Lumetric
Back to resources

The Open-Source Agent Stack: NemoClaw, OpenClaw, and What It Means for Enterprise AI

9 min read
The Open-Source Agent Stack: NemoClaw, OpenClaw, and What It Means for Enterprise AI

Six months ago, OpenClaw did not exist. Today it is the fastest-growing open-source project in history, often called the "Linux of AI agents." NVIDIA just shipped NemoClaw — an enterprise-grade wrapper around the OpenClaw ecosystem — at GTC 2026. Salesforce, SAP, ServiceNow, and CrowdStrike have already adopted the framework.

For IT leaders at financial institutions, consulting firms, and real estate shops, the pressure to have an opinion on this stack is growing fast. Your analysts are already running OpenClaw on their personal machines. Your board is asking about "agentic AI." And your CISO is losing sleep.

This article is for the person who needs to evaluate whether the open-source agent stack is ready for a regulated enterprise — not from a hype perspective, but from a security and governance one.

The Architecture in Plain English

The stack has three layers. Understanding them is necessary before evaluating the risks.

Layer 1: OpenClaw (The Agent Framework)

OpenClaw is open-source software that turns a large language model into an autonomous agent. Instead of chatting with you in a browser window, the agent can execute code, manage files, browse the web, read your email, and interact with SaaS tools — all from a messaging interface like Slack, WhatsApp, or a terminal.

It was created by Peter Steinberger (founder of PSPDFKit) as a side project in late 2025 — originally called Clawdbot, then briefly Moltbot, before settling on OpenClaw after trademark disputes with Anthropic. Steinberger joined OpenAI in February 2026 to lead their personal agents division. OpenClaw is now maintained by an independent foundation and remains model-agnostic — it can run on GPT-5, Claude Opus, Nemotron, or any compatible model.

The critical point: OpenClaw requires high-level system permissions to be useful. It needs access to your file system, network, and potentially your email and messaging apps. This is what makes it powerful. It is also what makes it dangerous in an uncontrolled environment.

Layer 2: NemoClaw (The Enterprise Wrapper)

NemoClaw is NVIDIA's answer to the question "How do we make OpenClaw safe for the enterprise?" It bundles:

  • Nemotron 3 models — NVIDIA's open-weight model family, optimized for agentic reasoning with a 1-million-token context window. These can run locally on NVIDIA hardware, meaning inference never leaves your network.
  • OpenShell Runtime — A secure sandbox that isolates agent sessions in containers. Every action the agent takes is governed by declarative YAML policies that your security team writes. The agent can only access the directories, network endpoints, and tools that the policy explicitly permits.
  • Privacy Router — A middleware layer that intercepts calls to cloud-based frontier models. If the agent needs to use a more powerful cloud model for a specific reasoning task, the privacy router strips PII and sensitive data before the request leaves your network.
  • NVIDIA Agent Toolkit — Pre-built blueprints for common agent patterns, including the AI-Q deep research agent that currently tops the DeepResearch Bench II benchmark.

NemoClaw runs on NVIDIA hardware: RTX workstations for individual users, DGX Spark for team-level deployments, and full DGX infrastructure for enterprise scale.

Layer 3: ClawHub (The Skills Marketplace)

ClawHub is the open marketplace where developers publish "Skills" — plugins that extend what an OpenClaw agent can do. Skills exist for everything from calendar management to code execution to CRM integration.

This is the layer that introduces the most risk, and we will come back to it.

The Security Picture: What Has Already Gone Wrong

OpenClaw's velocity has outpaced its security maturity. This is not speculation — it has already produced real incidents.

Supply Chain Attacks (ClawHavoc). In early 2026, security researchers identified a coordinated supply chain attack through ClawHub. Professional-looking skills — with documentation, stars, and reviews — contained embedded malware that exfiltrated plaintext API keys and OAuth tokens from host machines. Over 13% of community-contributed skills were found to contain critical vulnerabilities or outright stealer code.

Remote Code Execution. CVE-2026-25253 demonstrated that a single malicious message or compromised web page could execute arbitrary code on the host machine running OpenClaw. The agent reads a page, the page contains a hidden instruction, and the instruction tells the agent to execute a script. This is not theoretical — it was demonstrated in the wild.

Sandbox Escapes. Researchers found methods to bypass the Docker containers that OpenClaw uses for code execution, granting the agent (or an attacker exploiting the agent) access to the underlying host operating system.

Prompt Injection. This remains the most fundamental and unsolved vulnerability. An agent that reads email is an agent that can be manipulated by email. A carefully crafted message — invisible to the human reader but visible to the model — can redirect the agent to leak data, delete files, or execute unauthorized actions. Steinberger himself has acknowledged that prompt injection remains an unsolved problem.

Exposed Instances. In early 2026, over 1,000 public-facing OpenClaw instances were found misconfigured, leaking chat histories and system credentials to the open internet.

Regulatory Warnings. China's CNCERT issued warnings against deploying OpenClaw in government and critical infrastructure, citing it as a high-value target for state-sponsored espionage due to its autonomous system access.

