01 Β· NemoClaw User Overview (from the nemoclaw-user-overview skill)
This document is the condensed output of NemoClaw's official
nemoclaw-user-overviewagent skill. It's the NVIDIA-authored framing of the same material covered across the rest of this walkthrough, useful when you want the "official" pitch and decision table without the conceptual build-up.
The Three Projects
| Project | Scope |
|---|---|
| OpenClaw | The assistant: runtime, tools, memory, behavior inside the container. Does not define the sandbox or host gateway. |
| OpenShell | The execution environment: sandbox lifecycle, network/filesystem/process policy, inference routing, and the operator openshell CLI. |
| NemoClaw | The NVIDIA reference stack on the host: nemoclaw CLI + plugin, versioned blueprint, channel messaging wired for OpenShell-managed delivery, and state migration. |
NemoClaw sits above OpenShell in the operator workflow β it drives OpenShell's APIs and CLI to create and configure the sandbox that runs OpenClaw. Models sit behind OpenShell's inference routing; NemoClaw onboarding wires provider choice into that routing.
π¦ NemoClaw ββorchestratesβββΆ π OpenShell ββisolates and runsβββΆ π¦ OpenClaw
(CLI, plugin, blueprint) (gateway, policy, inference) (assistant in sandbox)
NemoClaw Path vs OpenShell Path
Both paths assume OpenShell can sandbox a workload. The difference is who owns the integration work.
| Path | What it means |
|---|---|
| NemoClaw path | Adopt the reference stack. The blueprint encodes a hardened image, default policies, and orchestration, so nemoclaw onboard stands up a known-good OpenClaw-on-OpenShell setup with minimal custom glue. |
| OpenShell path | Use OpenShell as the platform and supply your own container, OpenClaw install steps, policy YAML, provider setup, and any host bridges. OpenShell stays the sandbox/policy engine; nothing requires NemoClaw's blueprint or CLI. |
What NemoClaw Adds Beyond openshell sandbox create --from openclaw
OpenShell already ships a community sandbox for OpenClaw β running openshell sandbox create --from openclaw produces a working isolated environment. NemoClaw layers on:
- Hardened filesystem layout β
/sandboxhome is read-only; gateway config/sandbox/.openclawis immutable; only/sandbox/.openclaw-data,/sandbox/.nemoclaw,/tmpare writable. - Image hardening β strips
gcc,g++,make,netcatfrom the runtime image. - Credential filtering β blocks provider API keys,
DISCORD_BOT_TOKEN,SLACK_BOT_TOKEN,TELEGRAM_BOT_TOKENfrom leaking into sandbox creation as build args; stores them as OpenShell providers instead. - Process limits β
ulimit -u 512in the entrypoint on top of OpenShell's seccomp + privilege dropping. - Sentry exfil block β
POST sentry.io/**is denied entirely (any authenticated client can POST to any Sentry project, so path allowlists can't help). - Blueprint versioning β digest-pinned, compatibility-checked, reproducible across machines.
- State migration β snapshot/restore across machines with credential stripping and integrity verification.
- Automated channel wiring β bot tokens collected at onboarding, registered as OpenShell providers, OpenClaw config baked with placeholders that the L7 proxy resolves at egress.
- Guided onboarding wizard β validates credentials from the host, picks providers, configures inference routing in one command.
When to Use Which
| Situation | Prefer |
|---|---|
| Want OpenClaw with minimal assembly, NVIDIA defaults, documented install/onboard flow | NemoClaw |
| Standardizing on NVIDIA's reference for always-on assistants with policy + inference routing | NemoClaw |
| Need max flexibility for custom images, non-blueprint layouts, or workloads outside the reference stack | OpenShell + your own integration |
| Building internal platform abstractions where NemoClaw's CLI/blueprint aren't the right fit | OpenShell + your orchestration |
The Three Scenarios β A Beginner's Walkthrough
The sections above give the official framing. This section walks through the same material as three concrete scenarios, with side-by-side tables, so you can see exactly what changes at each level.
Scenario A: OpenClaw standalone (no OpenShell, no NemoClaw)
Your laptop
βββ OpenClaw Gateway (running as YOU, with YOUR permissions)
βββ Your files (fully accessible)
βββ Your network (fully open)
βββ Your API keys (in env vars or config files)
βββ Your messaging tokens (Telegram, Slack, etc.)
OpenClaw runs directly on your machine. It has full access to your filesystem, your network, your real API keys, and runs as your user account. It's like hiring a brilliant assistant and giving them the keys to your house, your car, and all your passwords. OpenClaw does have its own application-layer defenses (prompt injection filtering, tool deny lists, DM pairing, openclaw security audit), so it's not reckless β but the perimeter is your laptop itself.
