Skip to main content
What this unit solvesNemoClaw is an open-source reference stack released by NVIDIA in March 2026. It runs always-on AI agents (OpenClaw, Hermes) inside an OpenShell sandbox. Rather than reinventing an agent framework, it provides a CLI onboarding flow, YAML blueprints, SSRF validation, network policies, and managed inference — all of which transform an existing agent into a persistent service that an enterprise operations team can actually trust. This unit dissects NemoClaw from six angles: origins, core technology, system structure, configuration files, security, and design lessons, and positions it against 05-1, 05-2, and 05-4.

Learning objectives

  • Explain where NemoClaw sits in the stack (not another agent framework — it is the hardening layer above OpenClaw/Hermes)
  • Describe the three-layer architecture: OpenShell sandbox, NemoClaw CLI/Blueprint, and the OpenClaw or Hermes agent inside
  • State the responsibilities of blueprint.yaml, policies/, and model-specific-setup/
  • List NemoClaw’s four security guardrails (network policies, credential sanitization, SSRF validation, Docker capability drops) and the attack surface each addresses
  • Evaluate the trade-offs of running your own agent inside NemoClaw

1. Origins and positioning

  • Release date: 2026-03-16, open-sourced by NVIDIA at GTC 2026, Apache 2.0 license (as of 2026-06)
  • Why it exists: always-on agents (persistent connections, message-triggered) introduce new enterprise attack surfaces: prompt injection coercing the agent to call external APIs, dependency upgrades smuggling backdoors, container escapes, and credentials leaking through error messages. NemoClaw provides a hardening template that keeps full agentic capability while satisfying an ops team
  • Relationship with 05-1 (OpenClaw) and 05-2 (Hermes-Agent): wraps both, does not replace either. Without an agent running inside it, NemoClaw has no purpose
  • Selection rationale: OpenShell (NVIDIA’s own sandbox engine) + Claude Code-style sub-agent + default OpenClaw compatibility + dual CLI alias support for Hermes
  • Compatibility with existing OpenClaw mechanisms: the nemoclaw/ Commander plugin injects commands; OpenClaw’s heartbeat, SOUL.md, and skills mechanisms require no modification

2. Core technology

  • Dual-language stack (per the official AGENTS.md):
    • TypeScript: CLI core (src/lib/) and OpenClaw plugin (nemoclaw/src/)
    • YAML: blueprints (nemoclaw-blueprint/blueprint.yaml) and policies (nemoclaw-blueprint/policies/)
    • Bash/Python: scripts, E2E tooling
    • CommonJS (bin/): stable entry-point launcher, versioned separately from the TypeScript build output
  • OpenShell sandbox: each agent runs in an isolated runtime; toolset and network access are constrained (sandbox details discussed in 05-4)
  • Managed inference: @aws-sdk/client-bedrock-runtime + routing layer + model-specific-setup registry handles cross-provider compatibility for the same agent
  • Four security guardrails: network policies, credential sanitization, SSRF validation, Docker capability drops (Section 5)
  • Multi-agent support: native OpenClaw (default) and Hermes (via NEMOCLAW_AGENT=hermes env var, CLI alias nemohermes)
  • Runtime requirement: Node.js >= 22.16.0 (declared in engines, implying use of newer V8 and ESM features)

