6 min read · valpha
NemoClaw Architecture
OpenClaw plugin for NVIDIA OpenShell — sandboxed agent execution with managed inference and declarative policy enforcement
Tags: nvidia, sandbox, agent-runtime, inference-routing, security-policy, openclaw, openshell
Diagram legend:
  CLI / Plugin (TypeScript)
  Blueprint / Orchestrator (Python)
  Agent Runtime (OpenClaw)
  Inference Providers
  Policy / Config (YAML)
  Monitoring / TUI
  Sandbox Container
  External Services
System Layers
Operator Interface
  nemoclaw CLI: TypeScript plugin
  OpenShell TUI: openshell term
  openclaw tui: Agent chat interface
  nemoclaw onboard: Interactive wizard
Plugin Layer (TypeScript — in-process with OpenClaw gateway)
  launch.ts: Fresh sandbox install
  connect.ts: Sandbox access
  slash.ts: /nemoclaw command handler
  Blueprint Resolver: Digest verification
Blueprint Layer (Python — versioned artifact)
  orchestrator/runner.py: plan / apply / status
  blueprint.yaml: Version & compatibility
  openclaw-sandbox.yaml: Baseline security policy
  Policy Presets: PyPI, Docker Hub, Slack, Jira
OpenShell Runtime (container orchestration & gateway)
  Sandbox Container: ghcr.io/nvidia/.../openclaw
  OpenShell Gateway: Request interception
  Inference Router: Provider switching
  Network Policy Engine: Egress control
Agent Runtime (inside sandbox)
  OpenClaw Agent: Autonomous task execution
  /sandbox workspace: Read-write filesystem
  /tmp: Ephemeral storage
  System paths: Read-only mount
Inference Providers (external)
  NVIDIA Cloud (NIM): Nemotron 3 Super 120B
  Local NIM: Self-hosted Nemotron
  Local vLLM: Nemotron 3 Nano 30B
  build.nvidia.com: API key endpoint
Core Flow — Sandbox Lifecycle
1. CLI Entry — Operator runs nemoclaw onboard or nemoclaw launch. The TypeScript plugin registers under the openclaw nemoclaw namespace.
2. Blueprint Resolution — Plugin downloads the Python blueprint artifact and verifies its digest for supply-chain safety. Checks min_openshell_version and min_openclaw_version constraints.
3. Resource Planning — runner.py executes the plan phase, determining which OpenShell resources to create: gateway, inference provider, sandbox, network policy, and inference route.
4. Apply Configuration — Blueprint invokes OpenShell CLI commands to provision the sandbox container, apply openclaw-sandbox.yaml policies, and configure inference routing.
5. Agent Boot — OpenClaw starts inside the sandbox with the NemoClaw plugin pre-installed. All policies are active. Filesystem confined to /sandbox and /tmp.
6. Runtime Enforcement — Every network request, file access, and inference call is governed by declarative policy. Blocked egress surfaces in the TUI for operator approval.
7. Inference Routing — Agent inference calls are intercepted by OpenShell and routed to the configured provider (NVIDIA Cloud, Local NIM, or Local vLLM). Providers can be hot-swapped at runtime.
8. Status & Monitoring — Operator uses openshell term for live network monitoring, nemoclaw status for health checks, and nemoclaw logs --follow for streaming container logs.
Security Model
Sandbox Policy Enforcement
  Network: Deny-by-default egress model
    Only whitelisted endpoints in openclaw-sandbox.yaml allowed
    Unlisted hosts blocked; surfaced in TUI for operator approval
    Approved endpoints persist for session only, not baseline
    Network rules are hot-reloadable via openshell policy set
  Filesystem: Read-write limited to /sandbox and /tmp
    All system paths mounted read-only
    Filesystem isolation locked at container creation
  Process: Prevents privilege escalation and unsafe syscalls
  Container image pinned: ghcr.io/nvidia/openshell-community/sandboxes/openclaw
Inference & Supply Chain Auth
  Inference Mediation:
    All model calls routed through OpenShell gateway
    Agent never contacts inference endpoints directly
    NVIDIA Cloud requires API key from build.nvidia.com
    Key configured during nemoclaw onboard wizard
  Blueprint Verification:
    Immutable, versioned Python artifacts
    Digest-verified before every execution
    Version constraints: min_openshell_version, min_openclaw_version
  Operator Approval Flow:
    TUI surfaces blocked egress requests in real time
    Operator approves/denies per-session, not persistent
Key Subsystem Detail — Blueprint System
nemoclaw-blueprint/
├── blueprint.yaml              ← Manifest: version, compatibility constraints
├── orchestrator/
│   └── runner.py               ← Core engine: plan / apply / status lifecycle
└── policies/
    ├── openclaw-sandbox.yaml   ← Baseline network & filesystem restrictions
    └── presets/
        ├── pypi.yaml           ← Pre-configured egress for PyPI
        ├── dockerhub.yaml      ← Pre-configured egress for Docker Hub
        ├── slack.yaml          ← Pre-configured egress for Slack API
        └── jira.yaml           ← Pre-configured egress for Jira API

runner.py (Orchestrator)
  Implements plan/apply/status ops
  Determines which OpenShell resources to create/update/verify
  Drives all CLI interactions
blueprint.yaml (Manifest)
  Declares blueprint version, min_openshell_version, min_openclaw_version
  Ensures compatibility before provisioning
openclaw-sandbox.yaml (Policy)
  Declarative YAML defining network whitelist, filesystem mount rules, process constraints — the security baseline
Policy Presets
  Ready-made egress templates for PyPI/Docker Hub/Slack/Jira
  Applied additively on top of baseline, requires_approval: false
Digest Verification
  Plugin verifies blueprint artifact digest before execution
  Immutable artifacts ensure supply-chain integrity
Hot-Reload Support
  Network rules reloadable at runtime via openshell policy set
  Filesystem and process isolation locked at creation time
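The digest-then-compatibility gate that the Blueprint Resolver performs, written out as an added Python example (not NemoClaw's own code). The artifact bytes, the `sha256:<hex>` digest encoding and the version numbers are constructed for illustration; only the manifest field names come from the page.

```python
import hashlib
import hmac

# Constructed stand-ins for a downloaded blueprint artifact and its manifest.
# Only the field names shown on the page are used; the real artifact format
# and the "sha256:<hex>" digest encoding are assumptions.
ARTIFACT_BYTES = b"# runner.py placeholder (constructed blueprint archive)\n"
MANIFEST = {
    "name": "nemoclaw-blueprint",
    "version": "0.1.0",
    "min_openshell_version": "0.3.0",
    "min_openclaw_version": "1.2.0",
    "artifact_digest": "sha256:" + hashlib.sha256(ARTIFACT_BYTES).hexdigest(),
}


def parse_version(v):
    """'MAJOR.MINOR.PATCH' -> tuple of ints, so '1.10.0' compares above '1.9.0'."""
    return tuple(int(p) for p in v.split("."))


def verify_digest(artifact, manifest):
    """Recompute sha256 over the artifact bytes and compare in constant time
    with the pinned digest. A mismatch or an unknown algorithm fails closed."""
    algo, _, expected = manifest["artifact_digest"].partition(":")
    if algo != "sha256" or not expected:
        return False
    return hmac.compare_digest(hashlib.sha256(artifact).hexdigest(), expected)


def check_compatibility(manifest, openshell_version, openclaw_version):
    """Installed versions must satisfy both min_* constraints from the manifest."""
    return (parse_version(openshell_version) >= parse_version(manifest["min_openshell_version"])
            and parse_version(openclaw_version) >= parse_version(manifest["min_openclaw_version"]))


def resolve_blueprint(artifact, manifest, openshell_version, openclaw_version):
    """Gate execution: digest first, then compatibility. Returns (ok, reason)."""
    if not verify_digest(artifact, manifest):
        return False, "digest mismatch: refusing to execute blueprint"
    if not check_compatibility(manifest, openshell_version, openclaw_version):
        return False, "version constraints not satisfied"
    return True, "blueprint verified"
```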
Configuration & Data Model
blueprint.yaml
version, name, min_openshell_version, min_openclaw_version, artifact_digest (sha256)
openclaw-sandbox.yaml
network.egress[].host, network.egress[].port, filesystem.writable[], filesystem.readonly[], process.allow_escalation
Inference Profile
provider: nvidia-nim | vllm-local | nim-local, model: nemotron-3-super-120b-a12b, endpoint: build.nvidia.com, api_key (env variable)
Sandbox State
instance_name, run_id, container_image (ghcr.io), status: creating | running | stopped, session_approvals[] (ephemeral)
Policy Preset
name: pypi | dockerhub | slack | jira, egress[].host, egress[].port, merge_strategy: additive, requires_approval: false
OpenShell Resources
gateway (request interception), inference_provider (routing), sandbox (container instance), network_policy (egress rules), inference_route (model mapping)
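How the data model above fits together at enforcement time, as an added Python example (not the project's code): an additive preset merged onto the deny-by-default baseline, session approvals kept apart from the policy so they never persist into it, and write checks against the writable mounts. The policy dicts, the preset hostnames and the result labels are constructed assumptions, not NemoClaw's real YAML schema.

```python
import os

# Constructed policy objects (not NemoClaw's real YAML schema) mirroring the
# field names listed above: network.egress[].host/port, filesystem.writable[],
# process.allow_escalation, merge_strategy: additive, session_approvals[].
BASELINE = {
    "network": {"egress": [{"host": "build.nvidia.com", "port": 443}]},
    "filesystem": {"writable": ["/sandbox", "/tmp"], "readonly": ["/"]},
    "process": {"allow_escalation": False},
}
PYPI_PRESET = {  # hostnames are assumed here, not taken from the real preset
    "name": "pypi",
    "egress": [{"host": "pypi.org", "port": 443}, {"host": "files.pythonhosted.org", "port": 443}],
    "merge_strategy": "additive",
    "requires_approval": False,
}


def apply_preset(policy, preset):
    """Additive merge: a preset may only add egress rules to the baseline,
    never remove or loosen them. The baseline dict itself is left untouched."""
    if preset.get("merge_strategy") != "additive":
        raise ValueError("only additive presets are supported")
    egress = list(policy["network"]["egress"])
    egress += [r for r in preset["egress"] if r not in egress]
    return {**policy, "network": {**policy["network"], "egress": egress}}


class SandboxState:
    """Per-session operator approvals: consulted at evaluation time, never written back."""
    def __init__(self, policy):
        self.policy = policy
        self.session_approvals = []  # ephemeral, as session_approvals[] above

    def approve(self, host, port):
        self.session_approvals.append({"host": host, "port": port})

    def evaluate_egress(self, host, port):
        """Deny by default: 'allow' for policy rules, 'allow-session' for
        operator-approved rules, otherwise 'blocked' (surfaced in the TUI)."""
        rule = {"host": host, "port": port}
        if rule in self.policy["network"]["egress"]:
            return "allow"
        if rule in self.session_approvals:
            return "allow-session"
        return "blocked"

    def evaluate_write(self, path):
        """Writes allowed only under a writable mount; normpath defeats '..' escapes."""
        path = os.path.normpath(path)
        return any(path == w or path.startswith(w.rstrip("/") + "/")
                   for w in self.policy["filesystem"]["writable"])
```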
Package / Directory Map
NemoClaw/
├── nemoclaw/                   TypeScript CLI plugin (16.4% of codebase)
│   └── src/
│       ├── launch.ts           Fresh sandbox installation
│       ├── connect.ts          Reconnect to existing sandbox
│       ├── slash.ts            /nemoclaw chat command handler
│       └── status.ts           Health check & reporting
├── nemoclaw-blueprint/         Python orchestrator artifact (12.2%)
│   ├── orchestrator/
│   │   └── runner.py           plan / apply / status engine
│   └── policies/
│       ├── openclaw-sandbox.yaml   Baseline security policy
│       └── presets/            Service-specific egress templates
├── scripts/                    Utility & setup scripts (28.8% Shell)
├── docs/                       Documentation sources
│   ├── about/                  Overview, how-it-works
│   ├── reference/              Architecture, API reference
│   ├── inference/              Provider configuration guides
│   └── monitoring/             TUI & logging guides
├── test/                       Test suites (vitest + pytest)
├── ci/                         CI/CD workflows
├── .github/                    Issue templates, GH Actions
└── bin/                        Executable entry points
The Key Insight
NemoClaw achieves defense-in-depth for autonomous agents through a thin TypeScript plugin that delegates all orchestration to a digest-verified, immutable Python blueprint. This separation means the plugin stays lightweight and stable while the blueprint independently evolves its security policies, inference routing, and sandbox provisioning — ensuring that every network request, file access, and model call is governed by declarative, auditable policy rather than imperative code.