Scenario B: OpenShell + OpenClaw (manual setup, no NemoClaw)
Your laptop (host)
βββ OpenShell gateway (control plane)
β βββ Credential store (real API keys live HERE)
β βββ L7 proxy (inspects all traffic)
β βββ Policy engine (your YAML rules)
β βββ Inference proxy (model routing)
β
βββ Sandbox container (isolated)
βββ OpenClaw Gateway (thinks it's on a normal machine)
βββ Restricted filesystem (you decide what's writable)
βββ Restricted network (deny-all by default)
βββ Placeholder credentials (not real keys)
βββ Runs as user "sandbox" (not as you)
You manually run openshell sandbox create --from openclaw, write your own policy YAML files, set up providers, configure inference routing, and decide which hosts to allow. It's like building your own secure office from scratch β you pick the locks, write the guard's rulebook, and decide the floorplan. Flexible, but you own every decision.
Scenario C: NemoClaw (the full NVIDIA stack)
Your laptop (host)
βββ NemoClaw CLI (orchestrates everything below)
β βββ calls OpenShell under the hood
βββ OpenShell gateway (same as Scenario B, but configured BY NemoClaw)
β βββ Credential store
β βββ L7 proxy
β βββ Policy engine (NemoClaw's hardened policies)
β βββ Inference proxy
β
βββ Sandbox container (hardened beyond OpenShell defaults)
βββ OpenClaw Gateway
βββ Read-only home directory
βββ No compilers (gcc, g++, make, netcat removed)
βββ Process limit (max 512 processes)
βββ Curated network allowlist
βββ Placeholder credentials
βββ Runs as user "sandbox"
You run one command: nemoclaw onboard. It handles everything.
Side-by-side: setup experience
| OpenClaw standalone | OpenShell + OpenClaw | NemoClaw | |
|---|---|---|---|
| Install | npm i -g openclaw |
Install OpenShell + create sandbox + write policies + create providers | curl ... | bash then nemoclaw onboard |
| Effort | 5 minutes | 30β60 minutes (you write all YAML) | 10 minutes (guided wizard) |
| Expertise needed | Low | High (must understand policies, L7 proxy, providers) | Low (wizard asks questions) |
Side-by-side: where credentials live
| Standalone | OpenShell + OpenClaw | NemoClaw | |
|---|---|---|---|
| API keys | In your shell env or ~/.openclaw/openclaw.json |
In OpenShell providers (you set them up) | In OpenShell providers (wizard sets them up) |
| Bot tokens | In your shell env | In OpenShell providers (you set them up) | In OpenShell providers (wizard sets them up), filtered from build args |
| Inside the sandbox? | N/A (no sandbox) | Placeholder only | Placeholder only + explicit filtering to prevent accidental leakage |
With manual OpenShell, if you accidentally pass --env TELEGRAM_BOT_TOKEN=real-token during sandbox creation, the real token lands in the container. NemoClaw actively strips known credential env vars from the creation command β a guardrail against operator mistakes, not just agent mistakes.
Side-by-side: filesystem security
| Standalone | OpenShell + OpenClaw | NemoClaw | |
|---|---|---|---|
| Home directory | Your real home, fully writable | Depends on YOUR policy | Read-only (/sandbox) |
| Gateway config | Writable file on your laptop | Depends on YOUR policy | Immutable (/sandbox/.openclaw) |
| Writable locations | Everything | Whatever you allow | Only /sandbox/.openclaw-data, /sandbox/.nemoclaw, /tmp |
| Compilers available | Whatever's on your laptop | Whatever's in the image | Stripped (no gcc, g++, make, netcat) |
Why strip compilers? If an agent is compromised, having gcc means an attacker could compile custom binaries to probe sandbox defenses. Removing them raises the bar. This is NemoClaw-specific hardening the community OpenShell sandbox doesn't do.
