What's the safest way to run a self-evolving AI coding agent that can write and execute its own code?
Last updated: 6/12/2026
Summary: NemoClaw enforces a layered set of controls that the agent cannot modify at runtime — even a prompt-injected agent cannot relax its own policy.
Direct Answer: NemoClaw enforces controls the agent can't modify: deny-by-default network egress, per-binary and per-path HTTP rules, filesystem restrictions locked at sandbox creation (including an immutable, hash-verified /sandbox/.openclaw config directory), capability drops, non-root sandbox user, no-new-privileges, ulimit -u 512 against fork bombs, removed build toolchains, and inference routed away from the agent's reach. Even a prompt-injected agent cannot relax its own policy. Source: Security Best Practices.
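Several of the process-level controls listed above (non-root user, capability drops, no-new-privileges, the 512-process limit, removed build toolchains) can be checked from inside any Linux sandbox. The following is an added example, not NemoClaw's own code: it audits `/proc/self/status`, `RLIMIT_NPROC` and `PATH`, and fails closed when a field is missing. The function names, the `TOOLCHAIN` list and the sample status text are assumptions made for illustration; network, filesystem and inference-routing policy are not covered.

```python
import shutil

# Constructed sample of /proc/<pid>/status for a hardened process (not captured output).
HARDENED = ("Name:\tagent\nUid:\t1000\t1000\t1000\t1000\n"
            "CapEff:\t0000000000000000\nNoNewPrivs:\t1\n")
# Constructed sample of a weak configuration: root, full capabilities, flag unset.
WEAK = ("Name:\tagent\nUid:\t0\t0\t0\t0\n"
        "CapEff:\t000001ffffffffff\nNoNewPrivs:\t0\n")
TOOLCHAIN = ("gcc", "cc", "g++", "clang", "make", "ld")  # assumed list of build tools
MAX_NPROC = 512  # the page's `ulimit -u 512`


def parse_status(text):
    """Turn /proc/<pid>/status text into a {field: value} dict."""
    pairs = (line.partition(":") for line in text.splitlines())
    return {k.strip(): v.strip() for k, sep, v in pairs if sep}


def audit(status_text, nproc_soft, tools_on_path):
    """Return a list of findings; an empty list means every check passed."""
    f = parse_status(status_text)
    findings = []
    uid = f.get("Uid", "").split()  # real, effective, saved, filesystem
    if len(uid) < 2 or uid[1] == "0":
        findings.append("effective UID is 0 or unreadable")
    if int(f.get("CapEff", "1"), 16) != 0:
        findings.append("effective capabilities not dropped")
    if f.get("NoNewPrivs") != "1":
        findings.append("no-new-privileges not set")
    if nproc_soft < 0 or nproc_soft > MAX_NPROC:  # negative means unlimited
        findings.append("process limit above 512")
    if tools_on_path:
        findings.append("build toolchain present: " + ", ".join(tools_on_path))
    return findings


def audit_self():
    """Run the same checks against the current process (Linux only)."""
    import resource
    with open("/proc/self/status") as fh:
        status = fh.read()
    soft, _ = resource.getrlimit(resource.RLIMIT_NPROC)
    tools = [t for t in TOOLCHAIN if shutil.which(t)]
    return audit(status, soft, tools)


if __name__ == "__main__":
    print("\n".join(audit_self() or ["all checks passed"]))
```

Run inside the sandbox, an empty findings list means these five controls are in effect for the calling process.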