What NemoClaw Fixes (and What It Does Not)

NemoClaw directly addresses several of these risks. The OpenShell runtime provides real, infrastructure-level isolation — not just Docker containers, but policy-governed sandboxes with declarative rules for file access, network egress, and tool permissions. The privacy router is a genuine architectural improvement for hybrid cloud deployments. The integration with enterprise security platforms (CrowdStrike, Cisco, Microsoft Security) means agent activity can flow into your existing SIEM/XDR infrastructure and be monitored like any other service.

These are meaningful improvements. But NemoClaw does not solve the fundamental challenges:

Prompt injection is still unsolved. NemoClaw's guardrails operate at the runtime level — they control what the agent can do. They do not control what the agent wants to do. If a prompt injection convinces the agent to exfiltrate data through an authorized channel (like sending an email it is permitted to send), the guardrails will not catch it.

ClawHub remains a risk surface. NemoClaw encourages the use of the NVIDIA-verified skill registry, but it does not prevent users from installing community skills. The supply chain problem is mitigated by audit processes, not eliminated by architecture.

Configuration complexity is a risk in itself. YAML-based policy files are powerful, but they are also easy to misconfigure. A single overly permissive rule — granting an agent write access to a directory it should only read, or allowing network egress to an endpoint that exposes internal data — can undo the entire security model. This is the same class of risk that has plagued Kubernetes deployments for years: the tool is secure in theory, but the configuration is where breaches happen in practice.

The "Shadow AI" problem persists. Your analysts are already running OpenClaw on their personal laptops. NemoClaw provides the enterprise deployment path, but it does not prevent employees from running unmanaged instances on personal hardware connected to corporate Slack or email. The governance challenge is organizational, not just technical.

A Practical Assessment for Regulated Industries

If your firm operates in a regulated environment — PE, IB, asset management, or any sector with data handling obligations — here is a realistic evaluation:

Is NemoClaw ready for production in regulated finance? Not yet. The stack is in alpha/early preview as of March 2026. The security architecture is sound in design, but it has not been through the multi-year hardening cycle that regulated industries require. SOC 2 Type II certification, penetration testing at scale, and real-world incident response history are prerequisites for institutional adoption — and NemoClaw does not have them yet.

Is it ready for controlled pilots? Yes. The AI-Q research agent blueprint provides a well-scoped starting point. Running a NemoClaw agent in a sandboxed environment with read-only access to a limited document set — for example, a research agent that synthesizes public filings — is a reasonable way to evaluate the technology without exposing sensitive data.

Should you block OpenClaw on corporate devices? This depends on your risk tolerance, but at minimum, you should have a policy. Unmanaged OpenClaw instances running on employee machines with access to corporate messaging and email represent a real and current threat vector. If you are not actively managing this, you are passively accepting the risk.

The Hardening Checklist

For IT leaders evaluating a NemoClaw pilot, these are the minimum requirements:

  1. Dedicated hardware. Run NemoClaw on isolated machines or VMs that are not connected to production systems. Do not deploy on machines that have access to deal data, client PII, or internal communications until the stack has been audited.
  2. Verified skills only. Restrict agent skills to the NVIDIA-verified registry and internally developed skills that have been reviewed by your security team. Block installation from the open ClawHub marketplace.
  3. Read-only access first. Start with agents that can read documents and produce analysis but cannot write to file systems, send emails, or access external APIs. Expand permissions incrementally as you build confidence.
  4. SIEM integration from day one. Connect OpenShell telemetry to your existing security monitoring infrastructure. Every agent action should be logged, searchable, and alertable.
  5. Prompt injection testing. Before deploying any agent that reads external content (emails, web pages, uploaded documents), conduct adversarial testing with prompt injection payloads. Understand the failure modes before they occur in production.
  6. Clear internal policy. Publish a firm-wide policy on the use of autonomous AI agents — both managed (NemoClaw) and unmanaged (personal OpenClaw instances). Define what is permitted, what requires approval, and what is prohibited.

Where This Leaves the Enterprise

The open-source agent stack is real, it is powerful, and it is moving fast. NemoClaw represents NVIDIA's serious commitment to making it enterprise-ready. But "enterprise-ready" and "regulated-industry-ready" are not the same thing. The architecture is promising. The maturity is not there yet.

For firms that need AI agents producing deliverables today — not next quarter, not after a pilot — the managed alternatives remain more practical. Claude Cowork provides a polished, secure desktop agent with zero infrastructure overhead. Microsoft Copilot Cowork provides cross-application automation within the 365 ecosystem.

And for deal teams that need agents built specifically for their industry — not general-purpose tools that require prompt engineering to understand a rent roll or a sensitivity table — purpose-built AI coworkers like those from Lumetric deliver the specificity that no general agent stack provides out of the box. The best CRE analyst, the best PE associate, the best underwriting specialist — not another platform to configure, but a coworker who already knows the job, available by email.

The open-source stack will mature. NVIDIA's resources and partner ecosystem virtually guarantee it. The question for your firm is not whether to adopt it eventually, but whether you can afford to wait for it — or whether you need the work done now.

Want to see it in action?

30 minutes. Your workflow. Live demo.

Book a demo