In just eight weeks, OpenClaw went from a one-hour side project to the most-starred repository in GitHub history — and triggered the largest AI agent security crisis on record. Then, on March 16, Nvidia stepped in. At its GTC 2026 keynote, CEO Jensen Huang announced NemoClaw, an enterprise security layer built directly on top of OpenClaw. The transition from OpenClaw to NemoClaw is the most important story in agentic AI right now, and it matters because the security problems NemoClaw is designed to solve are not edge cases. They are architectural — and they affect any organization that has deployed, or is considering deploying, autonomous AI agents.
What You Need to Know
OpenClaw is powerful, viral, and genuinely dangerous to run unmodified in any enterprise context. Over 1,184 malicious skills have been confirmed on ClawHub, roughly one in five packages in the ecosystem, with nine CVEs disclosed across multiple rounds including three with public exploit code enabling one-click remote code execution.
NemoClaw is Nvidia's answer: a single-command install that adds kernel-level sandboxing, policy enforcement, and a privacy router on top of OpenClaw. It is currently in early alpha, with no production benchmarks yet.
- Deploy NemoClaw immediately if you are running OpenClaw in any business environment.
- Stay on the latest patched OpenClaw release (v2026.2.26+) if NemoClaw is not yet suitable for your stack.
- Hold off on production deployment of any OpenClaw-based agent in regulated industries until NemoClaw exits alpha — targeted for Q3 2026.
- Skip unvetted ClawHub skills entirely until Nvidia's VirusTotal partnership delivers better marketplace vetting.
What OpenClaw Is and Why It Went Viral
OpenClaw is a viral open-source AI agent that runs locally, remembers context across conversations, and can take actions on your machine — connecting AI models with your local files and messaging apps like WhatsApp and Discord to automate tasks around the clock.
The software can access email accounts, calendars, messaging platforms, and other sensitive services. Users interact with it through familiar chat apps, not a new interface.
In January 2026, a solo developer launched the project. Within 72 hours, it had 60,000 GitHub stars. By March, it surpassed React to become one of the most-starred software projects on GitHub with 250,000+ stars.
The speed was driven by a specific promise: an AI agent that actually does things — not just answers questions. OpenAI acqui-hired its creator, Peter Steinberger, in February 2026, signaling that agent orchestration infrastructure is where the next competitive battleground sits.
The Security Crisis: What Went Wrong
OpenClaw's design philosophy prioritizes capability over containment. OpenClaw agents typically operate with broad system permissions, including terminal access and full disk access, so they can execute tasks on the user's behalf. That permission model is the entire point of the tool. It is also the entire problem.
The following table summarizes every major confirmed security incident, from launch through March 2026.
| Incident | Details | Source | Severity |
|---|---|---|---|
| CVE-2026-25253 (ClawJacked) | One-click remote code execution via WebSocket hijacking | SecurityScorecard / Endor Labs | CVSS 8.8 |
| Default network binding | Bound to 0.0.0.0:18789 (all interfaces) instead of 127.0.0.1 | SecurityScorecard | Critical |
| Exposed instances | 135,000 OpenClaw instances found on public internet | SecurityScorecard | Critical |
| ClawHub malicious skills | 1,184 confirmed malicious packages (~1 in 5) including keyloggers and Atomic Stealer malware | Antiy CERT | Critical |
| Moltbook data breach | 35,000 email addresses and 1.5 million agent API tokens exposed | Reco / Security Dispatch | High |
| Total CVEs disclosed | Nine CVEs across multiple rounds | Endor Labs | Multiple |
| Directly RCE-vulnerable instances | 15,000+ confirmed | SecurityScorecard | Critical |
How the ClawJacked Attack Works
A developer visits an attacker-controlled webpage; malicious JavaScript silently opens a WebSocket connection to OpenClaw's localhost gateway. Because the gateway automatically trusts local connections and silently approves new device registrations from localhost, the attacker's site gains full control of the agent — in milliseconds.
Security researchers confirmed the attack chain takes "milliseconds" after a victim visits a single malicious webpage.
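The defensive counterpart to this chain, as an added example that is not OpenClaw or NemoClaw code: a deny-by-default admission check for a local gateway's WebSocket handshake that refuses to treat a loopback peer as trusted, validates the browser's Origin header against an allow-list, and never auto-approves an unknown device. The Origin and Upgrade headers are RFC 6455 names; the X-Device-Id header, the allow-listed origin and the device ids are constructed for illustration.

```python
from dataclasses import dataclass

# RFC 6455 header names are real; the device-id header, origin allow-list and
# device ids are constructed for this example (not OpenClaw's real protocol).

@dataclass(frozen=True)
class GatewayPolicy:
    allowed_origins: frozenset   # browser origins permitted to open a socket
    approved_devices: frozenset  # device ids an operator approved out of band


def admit_handshake(headers: dict, peer_ip: str, policy: GatewayPolicy) -> tuple[bool, str]:
    """Return (accepted, reason) for one WebSocket upgrade request.

    A loopback peer address is not treated as proof of trust: any web page the
    user visits can make the browser connect to 127.0.0.1.
    """
    h = {k.lower(): v for k, v in headers.items()}
    if h.get("upgrade", "").lower() != "websocket":
        return False, "not a websocket upgrade"
    # Browsers always send Origin on a WebSocket handshake, so a cross-site
    # page identifies itself here; anything off the allow-list is rejected.
    origin = h.get("origin")
    if origin is not None and origin not in policy.allowed_origins:
        return False, f"origin not allowed: {origin}"
    # New devices are never auto-approved, even when the peer is on loopback.
    device = h.get("x-device-id")
    if device not in policy.approved_devices:
        return False, f"device not approved: {device!r} from {peer_ip}"
    return True, "accepted"


def demo() -> dict:
    policy = GatewayPolicy(frozenset({"http://127.0.0.1:18789"}), frozenset({"laptop-7f3a"}))
    cases = {
        # Malicious page: its own Origin, loopback peer, replaying a known device id.
        "cross_site_page": ({"Upgrade": "websocket", "Origin": "https://evil.example",
                             "X-Device-Id": "laptop-7f3a"}, "127.0.0.1"),
        # Non-browser local client that was never paired.
        "unapproved_device": ({"Upgrade": "websocket", "X-Device-Id": "new-box"}, "127.0.0.1"),
        # Legitimate local UI: allow-listed Origin and approved device.
        "legit_local_ui": ({"Upgrade": "websocket", "Origin": "http://127.0.0.1:18789",
                            "X-Device-Id": "laptop-7f3a"}, "127.0.0.1"),
    }
    return {name: admit_handshake(hdrs, ip, policy) for name, (hdrs, ip) in cases.items()}


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name}: {'ACCEPT' if ok else 'REJECT'} ({why})")
```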
The Corporate Risk
Traditional security tooling is largely blind to this: endpoint security sees processes running but cannot interpret agent behavior; network tools see API calls but cannot distinguish legitimate automation from compromise; identity systems see OAuth grants but do not flag AI agent connections as unusual.
Trend Micro researchers described this as "shadow AI with elevated privileges."
What NemoClaw Changes
Nvidia's answer arrived on March 16 at its annual GTC developer conference in San Jose. The company announced NemoClaw, a stack that installs onto OpenClaw in a single command, adding the privacy and security infrastructure that enterprises need before they can trust an autonomous agent with production data. The core component is OpenShell, a new open-source runtime that sandboxes agents at the process level.
NemoClaw is not a fork of OpenClaw. It's not a competing agent framework. It's a security and governance layer that wraps around OpenClaw — a plugin and a runtime that add enterprise-grade controls without modifying the agent code itself.
NemoClaw vs. OpenClaw: Feature Comparison
| Capability | OpenClaw (Vanilla) | NemoClaw |
|---|---|---|
| Installation | Manual configuration | Single command |
| Sandboxing | None | Kernel-level, deny-by-default (OpenShell) |
| Policy enforcement | None | YAML-based, out-of-process (cannot be overridden by a compromised agent) |
| Privacy router | None | Local Nemotron models for sensitive data; cloud routing for complex tasks |
| Network binding default | 0.0.0.0:18789 (all interfaces — dangerous) | Configurable with enforcement |
| Skill marketplace vetting | Minimal (ClawHub) | VirusTotal partnership in progress |
| Hardware requirement | Any | Hardware-agnostic; full privacy router requires Nvidia GPU |
| Model compatibility | Any (BYO API key) | Any, including OpenAI, Anthropic, Nemotron |
| Enterprise audit trail | None | Policy-based logging |
| Production readiness | Patched for known CVEs | Early alpha — not yet production-ready |
NemoClaw introduces OpenShell, a YAML-based security runtime for defining granular permissions, and locally deployable Nemotron models optimized for Nvidia hardware.
Policies are written in YAML, which means a development team can, for example, permit a sandbox to connect to a specific cloud AI tool while blocking everything else on the network.
The Privacy Router — NemoClaw's Most Important Feature
The privacy router is the architectural piece that makes NemoClaw genuinely different from a patched OpenClaw. It keeps sensitive data on local Nemotron models while routing complex reasoning to cloud models. In practical terms: proprietary documents and internal credentials never leave your infrastructure. Only tasks that require frontier-model reasoning touch an external API — and even then, the policy engine controls which APIs are permitted.
OpenClaw hands infrastructure responsibility to whoever installs it. NemoClaw sits between the fully-managed approach and raw OpenClaw, preserving flexibility while allowing companies to set and enforce their own rules.
What Is Still Not Fixed
Here is the non-obvious finding that most NemoClaw coverage is glossing over: NemoClaw is an infrastructure-layer solution applied to a problem that also exists at the application layer. The two are not the same.
NemoClaw addresses infrastructure-level security — sandboxing, policy enforcement, data routing — but does not solve application-level risks like prompt injection, skill supply chain attacks, or agent reasoning manipulation.
Prompt injection — where malicious instructions embedded in an email or webpage convince the agent to act against the user's intent — is not a kernel-level problem. The attacker plants instructions in data the agent reads, so that the LLM treats them as legitimate user commands. A sandboxed agent that acts on a poisoned email is still acting on a poisoned email. The sandbox only limits the blast radius.
The "confused deputy" framework coined by researcher Simon Willison describes when an AI agent has access to private data, processes untrusted content, and can communicate externally. OpenClaw has all three in its default configuration. NemoClaw reduces the third — external communication — but does not fully address the first two.
Security teams should treat NemoClaw as a significant improvement, not a complete solution.
Current Patching Status: Where Things Stand
If you are running OpenClaw today, version matters enormously.
| Version | Status | Key Changes |
|---|---|---|
| Pre-2026.1.29 | Critical — update immediately | Unpatched ClawJacked RCE (CVE-2026-25253 CVSS 8.8) |
| 2026.1.29 | Patched for CVE-2026-25253 | ClawJacked fix only |
| 2026.2.12 | Recommended minimum | 40+ vulnerability fixes |
| 2026.2.23 | Strongly recommended | HSTS headers, SSRF policy changes, external secrets management |
| 2026.2.26 | Latest stable (as of March 1, 2026) | Current recommended baseline |
| NemoClaw alpha | Enterprise early-access | Kernel sandbox + policy engine + privacy router |
To check whether your instance is exposed, run `netstat -tlnp | grep 18789`. If the binding shows `0.0.0.0:18789`, the instance is listening on every network interface, so it is reachable from any network the host is attached to, potentially the public internet. Change this to `127.0.0.1:18789` immediately.
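The same check as a script, as an added example that is not OpenClaw or Nvidia tooling: it parses `netstat -tlnp` output, here a constructed sample embedded in the code, and flags any gateway listener on 18789 that is not bound to loopback. It goes beyond the page's single case by also recognizing the IPv6 wildcard bind (`:::18789`).

```python
import ipaddress

GATEWAY_PORT = 18789  # OpenClaw gateway port named in the text

# Constructed `netstat -tlnp` output (not captured from a real host): an IPv4
# wildcard bind, an IPv6 wildcard bind, a correct loopback bind, and noise.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:18789           0.0.0.0:*               LISTEN      4242/node
tcp6       0      0 :::18789                :::*                    LISTEN      4242/node
tcp        0      0 127.0.0.1:18789         0.0.0.0:*               LISTEN      5151/node
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      99/cupsd
"""


def classify(address: str) -> str:
    """Exposure class of a bind address: wildcard, loopback or specific."""
    if address in ("0.0.0.0", "::", "*"):
        return "wildcard"  # every interface, including any public one
    try:
        return "loopback" if ipaddress.ip_address(address).is_loopback else "specific"
    except ValueError:
        return "specific"


def gateway_listeners(netstat_output: str, port: int = GATEWAY_PORT) -> list:
    """Return (address, exposure, program) for each LISTEN socket on `port`."""
    found = []
    for line in netstat_output.splitlines():
        cols = line.split()
        if len(cols) < 6 or cols[5] != "LISTEN":
            continue
        addr, _, p = cols[3].rpartition(":")  # rpartition keeps IPv6 colons intact
        if p.isdigit() and int(p) == port:
            addr = addr.strip("[]")
            found.append((addr, classify(addr), cols[6] if len(cols) > 6 else "?"))
    return found


def exposed(netstat_output: str) -> list:
    """Gateway listeners that must be rebound to 127.0.0.1 before anything else."""
    return [l for l in gateway_listeners(netstat_output) if l[1] != "loopback"]


if __name__ == "__main__":
    # On a real host, feed in the output of `netstat -tlnp` instead of SAMPLE_NETSTAT.
    for addr, kind, prog in exposed(SAMPLE_NETSTAT):
        print(f"EXPOSED: {addr}:{GATEWAY_PORT} ({kind} bind) by {prog}")
```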
Who This Actually Affects
Enterprise security teams are the primary audience. If employees deploy OpenClaw on corporate machines and connect it to enterprise systems and leave it misconfigured and unsecured, it could be commandeered as a powerful AI backdoor agent capable of taking orders from adversaries.
Individual developers running OpenClaw locally should update to v2026.2.26 now and audit every installed skill against the Antiy CERT malicious skills list.
Organizations in regulated industries — finance, healthcare, legal — should wait for NemoClaw to exit alpha before any production deployment. The architecture is sound; plan your evaluation for Q3 2026.
IT and procurement teams who have been sitting on the sidelines: close to 7% of U.S. enterprise CFOs have already deployed AI agents in live finance workflows, with an additional 5% running pilots, according to PYMNTS Intelligence research. Companies using AI agents capable of autonomous action have automated up to 95% of their accounts receivable work, compared to 38% at firms without that capability. The business case is real. The question is now whether your security posture can support it.
Anyone who has not yet audited their ClawHub skills: do this before anything else. One in five packages in the ecosystem has been confirmed malicious.
What to Watch Next
NemoClaw's Q3 2026 production-readiness milestone is the critical date for enterprise deployments. Endor Labs noted that traditional static application security testing tools cannot identify issues in LLM-to-tool communication flows, conversation state management, or agent-specific trust boundaries — meaning a new category of AI-native security tooling needs to emerge alongside NemoClaw. Watch for dedicated AI firewall products and agent-aware EDR integrations to mature over the next two quarters. The VirusTotal partnership for ClawHub vetting is also worth monitoring; a verified skill registry would dramatically reduce the supply chain risk that currently makes ClawHub a liability.
Conclusion
OpenClaw is the fastest-growing open-source project in history — and the most dangerous AI agent framework to run unmodified in a business environment. Its security problems are not bugs. They are architectural. NemoClaw, announced by Nvidia on March 16, 2026, is the first credible enterprise-grade answer: kernel-level sandboxing, YAML policy enforcement, and a privacy router, installed in a single command. It does not solve prompt injection or supply chain poisoning at the application layer — but it closes the infrastructure gaps that have made enterprise deployment unjustifiable. Update to OpenClaw v2026.2.26 today if you have not already, audit every installed skill, and track NemoClaw's GitHub repo for the Q3 production release before committing to a regulated-environment deployment.