Nvidia NemoClaw
github.com138 points by hmokiguess 4 hours ago
138 points by hmokiguess 4 hours ago
Am I missing something? Why is everyone talking about sandboxes when it comes to OpenClaw?
To me it's like giving your dog a stack of important documents, then being worried he might eat them, so you put the dog in a crate, together with the documents.
I thought the whole problem with that idea was that in order for the agent to be useful, you have to connect it to your calendar, your e-mail provider and other services so it can do stuff on your behalf, but also creating chaos and destruction.
And now, what, having inference done by Nvidia directly makes it better? Does their hardware prevent an AI from deleting all my emails?
I think the point you're making is fully correct, so consider this a devil's advocate argument...
People claim, you can use Claw-agents more safely while getting some of the benefits, by essentially proxying your services. For example on Gmail people are creating a new Google accounts, forwarding email via rule, and adding access to their calendar via Google's Family Sharing. This allows the Claw agent to read email, access the calendar, but even if you ask it to send an email it can only send as the proxy account, and it can only create calendar appointments then add you as an attendee rather than destroy/altering appointments you've made.
Is the juice worth the squeeze after all that? That's where I struggle. I think insecure/dangerous Claw-agents could be useful but cannot be made safe (for the logical fallacy you pointed out), and secure Claw-agents are only barely useful. Which feels like the whole idea gets squished.
> Am I missing something?
You are indeed missing a TON. A lot of Open Claw users don't give it everything. We give it specific access to a group of things it needs to do the things we want. If I want an agent to sit there 24/7 maximizing uptime of my service, I give it access to certain data, the GitHub repo with PR privileges, and maybe even permissions to restart the service. All of this has to be very thoughtful and intentional. The idea that the only "useful" way to use Open Claw is to give it everything is a straw man.
Yes, although what I think is different in this setup here is the OpenShell gateway override, as they mention:
> NemoClaw installs the NVIDIA OpenShell runtime and Nemotron models, then uses a versioned blueprint to create a sandboxed environment where every network request, file access, and inference call is governed by declarative policy. The nemoclaw CLI orchestrates the full stack: OpenShell gateway, sandbox, inference provider, and network policy.
I think this means you get a true proxy layer with a network gateway that let's you stop in-flight requests with policies you define, so it's not their hardware but the combination of it plus OpenShell gateway and network policies.
I also think the reason they are doing this is to try and get some moat around these one-clik deployments and leverage their GPU for rent type of thing instead of having you go buy a mac mini and learn "scary" stuff (remember, the user market here is pretty strange lol)
OpenShell is the gem here indeed. A lot of good ideas like network sandbox that does TLS decryption and use of policy engine to set the rules. However:
> Credentials never leak into the sandbox filesystem; they are injected as environment variables at runtime.
If anyone from the team is reading - you should copy surrogate credentials approach from here to secure the credentials further: https://github.com/airutorg/airut/blob/main/doc/network-sand...
I'm putting my dog in his crate with all my important documents, but leaving my fine china tableware in the cupboard away from the dog.
and then tie a tiny string from the china to a thing inside the cage because it seemed handy at the time...
Agreed. I think the "simplifies running OpenClaw always-on assistants safely" bit is pretty misleading. I suppose it can wreak less havoc on your local file system but, as you point out, it's access to your account credentials (Slack, email, Amazon?, etc.) that is the real danger.
You don't need to connect your calendar, email, or anything else. I am having so much fun talking to it bouncing ideas and pushing code/markdown files to GitHub (totally separate account I created for OpenClaw). On the other hand I don't have a crazy life that everything needs to be in the calendar.
The fully autonomous agentic ecosystem makes me feel a little crazy — like all common sense has escaped. It feels like there is a lot of engineering effort being exhausted to harden the engine room on the Titanic against flooding. It's going to look really secure... buried in debris at the bottom of the ocean.
When a state sponsored threat actor discovers a zero day prompt injection attack, it will not matter how isolated your *Claw is, because like any other assistant, they are only useful when they have access to your life. The access is the glaring threat surface that cannot be remediated — not the software or the server it's running on.
