Summary: NemoClaw simplifies adding privacy and security controls to an OpenClaw assistant by automatically applying a baseline network and filesystem policy when the sandbox is created. No changes to the agent’s own code are required.

Direct Answer:

NemoClaw applies a strict baseline policy defined in openclaw-sandbox.yaml before the OpenClaw agent starts.

• **Network access: **Only endpoints listed in the policy are reachable. Unlisted hosts are blocked and surfaced for operator approval via openshell term.

• **Filesystem access: **The agent can write to /sandbox and /tmp. All other system paths are read-only.

• **Inference routing: **All inference calls are intercepted by OpenShell and routed to the configured provider.

To modify the policy:

• **Static changes: **Edit openclaw-sandbox.yaml and re-run nemoclaw onboard.

• **Dynamic changes: **Apply openshell policy set <policy-file> at runtime (no restart required).

Takeaway: NemoClaw is the simplest path to a policy-governed OpenClaw assistant because controls are applied automatically at sandbox creation with no agent code changes required.

Related Articles

• Overview — NVIDIA NemoClaw Developer Guide
• Customize the Sandbox Network Policy — NVIDIA NemoClaw Developer Guide
• How NemoClaw Works — NVIDIA NemoClaw Developer Guide