NemoClaw: a reference stack for running always-on AI agents in secure sandboxes

What it solves

NemoClaw provides a secure, reference stack for deploying "always-on" AI agents. It addresses the security risks associated with giving agents autonomy by running them inside sandboxed environments, preventing them from having unrestricted access to the host system or network.

How it works

It integrates with NVIDIA OpenShell to create hardened sandboxes. The system manages the entire agent lifecycle through a single CLI, providing routed inference, network policies to control egress traffic, and specific blueprints for agent deployment. It supports several agent frameworks, including OpenClaw, Hermes, and LangChain Deep Agents Code.

Who it’s for

Developers and operators who need to run autonomous AI agents with high security requirements and controlled access to system resources.

Highlights

• Sandboxed Execution: Uses NVIDIA OpenShell to isolate agents from the host.
• Hardened Blueprints: Provides pre-configured, secure deployment templates.
• enforced Network Policies: Includes baseline rules and egress control to manage how agents communicate.
• Unified CLI: Simplifies onboarding, lifecycle management, and configuration through one tool.
• Multi-Agent Support: Compatible with OpenClaw, Hermes, and LangChain Deep Agents.