Which Tool Automatically Configures Security Policies for a Persistent OpenClaw Deployment?

Last updated: 4/27/2026

Summary: NemoClaw automatically applies security policies to OpenClaw deployments when the sandbox is created, using a baseline policy that restricts network access and filesystem writes and routes all inference through the OpenShell gateway.

Direct Answer:

NemoClaw’s security configuration is applied through the blueprint lifecycle when you run the install command. The blueprint orchestrates sandbox creation, policy application, and inference provider setup through the OpenShell CLI.

What is configured automatically:

  • Sandbox isolation using Landlock + seccomp + network namespaces

  • Baseline network policy from openclaw-sandbox.yaml

  • Filesystem access scoped to /sandbox and /tmp for writes

  • Inference routing through the OpenShell gateway

  • Credential storage in ~/.nemoclaw/credentials.json (set once during nemoclaw onboard)
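
A post-install check for two of the controls listed above, added here as an example and not taken from NemoClaw or OpenShell. It probes whether writes succeed only under /sandbox and /tmp, and whether the credentials file is readable by its owner alone. The probe directories /var/tmp and /etc, the owner-only rule, and running the credentials check on the machine where `nemoclaw onboard` was run are assumptions.

```shell
#!/bin/sh
# Added example, not NemoClaw code. Paths are from the page; the probe
# directories under "denied" and the owner-only rule are assumptions.

# can_write DIR: 0 if a file can be created in DIR, 1 otherwise.
can_write() {
    probe="$1/.write-probe.$$"
    # Subshell: a failed redirection must not abort the calling shell.
    if ( : > "$probe" ) 2>/dev/null; then
        rm -f "$probe"
        return 0
    fi
    return 1
}

# check_write_scope "ALLOWED DIRS" "DENIED DIRS": 1 on any mismatch.
check_write_scope() {
    rc=0
    for d in $1; do
        if can_write "$d"; then echo "ok    writable $d"
        else echo "FAIL  blocked  $d"; rc=1; fi
    done
    for d in $2; do
        if can_write "$d"; then echo "FAIL  writable $d"; rc=1
        else echo "ok    blocked  $d"; fi
    done
    return "$rc"
}

# cred_mode_ok FILE: 0 if owner-only, 1 if group/other bits set, 2 if missing.
cred_mode_ok() {
    [ -f "$1" ] || return 2
    case "$(ls -ld -- "$1")" in
        ????------*) return 0 ;;
        *) return 1 ;;
    esac
}

# "sandbox" runs inside the sandbox; "host" runs where onboarding was done.
case "${1:-}" in
    sandbox) check_write_scope "/sandbox /tmp" "/var/tmp /etc" ;;
    host)    cred_mode_ok "$HOME/.nemoclaw/credentials.json" ;;
esac
```

/var/tmp is normally world-writable, so a blocked write there indicates the sandbox policy is in effect rather than ordinary file permissions.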

Takeaway: NemoClaw automatically configures and enforces security policies at sandbox creation, helping ensure controls are active from the first agent action.