3. System structure: how the three layers compose

Component map (per official AGENTS.md):
PathLanguageResponsibility
bin/JavaScript (CJS)CLI launcher (nemoclaw.js / nemohermes.js) and compatibility helpers
src/lib/TypeScriptCLI core: onboard, credentials, inference, policies, preflight, runner
nemoclaw/TypeScriptOpenClaw plugin (Commander extension)
nemoclaw/src/blueprint/TypeScriptRunner, snapshot, SSRF validation, state management
nemoclaw/src/commands/TypeScriptSlash commands, migration state
nemoclaw/src/onboard/TypeScriptOnboarding config
nemoclaw-blueprint/YAMLBlueprint definition and network policies
nemoclaw-blueprint/policies/YAMLNetwork egress rules
nemoclaw-blueprint/model-specific-setup/JSONAgent-to-model compatibility registry
agents/openclaw/, agents/hermes/AssetsAgent deployment assets
.agents/skills/Markdown11 user skills plus maintainer and contributor tiers
The fastest way to understand a repo: read AGENTS.md firstNemoClaw’s own AGENTS.md is the structured “how this project works” summary written for agents to consume — more structured than the README, faster to grasp than the source. When approaching any unfamiliar open-source project, locating the AGENTS.md / CLAUDE.md / CONTRIBUTING.md trio first is the time-saving shortcut.

4. Configuration files: four layers of customization

YAML-primary, TypeScript-secondary, divided into four layers:

4.1 Blueprint: single source of truth for the entire stack

  • nemoclaw-blueprint/blueprint.yaml: declares sandbox structure, default policies, inference routing
  • Distinction from the agent workspace’s openclaw.json: the blueprint is “the state ops wants,” the workspace config is “the agent’s own preferences.” Keeping them separate prevents users from accidentally overwriting enterprise policies
  • Changing the blueprint requires a sandbox restart; changing workspace config is hot-reload

4.2 Network policies: egress control

  • Location: nemoclaw-blueprint/policies/
  • Behavior: allowlist external targets, block SSRF, restrict ports and protocols
  • Rationale: the largest attack surface for an always-on agent is prompt injection coercing it to call an external API to exfiltrate data or upload a token. Network policy is the last gate before traffic leaves the host
  • Customization: via nemoclaw manage policy or direct YAML editing

4.3 Model-specific setup: compatibility registry

  • Location: nemoclaw-blueprint/model-specific-setup/*.json
  • Contents: which agent maps to which provider, what special headers or parameters are required
  • Use case: the same OpenClaw agent running against Bedrock vs. vLLM needs different system-prompt prefixes and token limits; this registry collapses that difference into one declarative file
  • Lesson: treat “model/service compatibility” as declarable data, not hardcoded agent logic

4.4 Skills: documentation the agent reads

  • Location: .agents/skills/, three audience tiers
    • nemoclaw-user-* (10 files, end users: overview, get-started, configure-inference, configure-security, manage-policy, manage-sandboxes, monitor-sandbox, deploy-remote, agent-skills, reference)
    • nemoclaw-maintainer-* (project maintainers)
    • nemoclaw-contributor-* (codebase contributors)
  • Load mechanism: use nemoclaw-skills-guide skill to get the full directory and decision tree
  • Design observation: audience segmentation treated as first-class metadata, not collapsed into a single tier

User-side config directory: ~/.nemoclaw/

Sections 4.1 through 4.4 cover the hardening configuration you (or ops) declare inside the repo’s nemoclaw-blueprint/ — committed to version control, expressing “what this stack should look like.” Separately, there is a set of files outside the repo, under your home directory: the runtime state generated by the CLI when you run nemoclaw onboard. This is what the CLI reads and writes day to day (as of 2026-06):
~/.nemoclaw
config.json · onboarding state, inference route configuration
sandboxes.json · sandbox registry (with metadata)
credentials.json · user API keys (plaintext JSON, file mode 600)
onboard.json · onboarding configuration snapshot
state
nemoclaw.json · runtime execution state
Three points:
  • Division between ~/.nemoclaw/ and the repo blueprint: the blueprint (nemoclaw-blueprint/blueprint.yaml) is a declarative blueprint committed to version control; ~/.nemoclaw/ is the runtime state produced by onboarding on this specific machine and is not committed. The former is design; the latter is current machine state.
  • A second OpenClaw config lives inside the sandbox: the sandbox container holds /sandbox/.openclaw/openclaw.json (agent config, model, gateway) and .config-hash (SHA256 integrity check). This is inside the container, not on the host, and maps directly to the openclaw.json discussed in 05-1 — just managed by NemoClaw inside the sandbox.
  • Uninstall removes all of ~/.nemoclaw/: because runtime state and design blueprint are separate, uninstalling clears home-directory state without touching the repo blueprint.
credentials.json is plaintext — no encryption, no OS keychainNemoClaw writes user-supplied API keys as plaintext JSON to ~/.nemoclaw/credentials.json, relying only on file mode 600 for access control. The official documentation states it does not encrypt the file and does not integrate with the operating system keychain. Exclude it from cloud sync (iCloud, OneDrive, Dropbox) and broad backup policies; otherwise plaintext keys will be synced to the cloud. By contrast, the provider inference token is injected by the OpenShell gateway at egress and never written to the host disk — a better security model. The plaintext exposure risk is concentrated in credentials.json.