This is the computing equivalent of practicing free love in the late 80's without a condom. It looks really fun from a distance and it's probably really fun in the moment, but y'all are out of your minds.
Well, at least we share the same world as these people, meaning that we too will experience the consequences of their actions.
Isn't that a nice perspective
I found this part interesting: "Inference requests from the agent never leave the sandbox directly. OpenShell intercepts every call and routes it to the NVIDIA cloud provider."
Seems like they are doing this to become the default compute provider for the easiest way to set up OpenClaw. If it works out, it could drive a decent amount of consumer inference revenue their way
Secure installation isn't the main problem with OpenClaw. This project doesn't seem to be solving a real problem. Of course the real problem is giving an LLM access to everything and hoping for the best.
Running OpenClaw is the nerd equivalent of rolling coal
OpenClaw can be useful, in theory, unlike rolling coal. OpenClaw is what people always hoped Siri, Alexa and/or Google Assistant would be, and now it's really here. It may be expensive, has a chance to become your local Skynet and might randomly delete or leak everything that's valuable for you..but I guess this counts as growing pains.
I'm trying to put together what you could possibly mean by this -- rolling coal is fundamentally about spite. In isolation, nobody _wants_ their vehicle to spew black smoke. It only comes close to making sense in the context of another population (EV owners, typically, or more generally "the libs").
OpenClaw lets people live a bit dangerously, but fundamentally gives them something that they actually wanted. They wanted it so badly that they're willing to take what seem like insane risks to get it.
What do the two have in common?
> OpenClaw lets people live a bit dangerously, but fundamentally gives them something that they actually wanted. They wanted it so badly that they're willing to take what seem like insane risks to get it.
For the first time in my career I feel so incredibly behind on this: What is open claw giving people that they want so badly? It just seems like Russian Roulette, I honestly don't see the upside
I can give you, as an example, what is driving me towards trying it.
I work as a contractor for 2 companies, not out of necessity, but greed. I also have a personal project with a friend that is dangerously close to becoming a business that needs attention. I also have other responsibilities and believe it or not - friends. Also the ADHD on top of that.
I yearn for a personal assistant. Something or somebody that will read the latest ticket assigned to me, the email with project feedback, the message from my best friend that I haven't replied for the last 3 days and remind me: "you should do this, it's going to take 5 minutes", "you have to do this today, because tomorrow you are swamped" or "you should probably start X by doing Y".
I have tried so many systems of managing my schedule and I can never stick with it. I have a feeling that having a bot "reach out", but also be able to do "reasoning" over my pending things would be a game changer.
But yes, the russian roulette part is holding me back. I am taking suggestions though
How much would a real personal assistant cost?
> How much would a real personal assistant cost?
A lot. And wouldn't be as good or fast. I am speaking from experience.
Like with any new tool/technology, you have to try it. And even then the benefits won't be obvious to you until you've played with it for a few days/weeks. With LLMs in general, it took me months before I found real good use cases.
Simple example: I tell (with my voice) my OpenClaw instance to monitor a given web site daily and ping me whenever a key piece of information shows up there.
The real problem is that it is fairly unreliable. It would often ping me even when the information had not shown up.
Another example: I'm particular about the weather related information I want, and so far have not found any app that has everything. I got sick of going to a particular web site, clicking on things, to get this information. So I created a Skill to get what I need, and now I just ask for it (verbally), and I get it.
As the GP said. This is what Siri etc should have been.
> Simple example: I tell (with my voice) my OpenClaw instance to monitor a given web site daily and ping me whenever a key piece of information shows up there.
Maybe i'm just old -- a cron job can fetch the info and push it to some notification service too, without also being a chaos agent. It seems I spend the security cost here, and in return i can save 15 minutes writing a script. Juice doesn't seem to be worth the squeeze.
But they don't just want the text of the website pushed as a notification every day. They want the bot to load the site, likely perform some kind of interaction, decide if the thing they're looking for is there, and then notify them.