Developer posts show tool sandboxing isolates local AI agents
- NVIDIA’s NemoClaw is emerging in new developer guides as a security wrapper for OpenClaw, with NVIDIA and outside builders showing how sandboxed agents handle files, APIs, and long-running workflows locally.
- The clearest detail is architectural: NemoClaw’s sandbox uses OpenShell policies, network namespaces, seccomp, Landlock, and filesystem confinement, while tool calls can be narrowed to specific binaries and domains.
- NemoClaw is still alpha software, available since March 16, 2026, and NVIDIA says not to use it in production yet. (docs.nvidia.com)
AI agents are software that can read files, call tools, and keep working after you stop typing. NVIDIA’s NemoClaw is built to put those agents inside a locked-down box. (developer.nvidia.com) (docs.nvidia.com)

NVIDIA announced NemoClaw on March 16, 2026, as an open-source stack for the OpenClaw agent platform. The company said it installs Nemotron models and the new OpenShell runtime in a single command. (investor.nvidia.com)

The basic idea is separation. OpenClaw handles the assistant, while OpenShell supplies the runtime that creates the sandbox, applies policies, and manages what the agent can touch. (developer.nvidia.com) (nemoclawai.io)

NVIDIA’s own quickstart says NemoClaw is alpha software and not for production use yet. The early preview started March 16, 2026, with tested paths on Linux, DGX Spark, macOS with limitations, and Windows through Windows Subsystem for Linux 2 with limitations. (docs.nvidia.com)

The security pitch is concrete. NVIDIA says NemoClaw adds guided onboarding, image hardening, lifecycle management, and policy controls so a local agent can run on your hardware without sending data off-device when inference is local. (developer.nvidia.com)

Recent developer posts are filling in how that looks in practice. Natoma’s April 23 walkthrough described a NemoClaw-sandboxed agent reaching GitHub, Slack, Jira, and other tools through Natoma, with no service credentials inside the agent environment. (natoma.ai) That post said every tool call is policy-evaluated and every action is logged. It also said the sandbox sees only the remote Model Context Protocol servers registered for it, not every tool on the host. (natoma.ai)

Outside security researchers are also testing the limits. Lasso Security wrote on April 23 that NemoClaw and OpenShell provide “kernel-level isolation,” but argued that sandboxing alone does not remove AI-specific attacks once an agent is allowed to reach the outside world. (lasso.security) Lasso’s write-up described declarative egress policies that can map specific domains to specific binaries, such as allowing `curl` to reach GitHub only when that binary and domain are explicitly enabled. That is closer to an allowlist than a general internet connection. (lasso.security)

NVIDIA’s command reference shows that setup revolves around `nemoclaw onboard`, which creates the OpenShell gateway, registers inference providers, builds the sandbox image, and applies a policy tier. The default “Balanced” tier includes development tooling and web search, while “Restricted” removes third-party network access beyond inference and core tooling. (docs.nvidia.com)

The hardware and runtime details show why this is aimed at serious local deployments, not lightweight demos. NVIDIA recommends 16 gigabytes of memory and 40 gigabytes of free disk space, and notes the sandbox image is about 2.4 gigabytes compressed. (docs.nvidia.com)

So the story in the new posts is less that NemoClaw makes agents safe by itself, and more that it turns safety into something operators can configure. The agent gets a smaller room, narrower doors, and a log of what it tried to do. (developer.nvidia.com) (natoma.ai) (lasso.security)
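To make the two mechanisms above concrete, here is an added example, written for this page rather than taken from NVIDIA, OpenShell, Natoma or Lasso, that models the semantics the posts describe: a tool call's network egress is allowed only when the calling binary and the destination domain are both explicitly enabled, tiers such as "Restricted" and "Balanced" are layered sets of such rules, and every decision is logged whether allowed or denied. It is not OpenShell's policy language, schema or API. The rule shape, the tier contents, the `openclaw-agent`, `pip` and `web-search` binary names, and the hostnames `inference.internal` and `search.example` are assumptions; `api.github.com` stands in for the curl-to-GitHub case in the article.

```python
"""Toy evaluator for a binary-to-domain egress allowlist with policy tiers.

Illustration written for this page. It is NOT OpenShell's or NemoClaw's
policy language, schema, or API: the rule shape, tier contents, binary
names and all hostnames below are assumptions.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class EgressRule:
    binary: str            # executable permitted to open the connection
    domains: frozenset     # exact hostnames, or "*.example" for subdomains only


@dataclass(frozen=True)
class Decision:
    allowed: bool
    binary: str
    host: str
    reason: str


# Assumed placeholders: the inference and search hostnames are invented;
# "api.github.com" stands in for the curl-to-GitHub case from the article.
INFERENCE_HOST = "inference.internal"
CORE = [EgressRule("openclaw-agent", frozenset({INFERENCE_HOST}))]
DEV_TOOLING = [
    EgressRule("curl", frozenset({"api.github.com", "*.github.com"})),
    EgressRule("pip", frozenset({"pypi.org", "files.pythonhosted.org"})),
]
WEB_SEARCH = [EgressRule("web-search", frozenset({"search.example"}))]

# Tiers are layered: "restricted" keeps only inference and core tooling,
# "balanced" adds development tooling and web search (assumed contents).
TIERS = {
    "restricted": CORE,
    "balanced": CORE + DEV_TOOLING + WEB_SEARCH,
}


def host_matches(pattern: str, host: str) -> bool:
    """Exact match, or subdomain match for a leading '*.'; never substring."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        # "*.github.com" matches "gist.github.com" but not "github.com"
        # and not "evilgithub.com" (the dot is part of the suffix).
        return host.endswith(pattern[1:]) and host != pattern[2:]
    return host == pattern


class EgressPolicy:
    """Default-deny evaluator: anything not matched by a rule is refused."""

    def __init__(self, tier: str):
        if tier not in TIERS:
            raise ValueError(f"unknown tier {tier!r}")
        self.tier = tier
        self.rules = {}          # binary -> set of allowed domain patterns
        for rule in TIERS[tier]:
            self.rules.setdefault(rule.binary, set()).update(rule.domains)
        self.log = []            # every Decision, allowed or not

    def evaluate(self, binary: str, url: str) -> Decision:
        # urlsplit strips userinfo and port, so "https://api.github.com@evil.test/"
        # resolves to host "evil.test", not the lookalike prefix.
        host = urlsplit(url).hostname or ""
        if not host:
            decision = Decision(False, binary, host, "no hostname in URL")
        elif binary not in self.rules:
            decision = Decision(False, binary, host, "binary has no network allowlist")
        elif not any(host_matches(p, host) for p in self.rules[binary]):
            decision = Decision(False, binary, host, "domain not enabled for binary")
        else:
            decision = Decision(True, binary, host, "binary and domain both enabled")
        self.log.append(decision)
        return decision


if __name__ == "__main__":
    # Constructed tool calls, evaluated under both assumed tiers.
    for tier in ("balanced", "restricted"):
        policy = EgressPolicy(tier)
        for binary, url in [
            ("curl", "https://api.github.com/repos/x/y"),
            ("python3", "https://api.github.com/"),
            ("curl", "https://api.github.com@evil.test/"),
            ("openclaw-agent", "http://inference.internal:8000/v1/chat"),
        ]:
            d = policy.evaluate(binary, url)
            verdict = "ALLOW" if d.allowed else "DENY"
            print(f"[{tier}] {binary} -> {d.host or url}: {verdict} ({d.reason})")
```

Two details carry the security point. The evaluator is default-deny, so a binary that appears in no rule (`python3` above) cannot reach even an allowlisted domain, which is what makes "curl to GitHub" narrower than "the sandbox to GitHub". And the hostname is taken from the parsed URL rather than from a string prefix, so a lookalike such as `https://api.github.com@evil.test/` is judged on `evil.test`. Note what the model does not do, which is Lasso's point: once `curl` may reach GitHub, a prompt-injected agent can still use that allowed channel, so the log of attempted calls is the control that remains.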