← hub

NemoClaw

NVIDIA's OpenClaw sandbox plugin. Landlock + seccomp + netns are the isolation boundary; the transparent inference-routing proxy is the orthogonal part.
Orthogonal contribution: inference.local via the OpenShell gateway keeps API keys host-side — secrets physically cannot exist in the sandbox. Nobody else ships this.

NemoClaw in one sentence: It wraps OpenClaw inside NVIDIA OpenShell (Landlock + seccomp + network namespaces — the isolation boundary), then runs a transparent inference-routing proxy: the agent calls inference.local, the OpenShell gateway intercepts before the packet leaves the sandbox, injects the real credential host-side, and forwards to Nemotron — so the agent holds no credentials. The kernel mechanisms isolate; the inference proxy is the part nobody else has.

Agent context

Source at /workspace/web/agents/refs-nemoclaw/ (github.com/NVIDIA/NemoClaw, alpha March 2026, Apache 2.0). ~9,300 LOC (TS + Python). Core isolation = NVIDIA OpenShell (separate closed-source project). Is a plugin for OpenClaw — not a standalone agent system. Adds: OpenShell sandbox (Landlock+seccomp+netns), transparent inference proxy (secrets never in sandbox), declarative network policy YAML, operator approval TUI for blocked egress, versioned blueprint with digest, migration+rollback of host OpenClaw into sandbox. Does NOT add: channels, memory, multi-group hierarchy, scheduling — all inherited from OpenClaw. Kanipi source at /workspace/web/agents/refs-kanipi/ (github.com/kronael/kanipi, TS, 13k src LOC). Kanipi channels: WhatsApp, Telegram, Discord, Email (IMAP/SMTP), Web SSE, Slink (HTTP+JWT), Bluesky, Facebook, Mastodon, Reddit, Twitter. Kanipi features: impulse batching, MIME pipeline (video/voice/whisper), auth (JWT+argon2+OAuth GitHub/Discord/Telegram), action registry, web-proxy with embedded sloth.js. See full feature-to-kanipi mapping in llm block at bottom of this page.