NemoClaw

Run AI coding agents like OpenClaw and Hermes securely inside NVIDIA OpenShell sandboxes with a hardened blueprint, routed inference, and lifecycle management through a single CLI.

21.6Kstars
2.9Kforks
Apache License 2.0
TypeScript

NemoClaw is NVIDIA’s open-source reference stack for deploying always-on AI agents more safely inside OpenShell sandboxes. It wraps the full operational surface of sandboxed agent deployment — onboarding, blueprint application, inference routing, network policy enforcement, and sandbox lifecycle management — into a single CLI that makes it practical to run capable AI coding agents without sacrificing host security.

At its core, NemoClaw ships a hardened blueprint that pins the sandbox OCI image to a specific digest, applies capability drops and resource profiles, and enforces baseline network egress policies. Operators can choose from preset policy profiles for common scenarios, customize egress rules for private networks, and approve or reject agent-requested policy changes through a structured approval flow — all without modifying the agent itself.

Inference routing is handled through a virtual gateway endpoint that transparently forwards agent traffic to whichever provider is configured: NVIDIA NIM cloud, local NIM instances, vLLM, Ollama, AWS Bedrock, or any OpenAI-compatible endpoint. Switching providers requires only a profile flag change, not agent reconfiguration. This decoupling lets teams run the same agent configuration in airgapped environments or against cloud APIs without changing agent code.

NemoClaw is an alpha project backed by NVIDIA and supports two primary AI agents: OpenClaw (default) and Hermes. It targets developer teams and platform engineers who want to benefit from agentic AI coding workflows while maintaining meaningful isolation between the agent process and the host system.

What You Get

  • Hardened sandbox blueprint with pinned OCI image digests to prevent supply-chain substitution attacks on the sandbox container
  • Virtual inference gateway that transparently routes agent traffic to NVIDIA NIM, vLLM, Ollama, AWS Bedrock, or any OpenAI-compatible endpoint with a simple profile switch
  • Structured network policy system with operator-approved egress rules, preset policy profiles, and per-channel messaging controls
  • Guided onboarding CLI that handles prerequisites validation, agent installation, inference provider configuration, and sandbox creation in sequence
  • Sandbox lifecycle management commands for start, stop, status, rebuild, snapshot, restore, garbage collection, and upgrade of sandboxed agent environments
  • Credential isolation ensuring API keys are never baked into sandbox filesystems or local backups, injected at runtime via OpenShell’s credential mechanism
  • Support for resource profiles (creator, gamer, developer, game-developer) that partition CPU and memory allocation between the sandbox and host
  • Skill install and remote skill management to extend agent capabilities inside the isolated environment without compromising the sandbox boundary

Common Use Cases

  • Running OpenClaw or Hermes as always-on AI coding assistants with strong process isolation from the host operating system
  • Deploying AI agents in environments with strict egress requirements, using network policy presets and per-domain approval workflows to control outbound connections
  • Switching between cloud inference (NVIDIA NIM, Bedrock) and local inference (vLLM, Ollama) by changing a single profile flag without modifying agent configuration
  • Setting up airgapped or enterprise-controlled inference environments where the agent connects to an internal NIM service or vLLM instance
  • Platform engineering teams standardizing how AI agents are deployed across developer machines with consistent sandbox hardening, logging, and policy baselines
  • Evaluating AI agent security posture using the built-in security best practices controls reference and risk framework documentation

Under The Hood

Architecture NemoClaw follows a layered CLI architecture with clean separation between public command grammar, oclif-based command dispatch, action orchestration, and provider adapters. A front controller translates a natural sandbox-name-first product grammar into oclif’s internal routing, decoupling the user-facing API from the implementation. Actions in the core library compose domain modules — sandbox lifecycle, inference routing, policy management, network controls — without coupling them to each other. The dependency graph flows strictly one direction through CLI, actions, domain services, and adapters to state, ensuring each layer can be tested and replaced independently. Blueprint definitions express sandbox configuration declaratively with operator-controlled resource profiles and pinned image references that the runtime reads at execution time rather than baking into command logic.

Tech Stack NemoClaw is built in TypeScript in strict mode targeting Node.js 22+ and distributed as an npm package using oclif for command discovery, parsing, and help rendering. The blueprint system uses YAML for declaring sandbox configurations with pinned OCI image digests for supply-chain integrity. Inference routing spans multiple providers — NVIDIA NIM, AWS Bedrock via the official AWS SDK, vLLM, Ollama, and OpenAI-compatible endpoints — unified behind a virtual inference gateway endpoint that routes to the selected backend at runtime. The build pipeline uses Biome for formatting and linting, Vitest as the test runner, and Sphinx with Fern for documentation generation. Pre-commit hooks via prek enforce code quality gates, and GitHub Actions runs CI with conventional commit enforcement.

Code Quality The codebase demonstrates comprehensive test coverage with over 750 test files across unit, integration, and live E2E scenarios, all using Vitest with typed describe/it/expect patterns and explicit timeout budgets. Error handling is deliberate — credential redaction uses symlink-safe file open flags and pattern-based secret scrubbing to prevent credential leakage in logs and backups. TypeScript strict mode is enforced project-wide, Biome handles consistent formatting and linting, and commitlint with conventional commit configuration maintains a structured changelog history. CI pipelines gate on type checking, lint, format verification, and test execution before merges.

What Makes It Unique NemoClaw’s most distinctive technical contribution is the virtual inference gateway — a unified local endpoint that transparently routes AI agent traffic to any supported inference backend without agent reconfiguration, enabling seamless switching between cloud and local providers. Paired with digest-pinned blueprint containers, NemoClaw goes further than typical agent sandboxing by explicitly guarding against registry-level supply-chain attacks: the blueprint enforces that the resolved image digest matches the declared value at the configuration level, not just at pull time. This supply-chain-aware design combined with structured operator approval flows for network policy changes represents a meaningful step beyond what most open-source agent deployment frameworks currently offer.

Self-Hosting

NemoClaw is released under the Apache License 2.0, which is a permissive open-source license with no copyleft requirements. You can use it commercially, modify it freely, and distribute it in proprietary products as long as you retain the copyright notice and license text. There are no restrictions on what models you run, which inference providers you connect to, or how you deploy the resulting system. The Apache 2.0 license also includes an explicit patent license from all contributors, which is a meaningful protection when building on software from a large technology vendor.

Running NemoClaw yourself requires a host environment where NVIDIA OpenShell is supported — the blueprint pins specific OpenShell and OpenClaw version ranges, so you will need to track those dependencies as they evolve. The sandbox image is a pinned OCI digest pulled from GitHub Container Registry, so outbound access to ghcr.io is required unless you mirror the image internally. Inference providers add their own infrastructure requirements: cloud providers need API keys and internet access, while local options like vLLM or local NIM instances require substantial GPU resources to run the backing model. You are responsible for sandbox updates, network policy maintenance, host OS patching, and credential rotation — NemoClaw provides the tooling but not the managed operations layer.

As an alpha project, NemoClaw does not offer guaranteed response timelines from maintainers, no SLAs, and no dedicated enterprise support channels beyond public GitHub Discussions and Discord. There is no commercial cloud-hosted version of NemoClaw to compare against — it is purely a self-hosted reference stack. The trade-off is full control over data, inference backend, and security posture versus accepting that production readiness, HA configurations, and long-term maintenance are entirely the operator’s responsibility.

Join founders buildingwith open source

Opinionated takes, migration guides, cost-saving tips, and insights from the open source ecosystem.

Subscribe on Substack

No spam. Unsubscribe anytime.

Join 750+ subscribers
No spam. Unsubscribe anytime.

Search