5. Security: four guardrails and the attack surface each covers

GuardrailImplementationAttack surfaceWhat to verify
Network policiesnemoclaw-blueprint/policies/Agent coerced to call external APIs, SSRF, token exfiltrationDefault-deny? Can a plugin bypass the policy?
Credential sanitizationsrc/lib/credentialsAPI keys and tokens leaking via logs or error messagesDoes the log auto-redact? Which secret types are recognized?
SSRF validationnemoclaw/src/blueprint/ssrf.tsAgent fetches a URL that hits an internal metadata service (169.254.169.254, etc.)Rejects loopback / link-local / RFC1918?
Docker capability drops + process limitsOpenShell runtimeContainer escape, CPU/memory exhaustionDefault drop ALL caps? no-new-privileges set?
Security is a deployment prerequisite, not an add-on featureThe very first badge in NemoClaw’s README is “Security: Report a Vulnerability,” and SECURITY.md requires vulnerabilities to be submitted through NVIDIA PSIRT or a PGP-encrypted channel — not as public issues. This signals the intended context: the hardening layer is not decoration; it is the prerequisite for deploying an always-on agent in an enterprise environment. If you want to run OpenClaw or Hermes in an enterprise setting, do not put it into production without an equivalent hardening layer.

6. What to internalize: six design lessons

  • Shell as policy: rather than letting the agent decide whether it can reach external networks, the shell declares (YAML blueprint) and enforces (OpenShell + policy engine). Security policy and agent logic are fully decoupled
  • Managed inference as a cross-cutting concern: model compatibility is not the agent code’s problem; it is the deployment layer’s. The model-specific-setup registry makes “same agent, multiple models” declarable data
  • Three-tier documentation: user / maintainer / contributor each get their own skill set, avoiding the information overload of one README serving everyone
  • Plugin, not fork: nemoclaw/ is an OpenClaw plugin (Commander extension), not a fork. Upgrading upstream requires no rebase
  • Dual CLI alias: nemoclaw (OpenClaw) and nemohermes (Hermes) share one package; switching agents requires no reinstall
  • Sandbox boundary as audit unit: OpenShell is both runtime and audit boundary. The same agent in two sandboxes is two audit units; events are independently traceable
Mapping this to your own deploymentSuppose you want to deploy a team-internal OpenClaw to staging:
1

Write the blueprint

After git clone of OpenClaw, write nemoclaw-blueprint/blueprint.yaml describing which internal APIs the agent may call, which external hosts are blocked, and which inference provider to use.
2

Run onboard

Run npx nemoclaw onboard; the guided flow auto-generates policies/ and model-specific-setup/.
3

Deploy to staging

npx nemoclaw deploy-remote pushes to staging.
4

Monitor

On staging, use npx nemoclaw monitor-sandbox to observe SSRF attempts, policy violations, and credential exposure events.
5

Switch inference provider

Need to change providers? Edit the corresponding JSON in model-specific-setup/ and restart the sandbox. Agent code is untouched.
This path demonstrates the “agent logic unchanged, only the blueprint updated” benefit: upgrading OpenClaw upstream does not force a rebase of your hardening layer.

