# NemoClaw — Secure Agent Execution on NVIDIA Infrastructure > Run AI coding agents like Hermes and OpenClaw inside NVIDIA OpenShell with managed inference, hardware-backed isolation, and enterprise-grade security guardrails. ## Install Save as a script file and run: # NemoClaw — Secure Agent Execution on NVIDIA Infrastructure ## Quick Use ```bash # Install NemoClaw CLI npm install -g @nvidia/nemoclaw # Initialize a workspace with managed inference nemoclaw init --runtime openshell --model nemo-72b # Run an agent session inside the secure sandbox nemoclaw run --agent hermes --task "refactor auth module" ``` ## Introduction NemoClaw bridges the gap between powerful AI coding agents and enterprise security requirements. It wraps agents such as Hermes and OpenClaw in NVIDIA OpenShell containers with managed inference endpoints, giving teams GPU-accelerated agent execution without exposing raw model access or credentials to the agent process. ## What NemoClaw Does - Runs AI coding agents inside hardware-isolated OpenShell sandboxes - Provides managed NVIDIA inference so agents never touch API keys directly - Enforces configurable security policies on file system and network access - Supports multi-agent orchestration with resource quotas per agent - Integrates with existing CI/CD pipelines for automated code tasks ## Architecture Overview NemoClaw consists of a lightweight CLI that communicates with the NemoClaw daemon. The daemon provisions OpenShell containers on the host GPU, mounts the project workspace read-write, and proxies inference requests through a local sidecar that holds credentials. A policy engine evaluates every tool call against a YAML ruleset before execution, blocking disallowed operations. Telemetry streams to a local dashboard or Prometheus endpoint. ## Self-Hosting & Configuration - Requires an NVIDIA GPU with CUDA 12+ and the OpenShell runtime installed - Configure `nemoclaw.yaml` at project root for agent selection, model, and policies - Set `NEMOCLAW_LICENSE` env var for enterprise features; community tier is free - Supports Docker Compose deployment for multi-node GPU clusters - Integrates with Vault or SOPS for secrets injection into agent sessions ## Key Features - Hardware-backed sandbox isolation prevents agent escape - Zero-credential agent execution via managed inference proxy - Policy-as-code with auditable logs of every tool invocation - Hot-swap between NVIDIA NeMo models without restarting sessions - Built-in cost tracking and token budgets per agent run ## Comparison with Similar Tools - **E2B** — cloud-only sandboxes; NemoClaw runs on your own GPUs - **Daytona** — general dev environments; NemoClaw is purpose-built for agent security - **microsandbox** — lightweight microVMs; NemoClaw adds managed inference and policy engine - **Docker** — no inference integration or agent-aware policy enforcement ## FAQ **Q: Do I need NVIDIA hardware to use NemoClaw?** A: Yes, NemoClaw requires an NVIDIA GPU with CUDA 12+ for both inference and the OpenShell runtime. **Q: Which agents does NemoClaw support?** A: It ships with first-class support for Hermes and OpenClaw, and any agent that speaks the standard tool-use protocol can be adapted via a thin wrapper. **Q: Is there a cloud-hosted option?** A: NVIDIA offers managed NemoClaw through DGX Cloud for teams that prefer not to self-host. **Q: How does the policy engine work?** A: Policies are YAML files that whitelist or blacklist file paths, network destinations, and shell commands. Every tool call is evaluated before execution. ## Sources - https://github.com/NVIDIA/NemoClaw - https://developer.nvidia.com/openshell --- Source: https://tokrepo.com/en/workflows/asset-41e51aaf Author: Script Depot