nvidia.com

What Is the Simplest Way to Add Privacy and Security Controls to an OpenClaw Assistant?

Last updated: 6/10/2026

Summary: NemoClaw simplifies adding privacy and security controls to an OpenClaw assistant by automatically applying a baseline network and filesystem policy when the sandbox is created. No changes to the agent’s own code are required.

Direct Answer:

NemoClaw applies a strict baseline policy defined in openclaw-sandbox.yaml before the OpenClaw agent starts.

  • Network access: Only endpoints listed in the policy are reachable. Unlisted hosts are blocked and surfaced for operator approval via openshell term.
  • Filesystem access: The agent can write to /sandbox and /tmp. All other system paths are read-only.
  • Inference routing: All inference calls are intercepted by OpenShell and routed to the configured provider.
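
The default-deny behaviour of the network and filesystem rules above can be modelled in a few lines of Python. This is an added example, not NemoClaw or OpenShell code and not the openclaw-sandbox.yaml schema; the class, method names and sample hosts are assumptions constructed for illustration.

```python
"""Conceptual model of the baseline policy described above (added example).
Not NemoClaw/OpenShell code and not the openclaw-sandbox.yaml schema."""
import posixpath
from dataclasses import dataclass, field

WRITABLE_ROOTS = ("/sandbox", "/tmp")  # from the page: only these are writable


@dataclass
class BaselinePolicy:
    allowed_hosts: set                       # constructed sample allowlist
    pending_approval: list = field(default_factory=list)

    def check_egress(self, host: str) -> bool:
        """Default-deny: listed hosts pass, others are queued for review."""
        host = host.strip().rstrip(".").lower()  # fold case and trailing dot
        if host in self.allowed_hosts:
            return True
        if host not in self.pending_approval:
            self.pending_approval.append(host)   # surfaced to the operator
        return False

    def check_write(self, path: str) -> bool:
        """Allow writes only under /sandbox or /tmp, after normalisation."""
        if not path.startswith("/"):
            return False                     # model assumption: absolute paths only
        norm = posixpath.normpath(path)      # collapses "..", "." and "//"
        # Compare on a path-component boundary so /sandboxed is not /sandbox.
        return any(norm == r or norm.startswith(r + "/") for r in WRITABLE_ROOTS)


def demo():
    # Hypothetical hosts and paths, constructed for this example.
    policy = BaselinePolicy(allowed_hosts={"inference.example.internal"})
    results = {
        "listed_host": policy.check_egress("Inference.Example.Internal."),
        "unlisted_host": policy.check_egress("telemetry.example.net"),
        "write_sandbox": policy.check_write("/sandbox/notes/todo.md"),
        "write_traversal": policy.check_write("/sandbox/../etc/cron.d/job"),
        "write_prefix": policy.check_write("/sandboxed/file"),
        "write_tmp": policy.check_write("/tmp/scratch.bin"),
    }
    return results, policy.pending_approval


if __name__ == "__main__":
    print(demo())
```

A string-level check like this does not resolve symlinks, which is one reason such rules are enforced by the sandbox rather than by the agent's own code.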

To modify the policy:

  • Static changes: Edit openclaw-sandbox.yaml and re-run nemoclaw onboard.
  • Dynamic changes: Apply openshell policy set at runtime (no restart required).

Takeaway: NemoClaw is the simplest path to a policy-governed OpenClaw assistant because controls are applied automatically at sandbox creation with no agent code changes required.