7. Questions to ask yourself

  • Does your always-on agent have equivalent four-guardrail coverage? If not, what is the exposed risk surface?
  • Is your blueprint or policy expressed as code (version-controlled, auditable) or buried in a docker run command or Helm values file?
  • When you upgrade your agent’s upstream, is the hardening layer preserved as-is or forced into a rebase?
  • Is your skill or documentation segmentation fixed or does it drift as the agent evolves?
  • Is your SSRF validation and credential sanitization “on by default” or “remember to enable it”?

8. An analogy

NemoClaw is like putting a mobile robot inside a reinforced glass display case: the robot itself is unchanged (OpenClaw stays OpenClaw, Hermes stays Hermes), but the case decides what it can touch, what it cannot, who it can see, and who can see it. The case’s policies (YAML blueprint) are version-controlled; the robot’s personality (SOUL.md) is also version-controlled. The two layers are managed separately.

9. Positioning against 05-1, 05-2, and 05-4

Dimension05-1 OpenClaw05-2 Hermes-Agent05-3 NemoClaw
RoleAgent coreAgent coreHardened shell for agents
LanguageTypeScriptPythonTypeScript + YAML + Bash
SandboxOptional (agents.defaults.sandbox)6 terminal backendsMandatory (OpenShell)
Network policyTool-levelTool-levelBlueprint + policy engine
Inference routingClient-sideClient-sideManaged inference + registry
Skill loadingskills/skills/ (progressive).agents/skills/ three-tier
Enterprise-readyNo (local-first, personal)No (local-first, personal)Yes (policy-as-code + formal vulnerability disclosure)

Hands-on exercises

1

Read AGENTS.md

After git clone https://github.com/NVIDIA/NemoClaw, run cat AGENTS.md and map its content against this unit’s “System structure” section. The project’s own AGENTS.md is the most authoritative “how this project works” summary.
2

Examine a blueprint

Read nemoclaw-blueprint/blueprint.yaml and one example from nemoclaw-blueprint/policies/ to get a concrete feel for what policy-as-code looks like.
3

Observe three-tier naming

Run gh api repos/NVIDIA/NemoClaw/contents/.agents/skills --jq '.[].name' to list all skills and observe the naming convention across user / maintainer / contributor tiers.

Common pitfalls

  • Thinking NemoClaw is another agent framework: it is a hardened shell with no AIAgent main loop of its own. Without OpenClaw or Hermes running inside it, NemoClaw has no meaning
  • Treating the blueprint as an ordinary config file: the blueprint is the declared desired state of enterprise policy; changing it requires a sandbox restart and a passing preflight check. Do not bypass preflight by directly editing a running sandbox
  • Mixing nemoclaw and nemohermes commands: the two manage onboarding for different agents. Mixing them writes OpenClaw configuration into a Hermes sandbox (the directory structures differ)
  • Ignoring model-specific-setup/ version compatibility: upgrading a model provider without updating the registry causes the agent to assume the new model has the old model’s capabilities, producing silent failures

Self-check

Self-check
  1. Can you draw a stack diagram showing the relationship between OpenShell, NemoClaw, and OpenClaw?
  2. Can you state the attack surface each of the four security guardrails addresses?
  3. Can you explain why nemoclaw-blueprint/ uses YAML rather than TypeScript or JSON?
  4. Can you evaluate what would need to change — and what could be preserved — if you moved your existing OpenClaw deployment into NemoClaw?

Sources and further reading

Factual claims are grounded in official documentation; fast-changing items are annotated as of 2026-05.
  • Related: 05-1 OpenClaw agent core; 05-2 Hermes-Agent core; 05-4 three-approach comparison (includes in-depth sandbox discussion); 01-6 harness engineering six components (NemoClaw’s security shell is a complete real-world instance of the security-boundaries component).