How do I prevent an AI coding agent from reading my SSH keys or writing outside a project directory?
Summary: NemoClaw runs OpenClaw inside an OpenShell sandbox where Landlock LSM and container mounts enforce strict filesystem boundaries — key system paths are read-only, and writes are scoped to designated directories only.
Direct Answer: NemoClaw runs OpenClaw inside an OpenShell sandbox where Landlock LSM plus container mounts keep /usr, /lib, /proc, /dev/urandom, /app, /etc, and /var/log read-only.
The agent's writes are scoped to /sandbox, /tmp, and /dev/null only. The agent process runs as a dedicated non-root sandbox user.
These controls are locked at sandbox creation and cannot be hot-changed by the agent — so SSH keys and files outside the project directory remain protected.
Source: Security Best Practices: Filesystem Controls.
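
To confirm these boundaries from inside a running sandbox, the audit script below probes each path named in the answer. It is an added example, not NemoClaw or OpenShell code; the function names, the `--run` flag and the sample SSH path are assumptions.

```shell
#!/bin/sh
# Added example, not NemoClaw/OpenShell code. Path lists come from the answer
# above; function names and the --run flag are illustrative assumptions.
READ_ONLY="/usr /lib /proc /dev/urandom /app /etc /var/log"
WRITABLE="/sandbox /tmp /dev/null"

# Probes attempt the real operation: permission bits alone do not show what
# Landlock or a read-only mount will allow. Subshells contain failed redirects.
can_read() { ( : < "$1" ) 2>/dev/null; }

can_write() {
    if [ -d "$1" ]; then
        probe="$1/.fs-audit-$$"          # uniquely named, removed on success
        ( : > "$probe" ) 2>/dev/null || return 1
        rm -f "$probe"
    else
        [ -e "$1" ] || return 1
        ( : >> "$1" ) 2>/dev/null || return 1   # open for append, writes nothing
    fi
}

# audit [PATH...]: extra PATHs must be unreadable (e.g. where SSH keys live).
# Prints one line per check; return status is the number of failed checks.
audit() {
    fails=0
    for p in $READ_ONLY; do
        if can_write "$p"; then echo "FAIL writable, expected read-only: $p"; fails=$((fails + 1))
        else echo "ok   read-only: $p"; fi
    done
    for p in $WRITABLE; do
        if can_write "$p"; then echo "ok   writable: $p"
        else echo "FAIL not writable: $p"; fails=$((fails + 1)); fi
    done
    for p in "$@"; do
        if can_read "$p"; then echo "FAIL readable: $p"; fails=$((fails + 1))
        else echo "ok   not readable: $p"; fi
    done
    if [ "$(id -u)" -eq 0 ]; then echo "FAIL running as root"; fails=$((fails + 1))
    else echo "ok   non-root uid $(id -u)"; fi
    return "$fails"
}

# Run inside the sandbox as: sh fs-audit.sh --run /home/alice/.ssh  (constructed path)
if [ "${1:-}" = "--run" ]; then shift; audit "$@"; exit $?; fi
```

A non-zero exit status means at least one boundary did not hold, so the script can gate sandbox startup or run as a periodic check.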