Analysis · GTC 2026 · Agent Era

Why NVIDIA Built NemoClaw

OpenClaw became the fastest-growing open source project in history. Then the security incidents started. Then Gartner warned 40% of agent projects would fail. Then Jensen Huang called it the most important software release ever — and shipped a fix.

March 2026 · Prateek Singh, PhD
Tags: OpenClaw · NemoClaw · Agent Security · NVIDIA Strategy

The most important software release, ever.
— Jensen Huang, March 2026

When the CEO of the world's most valuable semiconductor company calls an open-source tool "probably the single most important release of software, probably ever" — at a Morgan Stanley conference — you pay attention. He was talking about OpenClaw. And eleven days later, NVIDIA shipped NemoClaw.

This blog is about why that happened. Not the technology of Nemotron. The story — what OpenClaw is, why it exploded, what went wrong, why enterprises couldn't touch it, and why NVIDIA's answer is actually the same playbook they used with CUDA twenty years ago.

01 · OpenClaw
The OS for personal AI — built in a weekend, went viral in 60 days
300K+ GitHub stars · Beat React in 60 days · MIT license · Nov 2025 → now

OpenClaw is not a chatbot. It's not a language model. It's an agent runtime — an infrastructure layer that connects any LLM (Claude, GPT-4, DeepSeek, local Ollama models) to your actual computer and lets it do real things. Send emails. Read files. Run code. Browse the web. Interact with APIs. Execute shell commands. While you sleep.

Austrian developer Peter Steinberger built the first version in November 2025. Originally called Clawdbot — a playful nod to Claude. Anthropic sent a trademark complaint. He renamed it Moltbot, then OpenClaw. The product: an always-on agent you control through WhatsApp, Telegram, Slack, or Discord. You message it like a person. It does the work.


The viral moment: Entrepreneur Matt Schlicht launched Moltbook — a social platform where AI agents could create profiles and chat with each other. People started spinning up OpenClaw agents and watching them interact. The spectacle of autonomous AI agents publicly socializing was surreal enough to go viral instantly. OpenClaw collected 60,000 GitHub stars in 72 hours. React took 10 years to reach 250,000. OpenClaw got there in 60 days.

[Chart: GitHub Stars — OpenClaw vs Historical Projects]

OpenClaw is now the most-starred software project on GitHub. On March 3, 2026, it surpassed React at 250,829 stars — in roughly 1/60th the time.

OpenClaw isn't doing anything fundamentally new — connecting LLMs to tools has existed since early ChatGPT plugins. What it did differently was radical simplicity and local-first privacy. No browser. No cloud intermediary routing your data. No subscription. One command to install. Everything runs on your machine. Your data never leaves.

That privacy-first, open-source, always-on agent struck a nerve. Small businesses deployed it for lead generation. Developers used it for autonomous coding workflows. In China — where GPT and Claude aren't directly available — hundreds of thousands deployed it with DeepSeek through Ollama. The Shenzhen government announced 40% cost reimbursements for companies using it. Over 1,000 people queued outside Tencent's headquarters for help with installation.

Messaging as Interface
You interact through WhatsApp, Telegram, Slack, Discord, iMessage. No new app. The agent lives inside the tools you already use 24/7.

Local-First Privacy
Runs on your hardware. Configuration, history, memory — all stored locally. Nothing routed through a cloud provider you don't control.

Skills System
Extensions that connect the agent to browsers, files, APIs, shell. 100+ built-in skills. Anyone can write and publish new ones to ClawHub.

Model Agnostic
Works with any LLM — Claude, GPT-4, DeepSeek, Gemini, or local models via Ollama. Switch models without changing your workflow.


The agent paradigm shift in one sentence: Traditional AI tools are stateless assistants — you ask, they answer, they forget. OpenClaw introduces persistent agents — they remember context across sessions, act on your behalf without being asked, and operate on your environment with operating-system-level access. That last part is where everything gets complicated.

02 · The Problem Nobody Wanted to Say Loudly
9 CVEs. 42,665 exposed instances. 36% of skills with prompt injections.
CVE-2026-25253 — CVSS 8.8 · 135K+ unprotected instances · Cisco, CrowdStrike, Gartner

OpenClaw's own maintainer, known as Shadow, wrote this in Discord: "If you can't understand how to run a command line, this is far too dangerous of a project for you to use safely." That warning was about a tool with 2 million monthly active users.

The power that makes OpenClaw useful is exactly what makes it dangerous. An agent that can access your filesystem, run shell commands, send emails, read your calendar, and interact with external APIs — that's an enormously powerful attack surface. And in the first two months after going viral, the vulnerabilities started surfacing.

CVE-2026-25253 · CVSS 8.8 · CRITICAL
Gateway URL Injection
The Control UI accepted a gatewayUrl parameter from the query string without validation and automatically established a WebSocket connection. Visiting a malicious page sent the auth token to an attacker-controlled server. With the token, an attacker could disable the sandbox, modify configuration, and execute arbitrary code on the host — bypassing the Docker container entirely.

ClawJacked · Multiple CVEs · HIGH
Local WebSocket Exploit
Attackers could control the AI agent and access device data by exploiting the local WebSocket service. No authentication required for local connections in default configurations. Once accessed, full agent control — including file access and command execution — was achievable without user awareness.

ClawHub Skills · Undisclosed · HIGH
Malicious Plugin Supply Chain
Security researchers found that 36% of publicly listed ClawHub skills contained prompt injection payloads. Several skills disguised as crypto trading tools or automation scripts performed data exfiltration without user awareness. Cisco tested a third-party skill and confirmed it performed prompt injection attacks in real conditions.
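The missing check in the gateway URL injection case above, as an added example that is not OpenClaw's or NemoClaw's code: validate a gatewayUrl-style parameter before a control UI uses it to open a WebSocket that carries the auth token. The function name, the loopback-or-same-host rule and the sample URLs are assumptions, not OpenClaw's documented fix.

```python
from urllib.parse import urlsplit, urlunsplit
from typing import Optional

# Hosts the control UI may connect to besides the host it was served from.
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def safe_gateway_url(raw: str, ui_host: str) -> Optional[str]:
    """Return a normalised gateway URL if it is safe to auto-connect to, else None.

    ui_host is the hostname (no port) the control UI itself was loaded from.
    Refusing everything that is not loopback or same-host is what keeps an
    attacker-chosen gatewayUrl from ever receiving the auth token.
    """
    try:
        parts = urlsplit(raw.strip())
    except ValueError:  # e.g. unbalanced IPv6 brackets
        return None
    if parts.scheme not in ("ws", "wss"):
        return None  # also rejects http(s):, javascript:, data: ...
    if parts.username is not None or parts.password is not None:
        return None  # 'ws://127.0.0.1@other.example/' really points at other.example
    host = parts.hostname  # already lower-cased by urlsplit
    if host is None:
        return None
    try:
        parts.port  # raises ValueError for a non-numeric port
    except ValueError:
        return None
    if host not in LOOPBACK_HOSTS and host != ui_host.lower():
        return None  # the token must never leave the local gateway
    # Drop query and fragment so nothing attacker-controlled rides along.
    return urlunsplit((parts.scheme, parts.netloc.lower(), parts.path or "/", "", ""))
```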

Prompt injection isn't new — it's been discussed since 2022. But it becomes catastrophically more dangerous when the model being injected has tool access. In a chatbot, a successful prompt injection produces harmful text. In an agent with filesystem and email access, it can exfiltrate gigabytes of data, send emails impersonating the user, or modify files — all without the user doing anything wrong.

[Diagram: Prompt Injection Attack Flow — Agent vs Chatbot]

CHATBOT (limited blast radius):
  malicious content in webpage → injected instruction → harmful text output
  Damage: offensive/misleading text

OPENCLAW AGENT (unlimited blast radius):
  malicious content in webpage → injected instruction → agent reads files, emails → exfiltrates via HTTP skill
  Damage: full data breach, impersonation, code execution

By mid-2025, the list of companies quietly banning or severely restricting agentic AI tools had grown significantly. Meta restricted employees from running OpenClaw on company-issued devices. Chinese state-run enterprises and government agencies were prohibited by national authorities. The reasons were consistent across organizations: no governance layer, no audit trail, no data sovereignty, no blast-radius containment.

The Gartner Report That Changed Everything

In December 2025, Gartner estimated that more than 4 in 10 agentic AI projects would be abandoned by 2027 without a dedicated governance and security infrastructure layer. The reasoning wasn't about the agents' intelligence — it was about what happens when powerful autonomous programs operate inside corporate networks with insufficient guardrails. What happens to compliance? To data sovereignty? To liability? That report circulated in Slack channels and board decks for months. It crystallized the problem in language enterprises understand: risk and money.

The problem wasn't OpenClaw's design — it was that OpenClaw was designed by a solo developer for personal use, then adopted by enterprises without the security infrastructure layer that enterprise software normally ships with. The demand was real. The gap was equally real.

The Enterprise Adoption Gap

OpenClaw provided everything except the enterprise-critical layer. NemoClaw fills exactly that gap — without replacing or forking OpenClaw.

03 · NemoClaw
One command. Enterprise-grade security on top of the world's fastest-growing agent platform.
Released Mar 16 2026 · OpenShell sandbox · RTX laptop → DGX · Early preview / MIT

NemoClaw is not a replacement for OpenClaw. It's not a fork. It's an enterprise security layer that installs on top of OpenClaw in a single command, adding the sandboxing, policy enforcement, and privacy routing that enterprises need — without changing the OpenClaw experience at all for the agent or the user.

Install in three commands:
pip install nemoclaw
nemoclaw install my-assistant --model nemotron-3-super
nemoclaw my-assistant connect

The install summary prints your active sandbox policy, model endpoint, and security configuration. You know exactly what's running.

OpenShell Sandboxing
Every agent action runs inside a secure isolated container. File access restricted to whitelisted directories. Network requests filtered by policy. System commands require explicit approval. If the agent gets compromised via prompt injection, the blast radius is contained to what the sandbox allows.

Prompt Injection Detection
Every incoming prompt and agent instruction is scanned for injection attacks, jailbreak patterns, and malicious payloads before they reach the model. The detection happens at the input layer — the model never sees the injected instruction.

Privacy Router
Cloud model API requests are routed through a controlled gateway that strips PII, masks sensitive fields, and logs what goes out. For teams that must use cloud models but can't let raw data leave the building, this is the compliance answer.

Local Nemotron Models
For maximum privacy, NemoClaw ships with Nemotron models that run entirely on-device. Data never leaves your hardware at all. Runs on any RTX GPU — laptop to DGX Station — without cloud API calls.

OpenShell is NVIDIA's sandboxing runtime — part of the Agent Toolkit. It uses three Linux kernel security primitives stacked together to contain agent behavior:

[Diagram: OpenShell — Three-Layer Security Stack]

OpenClaw Agent (autonomous actions, tool calls, file access)
  ↓ contained by
OPENSHELL SANDBOX
  Landlock: Linux kernel filesystem access control; the agent can only reach whitelisted paths
  seccomp: syscall whitelist; only permitted kernel calls are allowed, which blocks privilege escalation
  netns: network namespace isolation; outbound traffic is gated by an explicit egress policy
  ↓
Host Hardware (RTX PC / RTX PRO / DGX Station / DGX Spark)

The key property of this stack: even a fully compromised agent — one that has been successfully prompt-injected with malicious instructions — cannot exceed the permissions the sandbox allows. The attack surface is bounded. A compromised agent can only do what you explicitly said it could do. This is the property enterprises need before they can deploy agents on production networks.

YAML Policy Files — Human-Readable Access Control

NemoClaw's access policies are defined in YAML configuration files. An operator can specify exactly which directories the agent can read, which domains it can reach, which syscalls are permitted, and which skills are allowed to run. The policy file ships with the deployment, can be version-controlled, and can be audited by compliance teams without understanding the underlying kernel security mechanisms. This is what enterprise IT needs: not just security, but auditable, explainable security.
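To make the three-layer stack and the YAML policy idea concrete, here is an added example (not NemoClaw's own code) of a tiny policy evaluator: a constructed policy in the shape PyYAML would load from a hypothetical YAML file, with each section mapped to the Landlock, seccomp or netns layer that would enforce it. The key names, helper functions and sample requests are assumptions; in a real sandbox the kernel enforces these rules, and this only models the allow/deny decision.

```python
import posixpath
from typing import Tuple

# Constructed policy, written as the dict PyYAML's safe_load would return for a
# small YAML file. Each section maps to one OpenShell layer from the text; the
# key names are a hypothetical schema, not NemoClaw's real one.
POLICY = {
    "filesystem": {  # enforced by Landlock
        "read": ["/workspace", "/etc/ssl/certs"],
        "write": ["/workspace/out"],
    },
    "network": {  # enforced by a netns egress filter
        "egress": ["api.example-llm.test", "*.internal.example"],
    },
    "syscalls": {  # enforced by a seccomp allowlist
        "allow": ["read", "write", "openat", "close", "connect", "exit_group"],
    },
}


def _under(path: str, roots) -> bool:
    """True if the normalised path is inside one of the allowed roots.
    normpath collapses '..', so '/workspace/../etc/shadow' is judged as /etc/shadow."""
    norm = posixpath.normpath(path)
    return any(norm == r or norm.startswith(r.rstrip("/") + "/") for r in roots)


def _host_matches(host: str, patterns) -> bool:
    """Exact match, or '*.domain' matching subdomains only (not the bare domain)."""
    host = host.lower().rstrip(".")
    for p in patterns:
        if p.startswith("*."):
            if host.endswith(p[1:]):
                return True
        elif host == p.lower():
            return True
    return False


def evaluate(policy: dict, kind: str, target: str, mode: str = "read") -> Tuple[bool, str]:
    """Return (allowed, reason) for one requested agent action.
    kind is 'file', 'net' or 'syscall'; anything else is denied by default."""
    if kind == "file":
        ok = _under(target, policy["filesystem"].get(mode, []))
        return ok, f"landlock: {mode} {target} {'allowed' if ok else 'denied'}"
    if kind == "net":
        ok = _host_matches(target, policy["network"].get("egress", []))
        return ok, f"netns: egress to {target} {'allowed' if ok else 'denied'}"
    if kind == "syscall":
        ok = target in policy["syscalls"].get("allow", [])
        return ok, f"seccomp: {target} {'allowed' if ok else 'denied'}"
    return False, f"unknown action kind {kind!r} denied"


if __name__ == "__main__":
    # Requests a prompt-injected agent might make; none are granted by the policy.
    for req in [("file", "/workspace/../home/user/private.key", "read"),
                ("net", "unlisted-host.test", "read"),
                ("syscall", "ptrace", "read")]:
        print(evaluate(POLICY, *req))
```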

Threat | OpenClaw alone | OpenClaw + NemoClaw
--- | --- | ---
Prompt injection via webpage | Full agent control | Detected at input, blocked
Malicious ClawHub skill | Data exfiltration possible | Sandbox limits outbound traffic
CVE-2026-25253 (gateway exploit) | Arbitrary code execution | Syscall restriction via seccomp
Sensitive data in LLM prompt | Sent to cloud API raw | Privacy router strips PII first
Agent accessing unauthorized files | Full filesystem access | Landlock restricts to whitelist
Compliance audit trail | None | YAML policies + logs

04 · The CUDA Playbook
This isn't philanthropy. It's the same move NVIDIA made in 2006.

To understand why NVIDIA built NemoClaw for free and released it as open source, you need to remember what CUDA is. In 2006, NVIDIA released CUDA — a free programming framework that let developers use NVIDIA GPUs for general-purpose computing. They didn't charge for it. They gave it away.

Twenty years later, CUDA is installed on roughly 4 million developer machines. The entire deep learning ecosystem — TensorFlow, PyTorch, every major AI framework — runs on CUDA. Switching away from NVIDIA hardware means abandoning that ecosystem. CUDA isn't a product. It's a moat.

The NemoClaw Thesis — Verbatim from Jensen Huang

"Mac and Windows are the operating systems for the personal computer. OpenClaw is the operating system for personal AI. This is the moment the industry has been waiting for — the beginning of a new renaissance in software."

That framing is deliberate. NVIDIA isn't positioning NemoClaw as a security product. They're positioning it as the infrastructure layer for the agent era — the way CUDA became the infrastructure layer for the GPU era. Every enterprise that deploys NemoClaw is running Nemotron models. Every Nemotron model runs best on NVIDIA hardware. The virtuous cycle is intentional.

NVIDIA could have built their own agent framework. They chose to build on top of OpenClaw. That's a calculated decision: OpenClaw already has 300K+ developers, 2M monthly active users, Tencent and WeChat integrations, and enterprise adoption in motion. Competing with it would be slow and expensive. Enabling it is fast and generates GPU demand immediately.

300K

Stars NVIDIA didn't have to earn

By building on OpenClaw, NemoClaw has an instant distribution channel into the most active open-source AI community in history. Not one developer had to be convinced to try OpenClaw — they were already there.

40%

The enterprise adoption unlocked

Gartner's 40% abandonment risk was blocking enterprise OpenClaw deployment. NemoClaw directly addresses that risk. Every enterprise that was waiting for a security layer is now a potential NemoClaw — and therefore Nemotron and NVIDIA hardware — customer.

Always-on agents need dedicated compute

An always-on AI agent running 24/7 needs dedicated hardware. A laptop CPU isn't enough. DGX Spark, DGX Station, RTX Pro workstations — NVIDIA's hardware stack becomes the natural answer to "where do I run this?"

NVIDIA is not trying to sell NemoClaw. They're trying to own the platform that agents run on. NemoClaw is the entry point. OpenShell is the runtime. Nemotron is the model. NIM microservices are the deployment layer. NVIDIA GPUs are the hardware. The whole stack is coherent — and the moment you're inside it, switching out any one piece becomes harder.

[Diagram: NVIDIA's Agent Platform Stack]

Enterprise / Developer
  ↓ uses
NemoClaw (installation + orchestration layer)
  ↓ runs on
OpenShell (NVIDIA OpenShell Runtime; sandboxed agent execution)
  ↓ uses
Nemotron (local model) / NIM microservices (cloud inference)
  ↓ requires
NVIDIA GPU Hardware (RTX / DGX Spark / DGX Station)

The honest read: This is CUDA 2.0. CUDA made NVIDIA indispensable for training AI. NemoClaw is the bet that NVIDIA can make itself indispensable for running AI agents. The timing is deliberate — OpenClaw exploded before any competitor had a security layer ready. NVIDIA shipped NemoClaw 11 days after Jensen Huang called OpenClaw the most important software ever. In tech, 11 days is not a coincidence. It was in development long before the GTC announcement.

From Clawdbot to the Agent Era

Nov 2025 · Clawdbot launches
Peter Steinberger ships the first version as a personal side project. An always-on AI agent controlled through messaging apps. Built in a weekend.
Tags: Clawdbot · MIT license

Jan 27 2026 · Renamed to OpenClaw — Moltbook launches
Anthropic trademark complaint → Moltbot → OpenClaw in 3 days. Moltbook launches simultaneously — AI agents publicly socializing. 60,000 stars in 72 hours. The explosion begins.
Tags: OpenClaw · Moltbook · 60K stars/72h

Jan 30 2026 · CVE-2026-25253 disclosed — CVSS 8.8
Researcher Mav Levin discloses the critical gateway URL injection vulnerability. Auth token exfiltration, arbitrary code execution. The security community takes notice.
Tags: CVE-2026-25253 · CVSS 8.8

Feb 14 2026 · Steinberger joins OpenAI
Project transferred to an independent open-source foundation. Development pace unchanged. OpenClaw surpasses React at 250,829 stars on March 3.
Tags: OpenAI · Independent foundation · #1 on GitHub

Mar 5 2026 · Jensen Huang calls it "most important software ever"
At the Morgan Stanley TMT Conference: "Probably the single most important release of software, probably ever." The enterprise world starts paying attention to OpenClaw for the first time.
Tags: Jensen Huang · Morgan Stanley TMT

Mar 11 2026 · Nemotron 3 Super announced at GTC
120B/12B active parameter model. LatentMoE, 1M context, NVFP4. Scores 85.6% on PinchBench — the benchmark specifically designed to measure OpenClaw agent performance.
Tags: Nemotron 3 Super · 85.6% PinchBench

Mar 16 2026 · NemoClaw early preview ships
OpenClaw + OpenShell + Nemotron in one command. Sandboxed agents on RTX hardware. Privacy-first. Prompt injection detection. YAML policy files. The enterprise gap closes.
Tags: NemoClaw · OpenShell · Enterprise-ready

Now · The agent era begins — in earnest
Tencent, WeChat, LangChain, Cursor all building on OpenClaw. Nemotron Coalition co-developing frontier models. The platform play is in motion.
Tags: Tencent · LangChain · Nemotron 4

Is this really the beginning of the agent era?

What's genuinely new
Always-on, persistent, messaging-native agents running locally with operating system access. The demand is real — 300K stars doesn't lie. Enterprises were waiting for a security layer. Now there is one.

What's still unsolved
Prompt injection at scale is unsolved. NemoClaw detects patterns — it doesn't eliminate the fundamental problem. Malicious skills will keep appearing on ClawHub faster than they can be scanned. The supply chain problem is hard.

What NVIDIA actually built
Not a product. A platform moat. NemoClaw, OpenShell, Nemotron, NIM, DGX hardware — a vertically integrated stack that's open at the top and NVIDIA hardware at the bottom. The CUDA playbook.

What comes next
Multi-agent systems where specialized agents coordinate on tasks. PinchBench is the early signal — benchmarks designed around agent coordination, not isolated capability. The evaluation infrastructure is being built in real-time.


My take: Jensen Huang used the word "renaissance." That's not hyperbole for its own sake — it's a precise historical analogy. The Renaissance wasn't one invention. It was a period where the conditions finally aligned for many inventions to compound. OpenClaw is not the invention. It's the condition: an open, accessible, local-first agent runtime that anyone can build on. NemoClaw is what turns that condition into something enterprises can actually deploy.

The question isn't whether autonomous AI agents are coming. It's who controls the platform they run on. That's NVIDIA's bet. And the CUDA precedent suggests they know exactly how to play this game.