Nvidia's NemoClaw Adds Security and Privacy Features for AI Agents. Is It Enough?
Nvidia called NemoClaw a reference security stack for OpenClaw. Three independent security researchers think that is not enough.
NemoClaw dropped at GTC 2026 on March 16, announced by Jensen Huang as a one-command install that wraps sandbox isolation, policy guardrails, and a privacy router for cloud tool access around OpenClaw, the autonomous agent platform Nvidia has described as the operating system for personal AI. Cisco followed two weeks later with DefenseClaw, an open-source operational layer released March 27 on GitHub under Apache 2.0. Both products exist because something broke — and the something that broke was OpenClaw itself.
Five CVEs disclosed in 2026. A supply chain attack that planted over 800 malicious skills in ClawHub, roughly 20 percent of the entire registry. Over 135,000 OpenClaw instances exposed on the public internet across 82 countries. Meta banned OpenClaw from corporate machines. Microsoft advised against running it on workstations. This is the security crisis NemoClaw and DefenseClaw are designed to address — and the question is whether either actually closes the gap.
Melissa Bischoping, senior director of security and product design research at Tanium, a cybersecurity firm, called NemoClaw a positive sign but was direct about what it does not solve. "My hope is that Nvidia bakes in robust privacy and safety measures to enable adoption of, and innovation with, their agent while providing guardrails to protect users and their data," she told CNET. That is the hope. The question is whether the architecture delivers it.
The architectural split
The security community's critique of NemoClaw tracks a specific architectural problem: NemoClaw governance is application-layer governance, as a Traefik analysis notes, and its guards operate inside the agent runtime, coupled with the agent itself. Inference calls, MCP invocations, and management API calls each need independent enforcement points — and application-layer governance cannot provide them all.
The contrast is OpenShell. Nvidia released OpenShell alongside or as part of the NemoClaw stack, and it is the more interesting piece technically. OpenShell enforces constraints on the environment the agent runs in — meaning the agent cannot override them, even if compromised. It uses Landlock, a Linux kernel security framework, to create ephemeral sandboxes with unprivileged process identities, and Seccomp to block raw socket creation, preventing an agent from bypassing the network proxy. A compromised agent can still misbehave within its sandbox, but it cannot escape the sandbox. That is the difference between NemoClaw and OpenShell: one is a reference configuration, the other is the enforcement layer.
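To make the seccomp half of that enforcement concrete, here is an added illustration (not OpenShell's or Nvidia's code; OpenShell's actual filter rules are not published on this page) of a seccomp-BPF filter that lets a process keep creating ordinary sockets while denying the SOCK_RAW and AF_PACKET sockets that could be used to talk past a userspace proxy. It assumes Linux on x86_64 or aarch64, and the EACCES return value is an arbitrary choice made here so a test can tell the filter's denial apart from the kernel's own CAP_NET_RAW check (which returns EPERM).

```c
#include <errno.h>
#include <stddef.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#if defined(__x86_64__)
#define ARCH_NR AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define ARCH_NR AUDIT_ARCH_AARCH64
#else
#error "example supports x86_64 and aarch64 only"
#endif

/* Deny socket(2) calls that would create SOCK_RAW or AF_PACKET sockets
 * (the ones that can bypass a userspace proxy); allow every other syscall.
 * Returns 0 on success, -1 (errno set) if the kernel refuses the filter.
 * Filter rules are an illustration, not OpenShell's actual policy. */
int install_no_raw_socket_filter(void) {
    struct sock_filter f[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),                /* wrong ABI: kill */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_socket, 0, 6),      /* not socket(): allow */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[0])), /* domain, low 32 bits (little-endian) */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AF_PACKET, 3, 0),        /* AF_PACKET: deny */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[1])), /* type */
        BPF_STMT(BPF_ALU | BPF_AND | BPF_K, 0xf),                     /* strip SOCK_CLOEXEC/SOCK_NONBLOCK */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SOCK_RAW, 0, 1),         /* SOCK_RAW: deny */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EACCES & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = sizeof f / sizeof f[0], .filter = f };
    /* NO_NEW_PRIVS is required for an unprivileged process to load a filter,
     * and it also stops the sandboxed agent from regaining privilege via setuid execs. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) == 0 ? 0 : -1;
}

/* Probe: try to create a socket; returns 0 on success, -errno on failure. */
int try_socket(int domain, int type) {
    int fd = socket(domain, type, 0);
    if (fd < 0) return -errno;
    close(fd);
    return 0;
}
```

After `install_no_raw_socket_filter()` returns 0, `try_socket(AF_INET, SOCK_STREAM)` still returns 0 while `try_socket(AF_INET, SOCK_RAW)` and `try_socket(AF_PACKET, SOCK_DGRAM)` return -EACCES; the filter is inherited by every child the agent spawns, which is what makes it an environment-level constraint rather than an in-process one.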
Karthik Ranganathan, CEO of Yugabyte, a distributed database company, put the limitation plainly. NemoClaw runs the agent in a sandbox and network traffic can be tracked and inspected, but it does not address the nightmare scenario of an agent deleting emails without warning. That is behavioral policy, not infrastructure. Ranganathan is identifying the gap between what sandboxing handles and what governance handles — a distinction that matters at scale.
Rens Troost, CTO at Rational Exponent, a security research firm, gave the most quoted assessment of NemoClaw: it is a significant advancement over OpenClaw, but a significant advancement over OpenClaw is a low bar. He is right in a specific, technical sense. OpenClaw's security model was minimal by design — it was built to ship fast and iterate. NemoClaw adds real constraints. But constraints enforced inside the process you are trying to constrain are only as strong as the process itself.
The operational layer
Cisco's DefenseClaw takes a different approach. Rather than replacing OpenClaw's security model, it wraps five open-source scanning tools — skill-scanner, mcp-scanner, a2a-scanner, CodeGuard, and AI BoM — into a single CLI with a Splunk connector. The Cisco blog is unusually honest about what this is: "OpenShell gives you the sandbox. Cisco gives you the scanners. But who manages the block lists?" DefenseClaw is the answer to that question — an operational layer on top of OpenShell's enforcement. When you block an MCP server, DefenseClaw removes the endpoint from the sandbox network allow-list and OpenShell denies all connections to it. Cisco says this happens in under two seconds with no restart required.
DJ Sampath, Cisco's senior vice president of AI and software platforms, wrote on the Cisco blog that he runs OpenClaw at home. Within three weeks of OpenClaw going viral in November 2025, the first critical CVE dropped — CVE-2026-25253, a critical one-click remote code execution vulnerability with a CVSS score of 8.8, enabling auth token theft. Four more CVEs followed in 2026: a Windows command injection flaw (CVSS 7.8), a macOS remote code execution vulnerability, a race condition (CVSS 6.6), and an approval bypass (CVSS 5.7). The ClawHavoc supply chain attack, which planted malicious skills in ClawHub, is the supply-chain complement to the code-execution vulnerabilities — a different attack surface, but the same root problem.
Cisco's own survey data is relevant here, even as a commissioned study. In a recent Cisco survey of major enterprise customers, 85 percent were experimenting with AI agents but only 5 percent had moved them into production. And nearly 60 percent of security leaders view security concerns as the primary barrier to broader agentic AI adoption, according to a Cisco Security Advisory Board post on the agent trust gap. The gap between experimentation and deployment is not a hype problem — it is a trust problem, and the trust gap is grounded in exactly the vulnerabilities Cisco is trying to address.
What NemoClaw does and does not fix
NemoClaw is currently described as an early-stage alpha release — Nvidia itself says to expect rough edges. The one-command install is real, the sandbox isolation is real, and the OpenShell enforcement underneath it is architecturally sound. What it does not provide is behavioral policy — rules about what the agent is allowed to do with the access it has, not just constraints on what it can access. That is the gap Ranganathan identified, and it is the gap that sandboxing alone cannot close.
Three security researchers — Bischoping, Ranganathan, and Troost — looked at the same architecture and reached the same conclusion independently. That is worth noting. The convergence is not about any one product failing; it is about the architecture of in-process enforcement having a ceiling. OpenShell's out-of-process model is the response to that ceiling. NemoClaw is a reference configuration that sits on top of it.
DefenseClaw is the more complete enterprise story in the near term — the operational layer, the scanners, the sub-two-second block-list propagation. But it inherits OpenShell's enforcement model too, which means it benefits from the architectural improvement even as it solves a different problem. Cisco is honest about this. Nvidia's reference config is honest about it. The question for enterprises is not which wrapper to choose — it is whether they are building on a foundation that can actually hold production workloads.
Meta banned OpenClaw. Microsoft said do not run it on workstations. Both companies have seen enough to make a categorical call. The rest of the industry is building toward the same conclusion from a different direction — with better sandboxes, faster block lists, and a more honest accounting of what agentic autonomy actually costs in security terms.
What to watch: whether OpenShell becomes a default isolation layer across cloud providers and agent frameworks, or whether it stays an opt-in component that requires explicit configuration. If it is the latter, the operational gap DefenseClaw is trying to close will keep reopening. The architecture is right. The question is whether anyone ships it as the default.