NVIDIA NemoClaw: Open Source Secure AI Agent Framework
NVIDIA's new open-source toolkit for enterprise AI agents puts a security sandbox around every autonomous action -- and it launched alongside a 550-billion-parameter model.
By Free AI News Editorial · 9 min read
Enterprise AI agents that can access files, execute code, browse the web, and spawn sub-agents are powerful -- and dangerous. The security community has spent two years pointing out that most open-source agent frameworks ship with almost no isolation: one compromised tool call can cascade into a full system breach. On May 31, 2026, NVIDIA answered that problem directly. At NVIDIA GTC Taipei 2026, the company unveiled NemoClaw, an open-source reference stack built from the ground up to run always-on AI agents in sandboxed environments. For developers who have been waiting for a production-grade, enterprise-safe way to deploy agents without paying for a closed platform, NemoClaw is the most complete free solution released to date.
What is NVIDIA NemoClaw and why does it matter?
NemoClaw is an open-source reference stack for running AI agents more safely inside NVIDIA OpenShell sandboxes. The name blends NeMo (NVIDIA's deep-learning framework lineage) with "claw" -- a nod to the OpenClaw agent it ships with by default. But the technology is anything but metaphorical. NemoClaw sits as a thin security and orchestration layer between the agent's reasoning loop and the host machine, enforcing network policies, managing memory, controlling inference routing, and providing lifecycle hooks so the agent can be paused, audited, or terminated cleanly.
Why does this matter? Because the three biggest blockers to enterprise AI agent adoption have consistently been security, predictability, and cost. Most developers who try to self-host an agent framework find themselves patching together Docker configs, firewall rules, and custom middleware just to get basic isolation. NemoClaw replaces that fragile DIY stack with a single opinionated blueprint that has been designed by the same team that builds NVIDIA's data center infrastructure. According to Open Source For You, Jensen Huang described the goal plainly: "NemoClaw provides enterprise software developers with the open building blocks to create more secure, long-running AI coworkers that amplify human expertise as they reshape how work gets done."
What does the full NemoClaw Agent Toolkit include?
NemoClaw is the security core, but NVIDIA shipped it as part of a broader Agent Toolkit announced at GTC Taipei. The four main components are:
NemoClaw Framework
The open-source orchestration core. Handles planning, reasoning, execution, delegation, memory management, and context preservation for long-running agents.
OpenShell Secure Runtime
A containerized sandbox built with Microsoft, Canonical, and Red Hat. Enforces security controls, masks sensitive data, and supports local-only execution. Currently in preview.
CUDA-X Agent Skills
Plug-and-play capability modules for data analytics, optimization, enterprise research, governance, scientific simulation, and quantum computing. Available now.
Nemotron 3 Ultra
A 550-billion-parameter mixture-of-experts model tuned for long-running agents. Claims 5x faster inference and 30% lower cost than comparable models. Launching June 4, 2026.
Of these four, NemoClaw and CUDA-X Agent Skills are available for free right now on GitHub. OpenShell is in a free preview that developers can join. Nemotron 3 Ultra is the only commercial component, and it is not required to run NemoClaw -- you can route inference to any supported provider through the framework's modular inference layer.
For more context on how NVIDIA's physical AI strategy fits into the broader open-source landscape, see our open-source AI tracker.
How does OpenShell Secure Runtime actually protect AI agents?
OpenShell is the part of the toolkit that answers the hardest security questions. It is a containerized execution environment co-developed by NVIDIA with Microsoft, Canonical, and Red Hat -- three of the biggest names in enterprise Linux infrastructure. The runtime provides several distinct protection layers:
- Custom security controls -- Operators can define exactly which filesystem paths, network endpoints, and system calls an agent is permitted to access, with deny-by-default policies for everything else.
- Privacy protection and sensitive-data masking -- OpenShell can redact or tokenize specified data patterns before they ever reach the model, which is critical for regulated industries like healthcare and finance.
- Local-only execution mode -- For workloads that cannot leave the building, OpenShell supports air-gapped inference where no data exits the host machine.
- Network policy enforcement -- Agents are given an explicit allowlist of outbound connections. Any connection attempt outside that list is blocked and logged.
- Lifecycle management -- NemoClaw's CLI lets operators pause, inspect, checkpoint, and cleanly terminate agent processes without losing state.
This combination addresses the most common enterprise objection to deploying autonomous agents: the fear that a single prompt injection or hallucinated tool call could exfiltrate data, corrupt a codebase, or create unauthorized compute costs. According to the official NVIDIA press release, OpenShell was specifically designed for organizations that need agents to operate with sensitive files and autonomous code execution in production.
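An added illustration of the deny-by-default outbound allowlist with block-and-log behaviour described above. It is not NemoClaw or OpenShell code or configuration; the hostnames, the `check_egress` function and the `*.` wildcard convention are assumptions made for this example.

```python
import logging
from urllib.parse import urlsplit

log = logging.getLogger("egress-policy")

# Constructed allowlist (hypothetical hosts): (host pattern, port).
# A leading "*." matches subdomains only, never the bare domain.
ALLOWLIST = {("api.inference.example", 443), ("*.pkg.example", 443)}

def check_egress(url, allowlist=ALLOWLIST):
    """Return (allowed, reason). Anything not explicitly matched is denied."""
    try:
        parts = urlsplit(url)
        if parts.scheme != "https":
            return _deny(url, "scheme not https")
        if not parts.hostname:
            return _deny(url, "no host")
        # Normalise: drop the root dot, IDNA-encode so comparison is ASCII-only.
        host = parts.hostname.rstrip(".").encode("idna").decode("ascii").lower()
        port = 443 if parts.port is None else parts.port
    except ValueError as exc:  # bad port or label (UnicodeError is a ValueError)
        return _deny(url, f"unparseable: {exc}")
    for pattern, allowed_port in allowlist:
        if port != allowed_port:
            continue
        if pattern.startswith("*."):
            # Compare against ".pkg.example" so "evilpkg.example" cannot match.
            if host.endswith(pattern[1:]):
                return True, f"matched {pattern}"
        elif host == pattern:
            return True, f"matched {pattern}"
    return _deny(url, "not on allowlist")

def _deny(url, reason):
    # Every denial is logged, giving operators an audit trail of blocked attempts.
    log.warning("egress DENY url=%r reason=%s", url, reason)
    return False, reason
```

This is only the policy decision; the blocking itself has to happen at the sandbox's network layer, where an agent cannot bypass it by opening a socket directly.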
Which AI agents does NemoClaw support today?
At launch, NemoClaw supports two agents. OpenClaw is the default and ships built-in -- it is the same agent powering the OpenClaw AI platform. Hermes from Nous Research is the second supported agent, installed by setting the NEMOCLAW_AGENT=hermes environment variable before running the installer (or by using the nemohermes alias after installation). Each agent gets its own quickstart guide in the official NemoClaw documentation.
The architecture is designed to be extensible. The GitHub repository includes a contributing guide and a Discord server for developers building support for additional agents. The key requirement for any new agent is compatibility with NVIDIA OpenShell's sandbox API -- essentially, the agent's tool-calling layer needs to pass calls through the managed inference router rather than making direct API calls. This constraint is also the source of NemoClaw's security guarantee: because all inference flows through the router, NVIDIA can enforce rate limits, audit logs, and credential management at the framework level.
If you are evaluating AI agents for self-hosting, our deep dive on Hermes covers its capabilities in detail. You can also compare open-source options on our free vs paid AI compare page.
How do CUDA-X Agent Skills unlock physical AI workflows?
The release of NemoClaw came bundled with a separate but related announcement: NVIDIA open-sourced a major collection of physical AI skills as part of the broader Agent Toolkit. These CUDA-X Agent Skills cover the full NVIDIA physical AI stack -- Cosmos for physical world modeling, Omniverse for simulation and digital twins, Isaac for robotics, Metropolis for vision AI, Alpamayo for autonomous vehicles, and Jetson for edge AI. Each skill packages a complex NVIDIA library workflow into repeatable agent-executable instructions so that a coding agent can invoke them directly without hand-coding the integration.
The practical implication is significant. Before CUDA-X Agent Skills, a developer building a robot simulation pipeline would need to manually wire together Isaac, Omniverse, and custom evaluation scripts. Now an agent running inside NemoClaw can call a skill, receive structured outputs, and chain them into the next step of a pipeline -- all within the security boundaries enforced by OpenShell. According to TechGenyz, the announcement was received strongly by enterprise partners already using NVIDIA's physical AI infrastructure: Agile Robots, Cadence, Dassault Systemes, Delta Electronics, Foxconn, Pegatron, PTC, Siemens, Synopsys, and TSMC were all named in the release as companies actively using the tools to accelerate physical AI development.
How does NemoClaw compare to other open-source agent frameworks?
The open-source agent landscape in 2026 is crowded, but NemoClaw occupies a different niche than most of the popular frameworks. Here is how it stacks up on the dimensions that matter for enterprise deployment:
- vs. LangChain / LangGraph -- LangChain is a general-purpose orchestration library. It has no built-in sandbox, no network policy enforcement, and no lifecycle management beyond what you build yourself. NemoClaw trades flexibility for safety -- if you need enterprise security guarantees, NemoClaw has them; if you need maximum customization, LangChain still wins.
- vs. Microsoft Windows Agent Framework (WAF) -- WAF (open-sourced under MIT at Build 2026) focuses on Windows-native agent lifecycle on the desktop. NemoClaw targets server and cloud deployments, with GPU-accelerated inference and physical AI integrations that WAF does not offer. The two are complementary rather than competing.
- vs. AutoGPT -- AutoGPT pioneered autonomous agents but has evolved into a platform with a visual builder and marketplace. NemoClaw is a lower-level infrastructure component -- it does not include a no-code UI, but it runs inside hardened sandboxes that AutoGPT does not provide.
- vs. LocalAI -- LocalAI is focused on running model inference locally without a cloud dependency. NemoClaw is focused on running agents safely, and it includes inference routing rather than inference itself. They can be combined: LocalAI as the inference backend, NemoClaw as the agent security layer.
The most accurate way to think about NemoClaw is as infrastructure for agents rather than an agent framework in the traditional sense. It answers the question "how do I run an agent safely in production?" rather than "how do I build an agent?" That is a gap that existing frameworks have largely left open, and it is where NemoClaw is most differentiated. You can track how this fits into the broader open-source model landscape on our open-source AI hub.
Key Takeaways
- NVIDIA NemoClaw is free and open source, available now on GitHub, and provides a hardened security sandbox for running AI agents in production without building your own isolation infrastructure.
- The framework supports OpenClaw and Hermes at launch, with a modular architecture designed to add more agents as the community contributes -- no vendor lock-in required.
- OpenShell Secure Runtime, co-built with Microsoft, Canonical, and Red Hat, enforces network policies, sensitive-data masking, and local-only execution -- directly addressing the top enterprise blockers to AI agent adoption.
- CUDA-X Agent Skills open-source NVIDIA's physical AI stack (Cosmos, Omniverse, Isaac, Metropolis, Alpamayo, Jetson) as agent-callable tools, enabling robotics and autonomous vehicle pipelines without manual integration code.
- Nemotron 3 Ultra, a companion 550-billion-parameter model launching June 4, 2026, promises 5x faster inference and 30% lower costs for long-running agent workloads -- though it is optional and not required to use NemoClaw.
Frequently Asked Questions
What is NVIDIA NemoClaw?
NVIDIA NemoClaw is a free, open-source reference stack that lets developers run always-on AI agents securely inside NVIDIA OpenShell sandboxes. It provides guided onboarding, a hardened security blueprint, routed inference, network policy enforcement, and full lifecycle management through a single CLI. It was announced at NVIDIA GTC Taipei 2026 and is available on GitHub.
Is NemoClaw free to use?
Yes. NemoClaw is open source and free to download from GitHub. The core framework, CUDA-X Agent Skills, and documentation are all publicly available at no cost. OpenShell Secure Runtime is currently in a free preview. Nemotron 3 Ultra, the companion 550-billion-parameter model, is a separate commercial product launching June 4, 2026 -- but it is not required to run NemoClaw.
Which AI agents does NemoClaw support?
NemoClaw currently supports two agents: OpenClaw (the default) and Hermes from Nous Research. You select your agent at install time by setting the NEMOCLAW_AGENT environment variable. The framework is designed to be extensible, and the GitHub repo accepts community contributions for new agent integrations.
What is CUDA-X Agent Skills?
CUDA-X Agent Skills are plug-and-play capability modules released alongside NemoClaw. Each skill packages a specific workflow -- data analytics, optimization, enterprise research, governance, scientific simulation, or quantum computing -- into repeatable agent-executable instructions. Agents call these skills directly through NemoClaw's inference router, eliminating the need to hand-code every NVIDIA library integration from scratch.
How does NemoClaw differ from LangChain or AutoGPT?
LangChain and AutoGPT focus on orchestrating model calls and building agent behaviors. NemoClaw adds a security and infrastructure layer on top: sandboxed execution, network policy enforcement, sensitive-data masking, and lifecycle management for long-running production agents. It is specifically built for environments where agents autonomously access files, modify code, and spawn sub-agents at enterprise scale.
When does Nemotron 3 Ultra launch?
Nemotron 3 Ultra, NVIDIA's 550-billion-parameter mixture-of-experts model designed for long-running autonomous agents, is scheduled to launch on June 4, 2026. NVIDIA claims it delivers up to five times faster inference and 30 percent lower operating costs compared to similarly capable models. It is optional -- NemoClaw routes to any supported inference provider.