
NVIDIA's NemoClaw at GTC 2026: OpenClaw Gets Enterprise Security, But Is It Enough?

NVIDIA launched NemoClaw for OpenClaw at GTC 2026 but nine CVEs followed in four days. Here's what the enterprise security layer fixes and what it still can't.

Aastha Mishra
April 2, 2026

OpenClaw became the fastest-growing open-source project in GitHub history in under four months. At GTC 2026 in San Jose, NVIDIA CEO Jensen Huang answered the question the enterprise world had been asking: how do you actually deploy it safely? The answer is NemoClaw — and it is the first credible attempt to bridge the gap between a viral hobbyist tool and production-grade enterprise infrastructure. Whether it fully succeeds is a different question.


What You Need to Know

NVIDIA announced NemoClaw at GTC 2026, positioning it as an enterprise security and governance layer built on top of OpenClaw, the wildly popular open-source AI agent framework. The core upgrade is OpenShell, a runtime that enforces sandbox isolation, deny-by-default network access, and kernel-level policy controls — all the things OpenClaw never had out of the box.

For enterprise teams evaluating OpenClaw: NemoClaw is the most structurally serious attempt yet to make it safe enough to deploy — but it is still early alpha, and it does not solve governance, audit trails, or multi-tenant controls.

  • Deploy NemoClaw now if you are an enterprise developer already running OpenClaw pilots and need infrastructure-level containment.
  • Wait if you need compliance-grade audit logging, PII detection, or cross-system governance — NemoClaw does not provide those yet.
  • Skip both if you are in a regulated industry (finance, healthcare) without a dedicated security team to harden the deployment.

Background: What Is OpenClaw and Why Does It Matter?

To understand why NemoClaw matters, you need to understand how fast OpenClaw arrived.

OpenClaw was developed by Austrian developer Peter Steinberger and first published in November 2025 under the name Clawdbot. The software was derived from Clawd, an AI-based virtual assistant Steinberger had built, which was itself named after Anthropic's chatbot Claude. Within two months it was renamed twice — first to "Moltbot" on January 27, 2026, following trademark complaints by Anthropic, and then three days later to "OpenClaw."

OpenClaw accumulated 247,000+ GitHub stars and 47,700 forks in roughly 60 days. To put that in perspective, React — Facebook's UI library that powers half the modern web — took 10 years to reach comparable star counts. Some sources cite the total reaching 325,000+ stars by late March 2026, surpassing Linux's 30-year record on the platform.

At its core, OpenClaw is an autonomous AI agent designed to act as a kind of digital employee — always on, capable of managing emails and controlling web browsers to complete workflows, especially through messaging apps like WhatsApp or Telegram.

On February 14, 2026, Steinberger announced he was joining OpenAI, with OpenClaw moving to an open-source foundation to stay independent. The project's development pace has not slowed since the transition.

Then, on March 5, 2026, at the Morgan Stanley TMT Conference, Jensen Huang described OpenClaw as "probably the single most important release of software, probably ever." Eleven days later, NVIDIA backed that statement with code.


What NVIDIA Announced at GTC 2026

NemoClaw: The Enterprise Stack

NVIDIA's Agent Toolkit now includes NVIDIA OpenShell — an open-source runtime that enforces policy-based security, network, and privacy guardrails that make autonomous agents, or "claws," safer to deploy.

Jensen Huang framed the announcement directly: "OpenClaw opened the next frontier of AI to everyone and became the fastest-growing open source project in history. Mac and Windows are the operating systems for the personal computer. OpenClaw is the operating system for personal AI. This is the moment the industry has been waiting for — the beginning of a new renaissance in software."

NemoClaw consists of a TypeScript plugin for the OpenClaw CLI and a Python blueprint that orchestrates NVIDIA's OpenShell runtime. It adds kernel-level sandboxing, out-of-process policy enforcement, and privacy-aware model routing to OpenClaw deployments. It installs in a single command.

How OpenShell Actually Works

Layer | What It Does | What It Replaces
Kernel Sandbox | Isolates agent actions via Landlock, seccomp, and network namespaces | Default OpenClaw: full host OS access
Policy Engine | Evaluates every action out-of-process — filesystem, network, binaries | In-agent guardrails (easily bypassed)
Privacy Router | Keeps sensitive data on local Nemotron models; scrubs PII before cloud routing | No equivalent in base OpenClaw
Skill Verification | Vets community-contributed skills before installation | ClawHub open install with no vetting

The key design decision is that policy enforcement runs out-of-process — it executes outside the agent's address space, in a separate process that the agent cannot access, modify, or terminate. This is the architectural leap that separates NemoClaw from patching individual CVEs.

New Models: Nemotron 3

Alongside NemoClaw, NVIDIA released new open models tuned for agentic workloads:

The new open models for local agents are NVIDIA Nemotron 3 Nano 4B and Nemotron 3 Super 120B, shipped along with optimizations for Qwen 3.5 and Mistral Small 4. On PinchBench — a new benchmark for determining how well large language models perform with OpenClaw — Nemotron 3 Super scored 85.6%, making it the top open model in its class.

Nemotron 3 Super is a 120-billion-parameter open model with 12 billion active parameters, designed to run complex agentic AI systems. Nemotron 3 Nano 4B provides a compact, capable starting point for building agents and assistants locally on RTX AI PCs.

Both models run locally on NVIDIA DGX Spark and RTX PRO GPUs — which matters directly for the privacy router's local inference capability.

Partner Ecosystem

ServiceNow's Autonomous Workforce of AI Specialists is built on the ServiceNow AI Platform and leverages NVIDIA Agent Toolkit. Synopsys is building a multi-agent framework powered by its AgentEngineer technology for semiconductor and systems design.

The enterprise partner list also includes Cisco, CrowdStrike, Google, and Microsoft Security, all building OpenShell compatibility into their tooling. CrowdStrike has already released a Secure-by-Design AI Blueprint embedding Falcon into OpenShell.


The Security Context NemoClaw Is Responding To

Here is the part most GTC coverage skipped over.

NemoClaw was not announced in a vacuum. OpenClaw's explosive growth created an equally explosive security crisis — one that made enterprise deployment almost untenable without a significant infrastructure layer underneath it.

Between March 18 and March 21, 2026, nine CVEs were publicly disclosed for OpenClaw. One scored 9.9 out of 10 on the CVSS scale. Six were rated high severity, two medium, and one critical.

CVE-2026-25253 is a CVSS 8.8 vulnerability in OpenClaw that allowed one-click remote code execution via Cross-Site WebSocket Hijacking. Researchers found over 40,000 publicly exposed instances vulnerable to it.

Cisco's AI security research team tested a third-party OpenClaw skill and found it performed data exfiltration and prompt injection without user awareness. A subsequent disclosure confirmed that China restricted state-run enterprises and government agencies from running OpenClaw apps on office computers, citing security risks.

OpenClaw was designed as a personal AI assistant running on personal hardware, where the operator and user are the same person operating under direct supervision. In that context, permitting all tools by default and optimizing for capability over containment is a reasonable design choice. The problem emerged when enterprise teams deployed OpenClaw in multi-user, network-exposed environments without understanding what the default configuration permitted.

NemoClaw is a direct architectural response to that structural mismatch.


What NemoClaw Does Not Fix

This is the most important and underreported part of the GTC announcement.

As of the March 2026 early preview, NemoClaw provides no multi-tenant governance, no PII detection, no content safety guardrails, no compliance audit trails, and no cost attribution. It addresses the foundation. The governance layer remains an organizational challenge that no platform resolves on its own.

NemoClaw's intent verification operates per-action. It checks each individual tool call against the policy engine. But it does not track cumulative behavior across turns. A prompt injection that gradually shifts the agent's goal over 20 turns can slip through per-action checks because no single action looks suspicious. Only the trajectory is malicious.
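As an added illustration of the gap described above (this is example code, not NemoClaw's or OpenShell's policy engine), the following Python contrasts a per-action allow-list, which passes every call in a constructed trajectory, with a trajectory-level check that flags the same sequence because sensitive-looking reads are followed by an outbound post. Tool names, paths, hosts and the 20-turn window are assumptions chosen for the example.

```python
# Added example (not NemoClaw/OpenShell code): per-action policy vs trajectory policy.
from dataclasses import dataclass


@dataclass(frozen=True)
class ToolCall:
    turn: int
    tool: str    # assumed tool names: "fs.read", "net.post", "shell"
    target: str  # path, host or command (constructed sample values)


# Per-action policy: each call is judged on its own, with no memory of earlier turns.
ALLOWED_PATH_PREFIXES = ("/work/", "/tmp/")
ALLOWED_HOSTS = ("api.example.internal", "cdn.example.internal")


def per_action_allowed(call: ToolCall) -> bool:
    if call.tool == "fs.read":
        return call.target.startswith(ALLOWED_PATH_PREFIXES)
    if call.tool == "net.post":
        return call.target in ALLOWED_HOSTS
    return False  # deny-by-default for anything else, e.g. "shell"


# Trajectory policy: remember reads of sensitive-looking files and flag any later
# outbound post within the window, even though every step passed the check above.
SENSITIVE_MARKERS = ("secret", "token", ".env", "credentials")


def trajectory_findings(calls, window: int = 20) -> list[str]:
    findings = []
    tainted = []  # (turn, path) for reads that touched sensitive-looking files
    for call in calls:
        if call.tool == "fs.read" and any(m in call.target.lower() for m in SENSITIVE_MARKERS):
            tainted.append((call.turn, call.target))
        elif call.tool == "net.post":
            recent = [path for turn, path in tainted if call.turn - turn <= window]
            if recent:
                findings.append(f"turn {call.turn}: post to {call.target} after reading {recent}")
    return findings


# Constructed sample trajectory: each action is individually permitted by policy.
SAMPLE = [
    ToolCall(1, "fs.read", "/work/report.md"),
    ToolCall(5, "fs.read", "/work/.env"),
    ToolCall(9, "fs.read", "/work/config/token.txt"),
    ToolCall(18, "net.post", "api.example.internal"),
]


def evaluate(calls):
    return {
        "all_actions_allowed": all(per_action_allowed(c) for c in calls),
        "trajectory_findings": trajectory_findings(calls),
    }
```

Running `evaluate(SAMPLE)` reports every action as allowed while the trajectory check returns one finding; a trajectory of only innocuous reads followed by the same post returns none.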

Zahra Timsah, CEO of AI governance platform i-GENTIC AI, observed: "The missing piece is not tooling. It is control. Real developers building agentic systems want observability, policy enforcement, rollback, and audit trails. NemoClaw makes OpenClaw more usable from an infrastructure standpoint. But it does not solve governance, consistency, or cross-system reasoning. The real question is not 'Can agents run at the edge?' It is 'Can you trust what they do when no one is watching?'"

NemoClaw is the first serious attempt to address the vulnerabilities of autonomous, self-evolving AI agents. OpenClaw started as a hobby project and grew faster than anyone could govern it. Whether NemoClaw succeeds depends entirely on early adopter risk assessments, and it is too early to deliver a verdict.


NVIDIA's Larger Strategic Play

What Jensen Huang presented at GTC 2026 is more than just a software platform. It is an attempt to become for the era of autonomous AI agents what Windows was for the personal computer.

The analogy Huang drew at the keynote was deliberate and specific. "For the CEOs, the question is, what's your OpenClaw strategy? We need it. We all have a Linux strategy. We all needed to have an HTTP HTML strategy, which started the internet. We all needed to have a Kubernetes strategy, which made it possible for mobile cloud to happen."

Importantly, NemoClaw is hardware agnostic — it does not need to run on NVIDIA's own GPUs — and integrates with NeMo, NVIDIA's AI agent software suite. That is not altruism. It mirrors CUDA's strategy: build the open standard first, then capture the market through ecosystem gravity.

NVIDIA OpenShell is fully open source, which reads as an attempt to make it the gold standard for agentic claw security. The underlying hardware is not vendor-specific either. But developers will be attracted to NemoClaw not because it is objectively better, but because it runs faster on NVIDIA hardware and is easier to adopt if you are already in that ecosystem.


Who This Actually Affects

Enterprise developers already running OpenClaw pilots: NemoClaw is worth deploying now for the sandboxing alone. The ClawHub attack patterns that succeeded earlier — malicious skills executing arbitrary code with the user's full permissions — would hit a wall at the sandbox boundary under OpenShell. That is a meaningful structural improvement.

Security and compliance teams in regulated industries: Wait. NemoClaw is early alpha with no audit trails, no PII detection, and no multi-tenant controls. For security teams assessing OpenClaw deployments today, NemoClaw is worth monitoring but not yet a production recommendation.

Self-hosters and developers: Update to v2026.3.12 or later immediately. Bind the gateway to localhost; do not bind it to 0.0.0.0, which exposes it on every interface. And do not rely on the sandbox alone: until the sandbox inheritance fix for CVE-2026-32048 is verified in your version, assume sandboxed agents can escape.

Businesses evaluating the broader OpenClaw ecosystem: The NVIDIA announcement signals that OpenClaw is infrastructure, not a side project. The enterprise partner list — Cisco, CrowdStrike, Microsoft Security, Salesforce — confirms the tier-one ecosystem is forming. That reduces long-term adoption risk, even if immediate deployment risk remains real.


What to Watch Next

Three things will determine whether NemoClaw becomes enterprise infrastructure or stays a developer preview. First, security researchers will begin probing OpenShell for its own CVEs — expect disclosures within 60 days. Second, governance features (audit trails, PII detection, multi-tenant controls) need to ship before regulated industries can seriously evaluate the platform. Third, the PinchBench benchmark for OpenClaw agent performance is brand new; independent evaluation from Artificial Analysis or LMSYS-equivalent testing will be necessary before meaningful model comparisons are possible. NVIDIA's roadmap points toward production-ready orchestration, but no firm date has been committed.


Conclusion

NemoClaw is the right answer to a real and serious problem. OpenClaw grew from a weekend project into critical-path infrastructure faster than any security model could follow it, and wrapping it in NemoClaw structurally improves the threat model rather than simply patching individual vulnerabilities. But structurally improved is not the same as enterprise-ready. The governance layer, the compliance tooling, and the adversarial testing that builds institutional trust — none of that exists yet. If you are running OpenClaw, install NemoClaw. If you are evaluating OpenClaw for regulated enterprise use, set a 90-day review window and watch the CVE tracker.
