NemoClaw
On March 16, NVIDIA announced NemoClaw: a stack for running AI agents inside OpenShell, a new open-source security runtime. The pitch: agents need an infrastructure layer beneath them that enforces policy, isolates data, and controls what they can access. OpenShell provides a sandbox with deny-by-default policies, a privacy router that strips credentials before cloud routing, and YAML-based policy controls for filesystem, network, and process access.
The problem statement is correct. AI agents operating with production credentials, making unsupervised changes, and transmitting data to third-party inference APIs without controls are a real and growing risk. We have been writing about this. NVIDIA describing it as “the missing infrastructure layer beneath agents” validates what infrastructure engineers already know.
The solution deserves scrutiny.
Containment is not isolation
OpenShell sandboxes each agent with configurable policy controls. Filesystem access, network connections, and process execution are restricted by declarative YAML policies. This is real enforcement at the process level. It is a meaningful improvement over behavioral guardrails.
But credentials are injected into the sandbox at creation. NVIDIA describes these as “named credential bundles” that are provided to the agent’s environment when the sandbox starts. The privacy router can strip caller credentials and inject backend credentials before forwarding requests. The agent’s outbound calls are mediated.
This is containment. The agent runs inside a boundary. The boundary has rules. The credentials exist inside the boundary.
The alternative architecture is one where the credentials never exist in the agent’s process at all. The agent requests an operation. A proxy evaluates the request against policy, executes the operation with credentials the agent never sees, and returns the result. The agent cannot leak what it does not have. The agent cannot exfiltrate what is not in its memory. The distinction is between a sandbox that limits what the agent can do with credentials and an architecture where the agent operates without credentials entirely.
Process isolation answers: “Can the agent escape?” Credential isolation answers: “Does it matter if it does?”
We have seen this before
Cumulus Networks built an open-source network operating system called Cumulus Linux. It ran on 134 switch platforms from 14 different ASICs, including Broadcom and Mellanox hardware. It was the most hardware-agnostic network OS in the industry. Engineers could choose their switches and run Cumulus on whatever they had.
NVIDIA acquired Cumulus in May 2020. The announcement promised that Cumulus would “remain open” and that NVIDIA would continue its multi-vendor support.
Here is what actually happened:
- Cumulus Linux 4.4 dropped support for every ASIC except NVIDIA Spectrum. The 134-platform ecosystem became Spectrum-only.
- Broadcom-based white box switch users were told to swap to Mellanox hardware.
- NVIDIA discontinued standalone Cumulus VX images. You can no longer download and run Cumulus locally. You must use NVIDIA AIR, their proprietary cloud simulation platform.
- The community that built on Cumulus because it was open and hardware-agnostic lost both properties.
One commenter summarized it: “NVIDIA has ruined the only exciting thing that came out of the SDN era.”
Glass half empty
OpenShell runs anywhere Docker runs. No NVIDIA hardware required. The runtime is genuinely portable. That is the glass half full.
NemoClaw wraps OpenShell into a stack that launches on “NVIDIA GeForce RTX PCs, RTX PRO workstations, DGX Station, and DGX Spark systems.” The open layer runs anywhere. The product layer runs on NVIDIA. That is the glass half empty.
OpenShell lives under github.com/NVIDIA. NVIDIA controls the roadmap, the integrations, and the feature decisions. Every community contribution improves software that NVIDIA steers. OpenClaw, the open standard for agent safety that NemoClaw claims to implement, was put into a foundation before anyone could strip it of its platform-agnostic modularity. If OpenShell is truly open, put it in a foundation. Until then, it is open source under NVIDIA’s roof, and we have seen what happens to projects under NVIDIA’s roof.
The return of Cumulus
At GTC 2026, NVIDIA stopped selling components and started selling infrastructure. The Vera Rubin NVL72 is a full rack: 72 Rubin GPUs, 36 Vera CPUs, liquid-cooled, fanless, cableless, 1,296 chips, 4,000 pounds. The Spectrum-6 SPX is the networking rack. BlueField-4 STX is the storage rack. Vera CPU racks for general compute. Each one is NVIDIA silicon top to bottom.
The networking layer is Spectrum, running Cumulus under a proprietary EULA. The inference models are Nemotron, released under an open license. The agent runtime is OpenShell and NemoClaw, the newest addition to the stack. Open where adoption is needed, proprietary where the hardware is already sold. Every layer runs best (or only) on NVIDIA hardware.
NVIDIA still sells components. But the strategy is a full-stack infrastructure play where open source is the adoption funnel and the rack is the revenue model. You evaluate OpenShell as a standalone project. Maybe even incorporate it into your internal tooling, or ship it as part of your product. Contribute back, and hope that the license does not change, the scope does not narrow, and that PR you submitted last month gets reviewed.
Cumulus is the proof. Broadcom users found alternatives. Spectrum users stayed. NVIDIA kept the code, the contributions, and the momentum. Those contributions now live inside the closed rack.
The infrastructure layer agents actually need
NVIDIA is right that agents need an infrastructure control layer. The problem is real. The question is what that layer should look like.
A sandbox that injects credentials and mediates outbound calls is better than no sandbox. But it is still a process-isolation model. The agent has credentials in memory. The security boundary is the sandbox wall. If the wall fails, the credentials are exposed. If the agent is compromised within the sandbox, it has everything it needs.
The infrastructure layer agents need should enforce policy before credentials enter the agent’s process, capture evidence by construction, and work regardless of whether the agent runs on NVIDIA silicon or anything else.
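The credential-isolating proxy described earlier, and the "policy before credentials, evidence by construction" requirement stated here, can be sketched as one small broker. This is an added example, not code from OpenShell, NemoClaw, or the author: the `Broker` class, the policy shape, the `fake_backend` stub and the token are all constructed for illustration, and a real broker would run in a separate process or host from the agent rather than in the same interpreter.

```python
import hashlib, json

# Constructed sample data: deny-by-default policy and a broker-held secret.
POLICY = {"agent-7": [{"op": "dns.read", "resource": "zone/example.test"}]}
SECRETS = {"dns": "tok-constructed-123"}

def fake_backend(op, resource, token):
    # Constructed stand-in for a real API; it authenticates the broker, not the agent.
    if token != SECRETS["dns"]:
        raise PermissionError("bad token")
    return f"{op} on {resource}: 3 records"

class Broker:
    """Holds credentials; the agent only ever sees request() and its return value."""
    def __init__(self, policy, secrets, backend):
        self._policy, self._secrets, self._backend = policy, secrets, backend
        self.audit, self._prev = [], "0" * 64   # hash-chained evidence log

    def _record(self, entry):
        entry["prev"] = self._prev
        digest = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        entry["hash"] = self._prev = digest
        self.audit.append(entry)

    def request(self, agent, op, resource):
        allowed = {"op": op, "resource": resource} in self._policy.get(agent, [])
        self._record({"agent": agent, "op": op, "resource": resource,
                      "decision": "allow" if allowed else "deny"})
        if not allowed:
            return {"ok": False, "error": "denied by policy"}
        # The credential is looked up only after the policy decision is logged.
        token = self._secrets[op.split(".")[0]]
        return {"ok": True, "result": self._backend(op, resource, token)}

def verify_chain(audit):
    prev = "0" * 64
    for e in audit:
        body = {k: v for k, v in e.items() if k != "hash"}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if e["prev"] != prev or digest != e["hash"]:
            return False
        prev = e["hash"]
    return True

def demo():
    broker = Broker(POLICY, SECRETS, fake_backend)
    ok = broker.request("agent-7", "dns.read", "zone/example.test")
    denied = broker.request("agent-7", "dns.write", "zone/example.test")
    return broker, ok, denied
```

Neither the response nor the audit record contains the token, and editing any logged decision after the fact breaks `verify_chain`.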
Open means forkable, not trustworthy#
The Apache 2.0 license on OpenShell is genuine. If NVIDIA narrows OpenShell to Spectrum GPUs or DGX-only runtimes, anyone can fork it. That is the protection mechanism of open source.
But forking is a last resort, not a strategy. After Brocade acquired Vyatta and discontinued the open-source edition, the community forked it into VyOS. Thirteen years later, VyOS is still open, still community-driven, still actively maintained, still running on whatever hardware you put it on. The difference is that no hardware vendor controlled the fork. The incentives stayed aligned.
Cumulus had no such luck. The community did not fork it when NVIDIA dropped Broadcom support. They found alternatives. The ecosystem dissolved. NVIDIA is still using Cumulus, now under a proprietary EULA that prohibits reverse engineering, derivative works, competing products, and even publishing benchmarks without written permission. Community contributions made under an open source license now live inside proprietary software.
Open source licenses and community contributions are powerful. But a company with shareholders does not have a conscience. It has a revenue model. Every PR opened against a project under a corporate roof carries the same question: will the work still matter after the next strategy shift?