TL;DR: NVIDIA NeMoClaw, launched at GTC 2026, is an open-source security and privacy stack for the OpenClaw agent platform. It adds three layers: OpenShell (a sandboxed runtime with policy-based network controls), a Privacy Router (strips PII before cloud model calls), and intent verification (validates what an agent wants to do before it does it). It closes specific, well-understood attack paths. It does not replace red teaming.

Why NeMoClaw landed when it did

Enterprise teams have spent the last 18 months deploying OpenClaw agents across productivity, customer service, and operations workflows. Gartner projects that by 2028, 33% of enterprise software applications will include agentic AI capabilities, up from less than 1% in 2024. The attack surface those deployments created has grown proportionally. Repello's research has catalogued malicious OpenClaw skills designed to exfiltrate data and documented supply chain attacks targeting the OpenClaw ecosystem. The pattern is consistent: agents that can take action can be made to take the wrong action.

NVIDIA's answer, announced by Jensen Huang at GTC on March 16 2026, is NeMoClaw: a single-command install that wraps OpenClaw in a security and privacy enforcement layer. It is available now as an early preview, deployable on RTX PCs, DGX Spark, DGX Station, and cloud infrastructure. Enterprise launch partners include CrowdStrike, SAP, Adobe, Salesforce, and Dell.

This post explains what NeMoClaw actually does, how its three core components work, and where the gaps are that security engineers still need to cover.

The three components of NeMoClaw

OpenShell: sandbox and policy enforcement

OpenShell is the runtime layer. It sits between the OpenClaw agent and the underlying infrastructure, controlling what the agent can access, what it can execute, and where inference tasks are processed.

The key controls it enforces:

• Sandboxed execution: Agents run inside an isolated environment. A compromised or manipulated agent cannot directly access the host file system, network sockets, or adjacent processes without going through OpenShell's policy layer.

• Network egress control: Operators define which external endpoints an agent is permitted to call. Unapproved outbound connections require explicit operator approval before they complete. This directly addresses one of the most common data exfiltration paths in agentic attacks.

• Minimal-privilege access: OpenShell enforces least-privilege principles per agent, so a customer service agent cannot inherit the permissions of a code execution agent running in the same environment.

According to the NVIDIA NeMoClaw developer documentation, OpenShell acts as an intermediary that manages "how the agent operates, defining what it can access, execute, and where inference tasks are processed." That framing matters: it is a policy enforcement point, not a detection system. It prevents out-of-policy actions. It does not identify novel attack patterns it has not been configured to block.

Privacy Router: PII stripping before cloud calls

Many OpenClaw deployments use frontier cloud models (GPT-series, Gemini, Claude) for tasks that require reasoning beyond what local models can handle. Every time an agent sends a query to a cloud provider, there is a potential for sensitive data to leave the operator's environment.

The Privacy Router intercepts those calls. Before a query reaches the cloud model, the router applies differential privacy techniques to strip or obfuscate personally identifiable information. The agent can still get a useful response from the cloud model; the cloud provider never sees the raw PII.

For teams operating under EU AI Act or similar data residency requirements, this matters at the architecture level. The Privacy Router does not eliminate the need for data governance controls, but it substantially reduces the blast radius of a misconfigured agent that handles sensitive customer data.

Local inference is the other option. NeMoClaw evaluates available compute and, where hardware supports it, routes inference to NVIDIA Nemotron models running locally. No cloud call, no PII exposure risk. On DGX Spark and high-end RTX systems, local Nemotron inference is fast enough to be production-viable for many task classes.

Intent verification: validating what the agent wants to do

This is where NeMoClaw departs from standard sandboxing. Before an agent executes a tool call or takes an action, NeMoClaw's intent verification layer analyses the proposed action against the operator's defined policy. If the action falls outside policy, it is blocked before execution.

The practical effect: an attacker who successfully injects a malicious instruction into an agent's context window still has to get that instruction past intent verification before it becomes a real-world action. The injection has to produce an out-of-policy action, not just reach the model's context.

"Intent verification is a meaningful control layer, but it operates on declared intent, not adversarial intent," said the Repello AI Research Team. "An attacker who understands the policy can craft instructions that appear compliant at the intent layer while achieving a malicious outcome at the action layer. That gap is exactly what red teaming surfaces."

What NeMoClaw covers well

For teams currently running OpenClaw with no security layer at all, NeMoClaw is a substantial upgrade. If an agent tries to call a network endpoint not on the approved list, OpenShell blocks it, stopping the class of exfiltration attacks that depend on agents phoning home. The Privacy Router handles PII stripping at the platform level rather than leaving it to individual developers per integration. Enforced least-privilege means a compromised agent cannot move laterally beyond its granted permissions. And for the first time, security teams have a policy definition layer they can actually inspect: agent behavior is no longer opaque after deployment.

These are real improvements. The OWASP LLM Top 10 lists excessive agency and insecure output handling as two of the top risks in LLM deployments. NeMoClaw directly addresses both. Research from the University of Illinois Urbana-Champaign found that LLM agents can autonomously exploit real-world vulnerabilities with an 87% success rate when given access to tools with insufficient controls, which is precisely the attack surface NeMoClaw's sandbox is designed to constrain.

Where the gaps remain

NeMoClaw is a guardrail stack. Guardrail stacks, by their nature, enforce rules that operators define in advance. The history of AI security research is largely a history of adversaries finding ways to operate within defined rules while violating intended behavior.

Repello's breakdown of Meta's Prompt Guard documented this pattern in detail: a well-resourced guardrail failed against attacks that were not in its training distribution. NeMoClaw's intent verification faces the same structural challenge. It validates intent against policy. It cannot anticipate attack classes that the policy does not account for.

