Surprise, surprise, agentic AI is advancing very quickly, and security isn’t quite keeping up. While most attention in recent times has focused on improving model capability, we’ve often been left wondering how to actually make these systems safe enough to trust with real-world tasks and limited interaction.

This challenge has become particularly evident with the rise of platforms like OpenClaw, where autonomous agents can execute multi-step actions with minimal human oversight. As adoption accelerated, the risks have continued to expose the growing gap between what AI systems can do and how securely they can operate.

Nvidia’s recent introduction of NemoClaw is a direct response to this problem, aiming to make AI agents more secure, rather than simply focusing on making them more capable. But what exactly is OpenClaw, and how does NemoClaw improve the security of it in a meaningful way? And well… if it does, are all our problems solved?

OpenClaw has had a few names in its short life. It started as "Clawdbot", created by Peter Steinberger in November 2025. Steinberger reportedly built the first prototype of Clawdbot in a single hour using "vibe coding" and released it as a free, open-source autonomous AI agent to the world.

In January 2026, however, Anthropic filed trademark complaints over the name's similarity to their flagship “Claude” chatbot, resulting in an initial rebrand to "Moltbot", followed by a subsequent rebrand three days later to "OpenClaw". (Not confusing for anyone at all). By February 2026, Steinberger had joined OpenAI. So… what even is it?

OpenClaw is a free, open-source autonomous AI agent that executes tasks using large language models (LLMs) via messaging platforms like Signal, Telegram, Discord, and WhatsApp. It allows users to interact with AI agents that can use tools, plan, and carry out complex multi-step instructions with minimal human interaction.

Its adoption has been extremely fast, amassing over 247,000 GitHub stars, 47,700 forks, and over 600 contributors as of early March 2026, making it the fastest-growing open-source project in history. Agents powered by OpenClaw (known as "claws") can handle tasks like managing email, messaging, scheduling, coding, and research, with more advanced applications rapidly emerging.

At its core, OpenClaw operates through a “skills” system where capabilities are stored as directories containing 

 files with metadata and tool instructions. These skills can be bundled, installed globally, or scoped to a workspace, and a central “ClawHub” marketplace allows users to share and discover skills, like an app store for AI agent capabilities.

OpenClaw's architecture is built around a gateway model. The agent runs locally, serving as an agentic interface connecting to external LLMs (Claude, DeepSeek, GPTs, etc) to power its reasoning, while a gateway service manages communications between the user's messaging platform and the agent itself. This is a convenient setup for end users as it allows anyone to spin up a personal AI agent on their own hardware and interact with it over familiar messaging tools.

However, this architecture introduces significant challenges from a security perspective.

The convenience of OpenClaw's design is also what made it so vulnerable. Originally a passion project, the platform was built with functionality and accessibility at its core and security as an afterthought. This resulted in a rapidly growing attack surface that security researchers were quick to identify and exploit.

 observed deployments susceptible to attacks. Of these, 12,812 were exploitable via remote code execution (RCE), 549 correlated with prior breach activity, and 1,493 had known vulnerabilities.

At the time of writing, over 239 security advisories have been written and multiple CVEs have been documented for OpenClaw, including 

 (WebSocket token theft leading to RCE), 

 (path traversal leading to command execution). These vulnerabilities span multiple core domains, including authentication, sandbox escape, and input validation failures.

Beyond direct exploitation, the supply chain has also proven to be a rich target. Trend Micro documented malicious skills on 

 (Atomic macOS Stealer), via malicious instructions hidden in 

 files that lead to AI agents presenting fake setup windows, tricking users into entering passwords and exfiltrating keychain credentials / personal files. At least 39 specific malicious skills were identified on ClawHub by Trend Micro alone, with other sources citing over 2,200 malicious skills across GitHub and broader skill marketplaces.

Common deployment failures made the issues worse, such as gateway binding on 0.0.0.0 without authentication, reverse proxy misconfigurations, Docker port exposure, and 

 via control panels. And if technical issues weren’t enough, in February 2026 a computer science student discovered his OpenClaw agent had created a 

 on his behalf without explicit authorisation, highlighting the autonomy and consent issues inherent in the tool. By March 2026, 

 had restricted state-run enterprises and government agencies from operating OpenClaw on office computers due to these risks.

These issues represent the systemic security challenges of agentic platforms that are designed with capability in mind first and security second. So clearly, something needed to change.

Enter Nvidia. Announced during the GTC 2026 keynote on 16th March 2026, 

 is Nvidia's open-source security and privacy stack that wraps OpenClaw with a security control layer. Rather than attempt to replace OpenClaw, Nvidia instead decided to provide a solution that sits on top of it, adding a layer of trust, isolation, and governance that the platform lacked.

 combining sandboxing, policy enforcement, data routing, and action validation to mitigate different classes of risk across the agent lifecycle.

