NemoClaw: The Governance-Focused Harness
NVIDIA's hardened OpenClaw fork. NeMo Guardrails. OpenShell sandboxes. Policy enforced OUTSIDE the agent's reach. The governance reference. The anti-Tau.
NemoClaw's defining principle is governance-beneath-the-agent. The enforcement layer sits in the call path between agent and world, OUTSIDE the agent's trust boundary. The agent has no API to disable, configure, or influence the guardrails. This is Module 0.2's principle realized in production: if the agent can reach the enforcement layer, a compromised agent can disable it.
NemoClaw does not improve the agent — it improves the boundary around the agent. The agent IS OpenClaw's agent (DD-07). The entire +4 over OpenClaw's 35 comes from the governance layer: +3 Module 6 (external guardrails — the highest permission score in the roster at 5/5) and +2 Module 5 (OpenShell sandboxing). Every other module is unchanged. Security is a property of the boundary, not the agent.
The NemoClaw-vs-Tau pairing is load-bearing for Course 2B. NemoClaw is the harness with all the controls (input rail, dialog rail, action rail, sandbox); Tau (DD-21) is the harness with zero defenses. Every Course 2B attack asks "does this harness enforce governance outside the agent's reach?" — NemoClaw is the yes, Tau is the no, most harnesses are a partial yes with a gap the attack exploits. The pairing defines the governance axis.
NemoClaw's pattern is the reference fix for Hermes's memory-write poisoning surface. Harness-managed writes (model proposes, harness validates) are the same principle — governance outside the agent's reach — applied to the memory write path. The write gate is the input rail for persistent storage. NemoClaw provides the template; Hermes omits the gate.
- Input rail — channel content tagged untrusted before model
- Dialog rail — output checked against policy before action
- Action rail — tool calls validated against capability policy
- OpenShell sandbox — agent never touches execution directly
- Enforcement outside the agent's reach (in the call path)
- Score: 39/60 (+4 over OpenClaw)
- No input rail — all input enters context with full trust
- No dialog rail — model output acted upon directly
- No action rail — agent actions execute unvalidated
- No sandbox — agent executes on the host
- No enforcement layer exists anywhere
- Score: near-zero effective security