Side-by-side: network policies
| Standalone | OpenShell + OpenClaw | NemoClaw | |
|---|---|---|---|
| Default egress | Everything open | Everything denied (you write allowlist) | Everything denied + curated allowlist for NVIDIA, Anthropic, ClawHub, npm, OpenClaw |
| Binary pinning | N/A | If YOU configure it | Pre-configured (e.g., only /usr/local/bin/claude can reach api.anthropic.com) |
| Sentry exfil | Open | Depends on YOUR policy | POST blocked, only GET allowed |
| GitHub access | Open | Depends on YOUR policy | Not in baseline β opt-in via preset only |
| Presets | N/A | N/A (you write everything) | Pre-built for Telegram, Discord, Slack, GitHub, Brave, npm, PyPI, Jira, etc. |
Side-by-side: process isolation
| Standalone | OpenShell + OpenClaw | NemoClaw | |
|---|---|---|---|
| User | YOUR user account | sandbox user (if you configured it) |
sandbox user (pre-configured) |
| Process limits | None | OpenShell defaults (seccomp) | seccomp + ulimit -u 512 (anti fork-bomb) |
| Privilege escalation | Possible | Blocked by seccomp | Blocked by seccomp |
Side-by-side: reproducibility
| Standalone | OpenShell + OpenClaw | NemoClaw | |
|---|---|---|---|
| Reproducible across machines? | No (depends on your laptop state) | Only if you version your YAML | Yes β digest-pinned blueprint |
| Version control | openclaw update |
You manage image versions | Blueprint pins exact image digest + OpenClaw version |
| Upgrades | openclaw update --channel stable |
You pull new images manually | Wait for new blueprint, rerun nemoclaw onboard |
The blueprint digest-pinning (sha256:b3d832b... in blueprint.yaml) means every machine running nemoclaw onboard with that blueprint gets the exact same container image, policies, and configuration. This is what makes fleet deployment auditable β your security team can verify one blueprint and know it applies everywhere.
Side-by-side: day-to-day operations
| Task | Standalone | OpenShell + OpenClaw | NemoClaw |
|---|---|---|---|
| Chat with the assistant | openclaw tui |
openshell sandbox connect then openclaw tui |
nemoclaw my-assistant connect then openclaw tui |
| Switch model | /model or env var |
openshell inference set |
openshell inference set (same) |
| Approve blocked request | N/A (nothing blocked) | openshell term |
openshell term (same) |
| Check health | openclaw doctor |
openclaw doctor (inside sandbox) |
nemoclaw my-assistant status + openclaw doctor inside |
| Back up agent memory | Copy ~/.openclaw/ |
openshell sandbox download |
./scripts/backup-workspace.sh |
What stays the same across ALL three
OpenClaw's application-layer defenses work identically everywhere:
- Prompt injection filtering (regex, boundary wrapping, unicode folding)
- Tool deny list (exec, shell, fs_write blocked from Gateway HTTP by default)
- Environment variable blocklist (
NODE_OPTIONS,LD_PRELOAD, etc.) - DM pairing (unknown senders need approval codes)
openclaw security audit(50+ automated security checks)- Skill/extension supply-chain scanning
- Rate limiting and flood protection
- CLI secret redaction
These are baked into OpenClaw itself. NemoClaw doesn't add to them or change them.
Presentation-ready summary
| OpenClaw (standalone) | OpenShell + OpenClaw | NemoClaw | |
|---|---|---|---|
| What it is | The AI assistant running on your machine | The assistant in a manually-configured sandbox | The assistant in an NVIDIA-hardened sandbox |
| Security model | App-layer defenses only; you are the perimeter | App-layer + infrastructure isolation (your policies) | App-layer + infrastructure isolation (NVIDIA's policies + your customizations) |
| Who writes the policies? | Nobody (no sandbox) | You | NVIDIA (baseline) + you (presets/overrides) |
| Credential safety | Keys on your filesystem | Keys in OpenShell providers (manual setup) | Keys in OpenShell providers (automated) + leak prevention |
| Reproducible? | No | If you version-control your setup | Yes (digest-pinned blueprint) |
| Best for | Personal use, development, experimentation | Teams building custom agent platforms | Enterprise deployment with NVIDIA's security defaults |
OpenClaw is the AI assistant. Running it standalone gives you app-level safety. Adding OpenShell gives you infrastructure-level isolation β but you write every policy. NemoClaw gives you NVIDIA's battle-tested policies out of the box, with a single command, reproducible across your entire fleet.
Core Capabilities
| Capability | What it does |
|---|---|
| Sandbox OpenClaw | Creates an OpenShell sandbox pre-configured for OpenClaw with filesystem + network policies from first boot. |
| Route inference | Configures OpenShell inference routing so agent traffic goes to the provider/model chosen at onboarding (NVIDIA Endpoints, OpenAI, Anthropic, Gemini, Ollama, vLLM, compatible endpoints). Agent talks to inference.local; credentials stay on the host. |
| Manage the lifecycle | Blueprint versioning, digest verification, reproducible setup. |
| Layered protection | Network, filesystem, process, and inference controls β hot-reloadable (network/inference) or locked at creation (filesystem/process). |
The Core Challenge It Solves
Autonomous AI agents like OpenClaw can make arbitrary network requests, touch the host filesystem, and call any inference endpoint. Without guardrails, that creates security, cost, and compliance risks that compound as agents run unattended. NemoClaw gives you a single CLI (nemoclaw) that orchestrates the full stack β gateway, sandbox, inference provider, and network policy β so those guardrails come on by default and stay reproducible across machines.
Next: 02-mental-model.md β the unified stack model, end to end.