For clarity, these controls can be grouped into three conceptual domains:

The core NemoClaw is OpenShell, which is a sandbox responsible for enforcing security policies independently of the agent runtime. This separation ensures that the agent cannot modify or bypass its own constraints and provides isolation and policy enforcement across:

Policies follow a deny-by-default model and maintain an audit trail of all decisions, supporting traceability and post-execution analysis. In theory, this ensures that agents operate strictly within a least-privilege design.

NemoClaw includes a privacy router that controls where data is sent and how its processed. This component:

Routing decisions are determined by organisational policies like data sensitivity, user roles, and cost restrictions, rather than the agent’s own discretion. This ensures that data handling remains compliant with privacy and governance requirements.

Within OpenShell’s enforcement pipeline, NemoClaw applies intent verification before executing any state-changing operation to validate the agent’s planned actions by:

By validating intent prior to execution, this mechanism is designed to reduce the risk of unintended or harmful behaviour, even when the agent generates plausible but inappropriate actions.

So, this is great, all our problems are solved! Right?

Well, despite these controls, Agent security is complex, and NemoClaw is not a complete solution, leaving a number of significant risks unaddressed.

As with every attempt at a solution at the moment, NemoClaw does not solve prompt injection. Indirect injection through webpages, emails, attachments, and logs is still viable. The OpenShell layer can help reduce the damage caused if policies are configured well, but it doesn’t stop the model from seeing and acting on malicious content. If a well-crafted email convinces the agent to take a harmful action that falls within its permitted scope, no amount of sandboxing will prevent it.

While the sandbox reduces the fallout of a malicious skill, it doesn’t replace the need for curation, signing, allowlists, and manual skill review. The core supply chain problem we’ve faced for decades across many technical advances still requires governance and verification mechanisms that NemoClaw does not provide, as untrusted code can be distributed via ClawHub and other marketplaces.

Identity and Credential Management is Untouched

Agents inherit whatever credentials they hold, and NemoClaw does not change your identity or access management model. As such, the threat surface most immediately implicated during an agent compromise is identity, credentials, and access. When AI systems can act at machine speed with minimal human oversight, a gap in access restrictions or credential hygiene becomes a very real problem very quickly.

 tested eight models across 30 scenarios and found that every model committed critical failures in every run. Even when models could identify phishing pages with near-perfect accuracy when asked directly, as autonomous agents, they still retrieved real credentials and entered them into attacker-controlled login pages.

The fundamental issue with NemoClaw is that although it addresses execution containment effectively, it leaves the harder problems untouched. Security researchers and industry experts have established that three operational boundaries must be secured when it comes to agentic AI:

NemoClaw addresses execution containment through the OpenShell sandbox, but it requires organisational discipline and additional tooling for the other two.

 put it: "The missing piece is not tooling. It is control. Real developers building agentic systems want observability, policy enforcement, rollback, and audit trails." She also raised that NemoClaw does not yet answer the question of whether we can trust what AI agents do when no one is watching.

The recommended architecture endorsed by security research goes beyond what NemoClaw currently provides. We need reader-agent and actor-agent separation, where a tightly sandboxed, low-authority runtime ingests external content, a separate runtime with delegated authority executes approved actions with human approval required for state-changing operations, and identity scoped to the minimum necessary access per task. NemoClaw definitely helps move us in this direction, but it’s not quite there yet.

The new attack surface is the AI model's judgement itself, and no amount of sandboxing can prevent an Agent from being persuaded into taking harmful actions via well-crafted prompts.

Nvidia's investment in NemoClaw is a positive and necessary step in the right direction. The platform brings meaningful security controls to an ecosystem that desperately needed more with its execution containment, privacy routing, and intent verification architecture, representing a decent foundation for securing agentic AI deployments.

However, NemoClaw is not a silver bullet, and the hardest problems in AI security (prompt injection, supply chain trust, identity management, and model judgment) remain fundamentally unsolved. NemoClaw definitely makes OpenClaw safer, but it doesn’t make deployments “safe” by itself.

For organisations adopting or considering agentic AI, NemoClaw and similar frameworks are important, but they must be complemented by additional robust identity and access controls, supply chain governance, human oversight, and continuous monitoring. The security of agentic AI cannot currently be solved by any single tool or vendor; it requires a layered, defence-in-depth approach that treats AI agents as powerful and capable systems that are just not yet trustworthy enough to operate without supervision.

Society is still in the early stages of securing agentic AI, and the direction is promising, but the destination is a way off. Until models can reliably resist manipulation and make consistently safe decisions, the responsibility falls on us (humans) to build the governance, security controls, and oversight processes that keep these systems in check and people safe.

Surprise, surprise, agentic AI is advancing very quickly, and security isn’t quite keeping up. While most attention in recent times has focused on improving model capability, we’ve often been left wondering how to actually make these systems safe enough to trust with real-world tasks and limited interaction.


The Limits of Agentic AI Security

Recommended for you

Securing AI in the Enterprise: Facilitating Innovation whilst Securing Adoption

The Evolution of AI: From Symbolic Reasoning to GPTs and Agentic Systems

Pixels, Polygons, and Payloads:Malware delivery in 3D software pipelines