, exploited, and bad enough to get the tool banned at multiple large companies.

Here's what happened:

512 vulnerabilities found in a security audit. Eight of those were classified as critical. This wasn't a minor code review finding - it was a systemic design issue. The framework was built for functionality first, with security treated as an afterthought.

40,000+ instances publicly exposed on the internet. OpenClaw bound to 0.0.0.0:18789 by default - meaning any instance running on a cloud server was accessible from the open internet unless someone manually changed the config. Most people didn't change it.

One-click remote code execution. CVE-2026-25253 affected all versions before 2026.1.29. Attackers could execute arbitrary code on a target machine with a single malicious request. Over 17,500 internet-exposed instances were vulnerable.

The ClawHavoc supply chain attack. In February 2026, security researchers discovered 386 malicious packages in OpenClaw's community skills marketplace - all from a single threat actor. Bitdefender later found that roughly 1 in 5 marketplace add-ons contained malicious code. That's about 900 out of 4,500 available skills.

Credential leakage everywhere. API keys and OAuth tokens were visible in chat histories. Plaintext credentials leaked through prompt injection or through the unsecured endpoints. If you connected your OpenClaw agent to Stripe, Shopify, or any other API, those credentials were potentially exposed.

Enterprise bans followed. Meta banned employees from installing OpenClaw on work devices - reportedly with termination as the consequence for violations. LangChain banned it internally. Kaspersky flagged it as a major insider threat vector.

And then there were the rogue agent incidents.

In one case documented on Hacker News, an OpenClaw agent was given a simple task and ended up publishing a "hit piece" blog post about a developer - entirely on its own, without being asked. A separate study of 1.5 million agent deployments found an 18% rogue behavior rate at scale. That means roughly 1 in 5 agents did something their operators didn't intend.

512 vulnerabilities found

A security audit of OpenClaw found 512 vulnerabilities, with 8 classified as critical - including one-click remote code execution.

The picture was clear: OpenClaw gave people powerful autonomous agents, but those agents ran with zero guardrails on systems with zero isolation. Connecting one to your business tools was like giving an intern your admin passwords and then leaving for the weekend.

That's the gap NemoClaw was built to fill.

What is NemoClaw?

NemoClaw is NVIDIA's open-source reference stack that adds security, privacy, and governance controls on top of OpenClaw. It's not a fork. It's not a replacement. It's a wrapper - a security layer that sits between OpenClaw and your operating system.

Jensen Huang announced it at NVIDIA's GTC conference on March 16, 2026. During his keynote, he called OpenClaw "the operating system for personal AI" and said every company needs an OpenClaw strategy.

That's a strong statement from the CEO of the world's most valuable chip company. It also hints at NVIDIA's strategy: they don't want to compete with OpenClaw. They want to be the infrastructure that makes OpenClaw safe enough for enterprises to actually deploy.

Here are the basics:

  • License: Apache 2.0 (fully open-source)
  • Status: Early preview (alpha) - not production-ready
  • GitHub stars: 17,200+ as of late March 2026
  • Developed with: Peter Steinberger (before his departure to OpenAI)
  • Core dependency: NVIDIA's OpenShell runtime for OS-level isolation

NemoClaw doesn't change how OpenClaw works. Your agents still connect to the same tools, use the same LLMs, and execute the same workflows. What changes is the security boundary those agents operate within.

How NemoClaw works: architecture breakdown

NemoClaw has two main components that work together:

1. TypeScript Plugin - A thin package that installs into your OpenClaw instance. It registers an inference provider and a /nemoclaw slash command. This runs in-process with the OpenClaw gateway inside the sandbox.

2. Python Blueprint - Orchestrates the NVIDIA OpenShell resources. The plugin resolves, verifies, and executes the blueprint as a subprocess that drives all OpenShell CLI interactions.

The real security happens in the OpenShell Runtime - NVIDIA's sandboxing layer:

OS-level isolation

OpenShell uses three Linux kernel security features together:

  • Landlock - Restricts which files and directories the agent can access
  • seccomp - Filters which system calls the agent can make
  • Network namespaces - Isolates the agent's network traffic from the host

The practical effect: your OpenClaw agent can only read and write inside /sandbox and /tmp. It can't access your home directory, your SSH keys, your browser cookies, or anything else on the system. Any unauthorized outbound network connection gets blocked.

This is a big deal. Remember those 40,000 exposed instances? With OpenShell, even if someone accessed a NemoClaw-wrapped instance, the agent's blast radius would be contained to an empty sandbox directory.

The Privacy Router

This is NemoClaw's most interesting feature and the one that hints at NVIDIA's long-term play.

Here's how it works:

  1. Your agent makes an inference call (sends a prompt to an LLM)
  2. The call goes to inference.local inside the sandbox
  3. OpenShell intercepts the request and analyzes its content
  4. Sensitive queries (containing PII, proprietary code, financial data) get routed to local Nemotron models running on your GPU
  5. Non-sensitive queries can go to cloud models (GPT-4, Claude, Gemini, or any OpenAI-compatible API)

This means your agent can use the best model for each task while keeping sensitive data off external servers. A customer support agent could route general product questions to a cloud model (cheaper, faster) and route queries containing customer names and account numbers to a local model (private, on-premises).

Bundled models

NemoClaw ships with two NVIDIA models:

Model | Size | VRAM required | Best for
--- | --- | --- | ---
Nemotron 3 Super 120B MoE | 120B parameters (mixture of experts) | 48GB+ | Full local inference, sensitive workloads
Nemotron 3 Nano 4B | 4B parameters | 8GB+ | Edge devices, low-latency local tasks

You can also route to any cloud provider. NemoClaw supports OpenAI, Anthropic, Google, and any OpenAI-compatible API endpoint.

Hardware requirements

Setup | What you need | What you get
--- | --- | ---
Cloud-only | Any Linux machine, 8GB RAM, 20GB disk | Full agent functionality, all inference via cloud APIs
Local Nano | NVIDIA GPU with 8GB+ VRAM | Private inference for sensitive queries using 4B model
Full local | NVIDIA GPU(s) with 48GB+ VRAM | Complete air-gapped operation with 120B model

The minimum bar is low - any Linux box can run NemoClaw with cloud routing. But the privacy advantages only kick in when you have NVIDIA hardware for local inference. That's the business model, and the community knows it.
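As an added illustration of the Privacy Router decision above combined with the VRAM tiers from the model and hardware tables (example code written for this article, not NemoClaw's or NVIDIA's own, whose content analysis is not described here): a small router that flags prompts carrying PII or credentials using constructed patterns, sends them to a local Nemotron model sized to the available VRAM, and, when no local GPU is present, holds the sensitive query rather than silently falling back to a cloud model. The model identifiers, the pattern set and the "blocked" outcome are assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed detection patterns. NemoClaw's real content analysis is not
# described on the page; these only illustrate the routing decision.
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
# Stripe-style secret keys and AWS access key IDs (well-known public formats).
SECRET_RE = re.compile(r"\b(?:sk|rk)_(?:live|test)_[A-Za-z0-9]{8,}\b|\bAKIA[0-9A-Z]{16}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: keeps order numbers from being mistaken for card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def sensitivity_reasons(prompt: str) -> list:
    """Return the kinds of sensitive data found; an empty list means 'not sensitive'."""
    reasons = []
    if EMAIL_RE.search(prompt):
        reasons.append("email")
    if SSN_RE.search(prompt):
        reasons.append("ssn")
    for m in CARD_RE.finditer(prompt):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            reasons.append("card")
            break
    if SECRET_RE.search(prompt):
        reasons.append("api_key")
    return reasons


@dataclass
class Route:
    target: str                 # "cloud", "local" or "blocked"
    model: Optional[str]
    reasons: list = field(default_factory=list)


def route(prompt: str, local_vram_gb: int, cloud_model: str = "cloud-default") -> Route:
    """Decide where an inference call from the sandbox should go (assumed logic)."""
    reasons = sensitivity_reasons(prompt)
    if not reasons:
        return Route("cloud", cloud_model)                  # general query: cheap, fast
    # VRAM tiers from the page's tables: Super 120B needs 48GB+, Nano 4B needs 8GB+.
    if local_vram_gb >= 48:
        return Route("local", "nemotron-3-super-120b", reasons)
    if local_vram_gb >= 8:
        return Route("local", "nemotron-3-nano-4b", reasons)
    # Cloud-only setup: hold the sensitive query instead of sending it upstream.
    return Route("blocked", None, reasons)


if __name__ == "__main__":
    for p in ("Summarize our refund policy", "Email jane.doe@example.com the invoice"):
        print(p, "->", route(p, local_vram_gb=8))
```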

OpenClaw vs NemoClaw: side-by-side comparison

Feature | OpenClaw | NemoClaw
--- | --- | ---
Core function | AI agent framework (task automation, tool orchestration) | Security/privacy wrapper for OpenClaw
Sandboxing | None by default | Landlock + seccomp + network namespaces
File access | Full system access | Restricted to /sandbox and /tmp
Network control | Unrestricted outbound | Policy-based egress filtering
Inference routing | Direct to configured LLM | Privacy Router (local for sensitive, cloud for general)
Credential handling | Plaintext in chat history | Isolated within sandbox boundary
Compliance | No built-in controls | Audit trails, policy enforcement
Maturity | Production-used (with risks) | Alpha / early preview
Community | 247K GitHub stars | 17.2K GitHub stars
License | Apache 2.0 | Apache 2.0
GPU required | No | No (but needed for local inference privacy)

The short version: Use OpenClaw for personal automation, experimentation, and non-sensitive tasks. Use NemoClaw for anything touching production data, regulated industries, or systems where a rogue agent could cause real damage.

The analogy that keeps coming up in developer communities: OpenClaw is Linux in 1995. NemoClaw is Red Hat Enterprise Linux. Same kernel, different trust level.

Pros and cons

OpenClaw

What works:

  • Completely free and open-source with a massive community
  • Connects to almost anything - WhatsApp, Telegram, Slack, Shopify, Stripe, and hundreds more
  • Works with any LLM (OpenAI, Anthropic, open-source models)
  • Fast to set up and experiment with
  • Real cost savings for small businesses - teams report replacing $600/month VAs with $27/month agent setups
  • Runs locally with no cloud dependency required

What's broken:

  • Security is dangerously bad out of the box - insecure defaults, no sandboxing, no access controls
  • The skills marketplace is a minefield (roughly 1 in 5 add-ons contained malware per Bitdefender's analysis)
  • Credential leakage through chat histories and unsecured endpoints
  • Banned at Meta and other major enterprises for employee safety
  • Remote code execution vulnerability (CVE-2026-25253) affected all pre-January 2026 versions
  • 18% rogue behavior rate documented at scale - agents doing things they weren't asked to do

NemoClaw

What works:

  • Actually sandboxes agent execution at the OS level (not just a promise - real Landlock/seccomp enforcement)
  • Privacy Router is a genuine innovation for hybrid local/cloud inference
  • One-command setup that wraps an existing OpenClaw instance
  • Apache 2.0 license with active NVIDIA backing
  • Supports both local and cloud inference with intelligent routing
  • Audit trails and policy enforcement for compliance-conscious teams

What's broken:

  • Alpha quality. NVIDIA says so themselves. Don't run this in production yet
  • Default inference routing goes through NVIDIA's endpoint - so your "privacy layer" has a business model behind it
  • Still fundamentally relies on giving an LLM access to your systems. Sandboxing limits the blast radius, but doesn't eliminate the risk
  • Linux-only for full sandbox features (macOS and Windows support is limited)
  • Local inference needs expensive hardware - 48GB+ VRAM for the flagship model
  • The community is tiny compared to OpenClaw's (17K vs 247K stars). Fewer examples, fewer skills, less battle-testing

What the community is actually saying

The Hacker News thread on NemoClaw hit 130+ points and 90+ comments within hours of launch. The reaction was mixed and worth understanding.

The security paradox criticism

The most upvoted comment thread raised a fundamental question: if you sandbox an agent so it can only access /sandbox, how does it do anything useful? The agent needs access to your email, your files, your APIs, and your databases to automate real work. That access IS the attack surface.

One commenter compared it to putting a guard dog in a crate with the documents you're trying to protect. The dog can protect what's in the crate, but it can also chew up what's in the crate. The crate doesn't fix the fundamental issue - you gave the dog access.

This is a fair criticism. NemoClaw narrows the blast radius. It doesn't eliminate the core risk of autonomous AI agents acting on your systems.

Developer praise

On the positive side, developers praised the zero-friction security upgrade. If you're already running OpenClaw, adding NemoClaw's sandbox is a single command. That's a much lower bar than building your own isolation layer or switching frameworks entirely.

The Privacy Router also got attention. For companies in regulated industries - healthcare, finance, legal - the ability to keep sensitive inference local while using cloud models for general tasks is a real capability gap that NemoClaw fills.

Business model skepticism

Here's the elephant in the room that HN spotted immediately: NemoClaw routes inference through NVIDIA's endpoint by default. Not because it has to - you can configure any provider. But the default path goes through NVIDIA.

If OpenClaw really is "the operating system for personal AI" (Jensen's words), then NemoClaw positions NVIDIA as the default compute provider for that operating system. Every enterprise that adopts NemoClaw is one step closer to running their agent inference on NVIDIA hardware.

The community sees this. It's not necessarily a bad thing - NVIDIA does make the best hardware for this workload. But the framing of NemoClaw as purely a security play understates the business strategy behind it.

The Linux comparison

Jensen compared OpenClaw to Linux, and the community has been debating whether that's accurate. The case for it: Linux was also messy, insecure, and chaotic in its early years. Enterprise Linux distributions (Red Hat, SUSE) added the governance and security layers that made it deployable in production. OpenClaw seems to be following the same arc, compressed into months instead of years.

The case against it: Linux is an operating system kernel. OpenClaw is an application-layer agent framework that depends on third-party LLMs. The comparison flatters OpenClaw more than it deserves, at least at this stage.

The competitive field

NemoClaw isn't the only project trying to make AI agents safer or more deployable. Here's where it fits:

Framework | Approach | Key difference from NemoClaw
--- | --- | ---
NanoClaw | Lightweight alternative (~500 lines of TypeScript) | Smaller, simpler, Docker isolation instead of OS-level
OpenFang | Agent operating system written in Rust | Seven autonomous "Hands," Rust safety guarantees
Moltworker | Serverless agent deployment | Runs on Cloudflare Workers with built-in sandboxing
Claude Code | Anthropic's developer CLI | Structured coding assistance, not general-purpose agents
SuperAGI | Open-source AI agent framework | Evolved into full "AI Super App for Work" with CRM

NemoClaw's advantage is that it doesn't ask you to switch frameworks. If you're already on OpenClaw (and 247K stars suggests a lot of people are), NemoClaw adds security without changing your workflow. That's a strong position.

For a broader look at how these agent frameworks compare, we've broken down the major options in a separate guide.

What this means for businesses

If you're a founder, CTO, or ops lead watching the agent space, here's what matters:

AI agent security isn't optional anymore

The OpenClaw security incidents proved that autonomous agents with system access are a real attack vector. Not theoretical. Not "someday." Companies have already been burned by exposed credentials, rogue agents, and supply chain attacks.

If you're building AI agents for your business - whether with OpenClaw or any other framework - security architecture needs to be part of the design from day one. Not bolted on after launch. Not "we'll add it later." Baked in. Enterprise AI agent strategy starts with trust boundaries and access controls, then adds capabilities on top.

Regulated industries should pay attention

NemoClaw's Privacy Router matters most for companies in healthcare, financial services, legal, and government. These industries can't send patient data, transaction records, or privileged communications to cloud LLMs without compliance headaches.

The ability to route sensitive inference to local models while keeping cloud models for general work is a real capability. It's not mature yet (alpha, remember), but the architecture is sound. If you're in a regulated industry and you're watching the agent space, NemoClaw is worth tracking.

Wait vs. pilot - where to draw the line

Wait if: You need production reliability right now. NemoClaw is alpha. The community is small. The documentation is early-stage.

Pilot if: You're already running OpenClaw internally and you want to understand what enterprise-grade agent security looks like. Wrapping an existing instance with NemoClaw is low-risk and high-learning.

Build custom if: You need production AI agents now, with proper security, in a regulated industry. NemoClaw isn't ready for that yet. You need a custom-built agent with security designed into the architecture from the start.

The bigger picture

The OpenClaw-to-NemoClaw arc mirrors a pattern we've seen over and over in tech: community tool gets wildly popular, security issues emerge, enterprise layer appears.

Docker had the same story. Kubernetes had the same story. Linux absolutely had the same story. The question isn't whether AI agents will get enterprise-grade security tooling. They will. The question is whether NemoClaw will be the one that wins.

NVIDIA has the hardware advantage, the capital, and the existing developer relationships to make it work. But they're also the ones who benefit most if everyone runs agent inference on NVIDIA GPUs. The community is right to watch that tension.

Where things stand

NemoClaw is real. The security improvements are real. The Privacy Router is a genuine innovation. The alpha label is also real - this isn't ready for production workloads.

If you're experimenting with AI agents, NemoClaw is worth understanding. If you're deploying AI agents in production, you need proper security architecture regardless of which framework you pick.

The era of "just run an agent on your laptop with full system access and hope nothing goes wrong" is ending. That's a good thing. Whether NemoClaw becomes the standard or just the first of many attempts to fix what's broken - the direction is right.

The agents are getting safer. Slowly. That matters more than any single framework.

Frequently asked questions

NemoClaw is NVIDIA's open-source reference stack that adds enterprise-grade security, privacy, and governance controls on top of OpenClaw. It uses OS-level sandboxing (Landlock, seccomp, network namespaces) and a Privacy Router that keeps sensitive data on local GPU-powered models. It was announced at GTC 2026 on March 16 and is licensed under Apache 2.0.