Specific gaps security engineers should think about:

Indirect prompt injection through tool responses. NeMoClaw focuses on what the agent proposes to do. It does not, based on current documentation, deeply inspect the content returned by tool calls before that content enters the agent's context window. An attacker who can control the output of a data source the agent queries can still inject instructions into the agent's reasoning chain. This is the core mechanism behind MCP prompt injection attacks, and it applies to any agentic framework, including OpenClaw with NeMoClaw installed.

Policy definition quality. OpenShell enforces the policy operators write. If the policy is too permissive, or if an operator has not anticipated a particular attack path, OpenShell will not catch it. Policy configuration is not a one-time exercise. It requires ongoing red teaming to identify what the current policy misses.

Multi-turn erosion. Intent verification operates per action. It does not, in its current form, track whether an agent's cumulative behavior over many turns represents a policy violation even when each individual action appears compliant. Gradual goal hijacking across a long conversation can bypass per-action verification.

Novel attack classes. NeMoClaw is in early preview. Its training data and policy templates reflect known attack patterns. Attack classes discovered after deployment will require policy updates. The window between a new attack class being discovered in the wild and a policy update reaching production deployments is where risk concentrates.

What this means for security teams evaluating NeMoClaw

NeMoClaw is worth deploying. The OpenShell sandbox, Privacy Router, and intent verification layer represent genuine security improvements over vanilla OpenClaw, and the single-command installation removes the friction that has historically kept security controls off agent deployments.

The mistake is treating NeMoClaw as a security program rather than a security component. The NIST AI Risk Management Framework is explicit that AI security requires continuous measurement, not point-in-time configuration. A policy defined at deployment time without ongoing adversarial testing is a policy that decays as the threat landscape evolves.

Red teaming NeMoClaw-protected OpenClaw deployments is not optional. It is the mechanism by which operators discover what their policy configuration misses before attackers do.

How Repello approaches NeMoClaw-protected agent security

ARGUS, Repello's runtime security layer, directly extends what NeMoClaw's intent verification does not cover. NeMoClaw checks each proposed agent action against operator-defined policy. ARGUS monitors behavioral drift across the full session: it tracks whether an agent's cumulative trajectory over a conversation has deviated from expected operating parameters, and flags sessions where that drift indicates multi-turn manipulation. The two layers work at different scopes, which is why they complement rather than duplicate each other.

ARTEMIS, Repello's automated red teaming engine, handles pre-deployment validation. It runs adversarial probes against the full NeMoClaw stack, including indirect prompt injection through tool responses, intent verification bypass techniques, and multi-turn erosion sequences. The output is a prioritized list of gaps in the current OpenShell policy configuration, so teams know what to fix before attackers find it first.

Deploying NeMoClaw alongside ARGUS gives you runtime behavioral coverage that operator-defined policy cannot provide. Running ARTEMIS against the combined stack keeps that policy current as the threat landscape evolves.

Learn more about how Repello secures agentic AI deployments at repello.ai/product.

Conclusion

NeMoClaw's three-component architecture covers the attack classes NVIDIA anticipated at launch: unapproved outbound connections, PII leakage to cloud providers, overprivileged agents, and out-of-policy tool calls. Those are real problems and the controls are well-engineered. What the policy cannot cover is what has not been written into it yet. Every new attack class, every new agent capability, every new deployment context adds to that gap. Red teaming is the only mechanism that keeps the gap visible.

Frequently asked questions

What is NVIDIA NeMoClaw? NeMoClaw is an open-source security and privacy stack for NVIDIA's OpenClaw agent platform. Announced at GTC 2026, it installs via a single command and adds three layers of protection: OpenShell (a sandboxed runtime with policy-based network controls), a Privacy Router (strips PII before cloud inference calls), and intent verification (validates agent actions against operator-defined policy before execution).

How does NeMoClaw's OpenShell sandbox work? OpenShell sits between the OpenClaw agent and the underlying infrastructure. It enforces minimal-privilege access controls, restricts network egress to operator-approved endpoints, and runs agents in isolated sandboxes that prevent a compromised agent from directly accessing host resources. Operators define policy in configuration; OpenShell enforces it at runtime.

Does NeMoClaw protect against prompt injection? Partially. NeMoClaw's intent verification layer can block out-of-policy actions that result from a successful prompt injection. However, it does not deeply inspect tool response content before it enters the agent's context window, which means indirect prompt injection through a compromised data source can still inject malicious instructions into the agent's reasoning chain. Red teaming is required to identify which injection paths the current policy configuration does not cover.

What is NeMoClaw's Privacy Router? The Privacy Router intercepts queries destined for cloud inference providers and applies differential privacy techniques to strip or obfuscate PII before the query leaves the operator's environment. It also supports routing inference to locally running NVIDIA Nemotron models on supported hardware, eliminating cloud calls entirely for privacy-sensitive workloads.

What hardware does NeMoClaw support? NeMoClaw is available on NVIDIA RTX PCs, DGX Spark, DGX Station, and cloud infrastructure. Local model inference using Nemotron requires compatible NVIDIA hardware; cloud inference via the Privacy Router works on any deployment target.

Is NeMoClaw a replacement for AI red teaming or runtime behavioral monitoring? No. NeMoClaw enforces operator-defined policy at the action level. It cannot anticipate attack classes the policy does not account for, and it does not track cumulative behavioral drift across multi-turn conversations. ARGUS by Repello fills the runtime gap: it monitors session-level behavioral drift that per-action intent verification misses. ARTEMIS by Repello fills the red teaming gap: it runs adversarial probes against the NeMoClaw stack to find policy gaps before attackers do. The three layers are complementary, not interchangeable.