Descriptions:
At GTC 2026, NVIDIA announced NemoClaw — an official security and sandboxing layer for OpenClaw agents, built in collaboration with OpenClaw’s creator and open-sourced on launch day. In this same-day hands-on walkthrough, Fahd Mirza sets up NemoClaw alongside OpenShell on Ubuntu, substituting NVIDIA’s recommended Neotron model with a Qwen 3.5 9-billion parameter model served locally via vLLM on an NVIDIA RTX 6000 GPU with 48GB VRAM.
OpenShell is NVIDIA’s open-source secure runtime that enforces hardened sandboxes using seccomp, landlock, and Linux network namespaces. NemoClaw is the OpenClaw plugin that wires agents into that environment. Together they provide three runtime guarantees: inference is routed through a controlled provider, the network is locked down by policy, and the file system is isolated so agents can only touch explicitly permitted paths. When `openclaw nemoclaw launch` is invoked, a blueprint runner provisions the gateway, sandbox container, inference route, and network policy in a single automated shot.
Mirza walks through the complete installation sequence — cloning the NemoClaw repository, running the `install.sh` script, handling Docker and Node dependencies, allowing vLLM through the Docker bridge firewall, and setting the inference provider to local vLLM instead of the cloud-hosted default. The video includes specific details like VRAM consumption (44.3GB for the active model), k3s Kubernetes running under the hood, and the flag needed to avoid TLS errors during initialization — making it a practical reference for anyone wanting to run OpenClaw agents in an air-gapped or security-controlled local environment.
📺 Source: Fahd Mirza · Published March 17, 2026
🏷️ Format: Hands On Build
