
NVIDIA Chose OpenClaw. Here's How We Secure It.

Drakon Systems · 22 March 2026 · 6 min read

This week, NVIDIA released NemoClaw — an open-source security wrapper built on top of OpenClaw. On their website, they described OpenClaw as "the operating system for personal AI."

That's not a throwaway line. NVIDIA doesn't build on ecosystems they don't believe in. This is institutional validation that agent runtimes are production infrastructure — and that security is no longer optional.

We've been building on OpenClaw since the beginning. NemoClaw is great news. But it also creates a question we want to answer directly: if NemoClaw secures OpenClaw, what does ShieldCortex add?

The answer matters. Because they protect completely different things.

What NemoClaw Actually Does

NemoClaw is an OS-level security wrapper for OpenClaw. Its focus is protecting your host machine from the agent. That's an important and underserved problem, and NVIDIA has attacked it properly.

Under the hood, NemoClaw delivers:

  • Sandbox isolation via NVIDIA OpenShell — Agents run in a hardened execution environment, separated from the host OS
  • Landlock + seccomp — Kernel-level filesystem and syscall restriction. The agent literally cannot access paths or make calls outside its allowed profile
  • Network namespace isolation — Egress is policy-controlled. You decide what the agent can call and what it can't
  • Inference routing — Built-in routing to NVIDIA cloud inference (Nemotron models) or local inference, with policy controls around which models agents can use

This is serious systems work. Landlock and seccomp don't lie — they enforce at the kernel level. A sandboxed agent running under NemoClaw genuinely cannot exfiltrate data through unapproved network paths or write to protected filesystem locations.

NemoClaw is the walls and locks on your building. Solid engineering. Recommended for any production OpenClaw deployment.

What NemoClaw Doesn't Do

Here's where the architecture matters. NemoClaw operates at the OS and network layer. It secures the environment the agent runs in — not the agent itself.

That leaves a different attack surface completely open:

  • Prompt injection — Malicious instructions embedded in content the agent reads (emails, documents, web pages, tool outputs) pass through NemoClaw's sandbox untouched. The sandbox doesn't inspect LLM inputs.
  • Memory poisoning — If an attacker can write to your agent's persistent memory — through injected content, a compromised tool, or a malicious document — NemoClaw doesn't catch it. Sandboxes don't audit what agents remember.
  • Behaviour control — A sandboxed agent can still take harmful actions within its allowed permissions. NemoClaw restricts syscalls and network paths; it doesn't control what tasks the agent decides to perform.
  • Credential leakage into memory — If an agent reads a file containing an API key and stores it in memory, NemoClaw doesn't flag it. Sensitivity detection isn't an OS-layer problem.

This isn't a criticism of NemoClaw — these problems are genuinely out of scope for an OS-level sandbox. They're a different layer of the stack. NemoClaw protects the box. It doesn't protect the brain.

Where ShieldCortex Fits

ShieldCortex operates at the agent layer — inside the runtime, not beneath it. Our job is to protect the agent itself from attacks that reach it through its inputs, its memory, and its decision-making.

The three pillars:

1. 6-Layer Defence Pipeline
Every piece of content entering agent memory passes through six scanning stages: prompt injection detection, encoded payload analysis, fragmentation attack identification, credential and PII sensitivity detection, trust scoring by source, and context manipulation detection. Threats are flagged or blocked before they reach storage.

2. Iron Dome — Behaviour Control
Iron Dome defines what actions your agent is allowed to take. Even if an attacker poisons the agent's context with instructions to exfiltrate data or modify infrastructure, Iron Dome blocks the action at execution. Policy-driven. Audited. Your rules, enforced.

3. Full Audit Trail
Every memory write, every action taken, every policy decision — logged with timestamps, source attribution, and reasoning. When something goes wrong, you know exactly what happened and why.

These layers sit inside OpenClaw, above the NemoClaw sandbox. They don't conflict — they complement.
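An added illustration of the two agent-layer gates the pillars above describe: a scan over content bound for memory (injection patterns, decoding of encoded payloads, reassembly of fragments, credential detection, trust by source) and a policy check at action time that also records an audit entry. This is example code written for this post, not ShieldCortex's implementation; the patterns, trust scores, source names and action names are constructed.

```python
import base64
import re

# Constructed patterns for the illustration; a real scanner would use far richer ones.
INJECTION = re.compile(r"ignore (all )?previous instructions|disregard your system prompt", re.I)
CREDENTIAL = re.compile(r"AKIA[0-9A-Z]{16}|-----BEGIN [A-Z ]*PRIVATE KEY-----")
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
# Trust scoring by source: operator input outranks content pulled from email or the web.
SOURCE_TRUST = {"operator": 1.0, "tool": 0.6, "email": 0.3, "web": 0.2}


def _decoded_views(text):
    """Encoded payload analysis: decode base64-looking runs so hidden text is scanned too."""
    views = []
    for m in B64_BLOB.finditer(text):
        try:
            views.append(base64.b64decode(m.group(0), validate=True).decode("utf-8", "ignore"))
        except (ValueError, UnicodeDecodeError):
            pass
    return views


def scan_memory_write(text, source, recent=()):
    """Gate one write to agent memory. `recent` holds earlier fragments from the same source,
    so an instruction split across writes is reassembled before matching.
    Returns (decision, findings) with decision in {'allow', 'flag', 'block'}."""
    findings = []
    views = [text] + _decoded_views(text)
    if any(INJECTION.search(v) for v in views):
        findings.append("prompt_injection")
    elif INJECTION.search(" ".join(recent) + " " + text):
        findings.append("fragmented_injection")
    if any(CREDENTIAL.search(v) for v in views):
        findings.append("credential")
    if SOURCE_TRUST.get(source, 0.0) < 0.5:
        findings.append("low_trust_source")
    if any(f != "low_trust_source" for f in findings):
        return "block", findings
    return ("flag" if findings else "allow"), findings


# Action gate: the operator's allowlist decides what the agent may do, and actions that
# move data out additionally require that every source behind the request is trusted.
ALLOWED_ACTIONS = {"read_file", "search_web", "send_email"}
EGRESS_ACTIONS = {"send_email"}
AUDIT = []  # every decision is recorded with its context for later review


def enforce_action(action, context_sources):
    reason = "allowed"
    if action not in ALLOWED_ACTIONS:
        reason = "not in policy"
    elif action in EGRESS_ACTIONS and min((SOURCE_TRUST.get(s, 0.0) for s in context_sources), default=1.0) < 0.5:
        reason = "egress under low-trust context"
    AUDIT.append({"action": action, "sources": list(context_sources), "decision": reason})
    return reason == "allowed"
```

The base64 run in the sample input decodes to an injection phrase, which is why encoded payload analysis feeds the injection check rather than running beside it.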

The Full-Stack Picture

Think of a modern building. You need both:

The complete agent security stack (diagram):
  • Your AI: application layer, the thing you're actually protecting
  • ShieldCortex: agent layer, the security guard, memory scanner and behaviour policy
  • NemoClaw: OS layer, the walls, locks and network perimeter

Walls and locks stop threats from getting in. The security guard watches what happens inside. You need both. A bank with steel-reinforced walls and no guards is still vulnerable. A bank with excellent guards and no walls is asking for it.

The same logic applies to AI agents. NemoClaw + ShieldCortex is full-stack agent security. Either alone leaves a gap.

Why This Moment Matters

NVIDIA doesn't build enterprise security products for hobbies. NemoClaw's existence signals something important: AI agents are being deployed in environments where security failures have real consequences.

The attack surface is growing faster than defences. Agents are being granted broader permissions, longer memory windows, access to more sensitive systems. Meanwhile, prompt injection and memory poisoning attacks are getting more sophisticated — and more targeted.

OS-level sandboxing is a necessary foundation. But the most dangerous attacks against AI agents don't come through the filesystem or the network. They come through the content the agent trusts. A document the agent reads. A tool result it stores. An email it processes. Attacks that look, to the OS, exactly like normal operation.

That's the problem ShieldCortex was built to solve.

Get Started

If you're running NemoClaw, adding ShieldCortex takes minutes. The core defence pipeline is open source.

# Node / npm
npm install -g shieldcortex
# Python
pip install shieldcortex

ShieldCortex integrates natively with OpenClaw's plugin system. Drop it in alongside NemoClaw — no configuration conflicts, no additional infrastructure required.

Secure the full stack.

NemoClaw handles the OS. ShieldCortex handles the agent. Together, you're covered.

ShieldCortex is open source under the MIT licence. Built by Drakon Systems.