NVIDIA Nemotron & NemoClaw

Executive Summary

NVIDIA announced two products at GTC 2026 (March 16) that directly impact our OpenClaw evaluation:

• Nemotron — NVIDIA's open-source LLM family. Hybrid Mamba-Transformer architecture with Mixture-of-Experts. Models range from 4B to ~500B parameters, but only activate 1B–50B at inference time, making them fast and efficient. Free, permissive license. Designed for agentic AI workloads at scale.
• NemoClaw — An enterprise security wrapper that installs OpenClaw + Nemotron models inside a sandboxed runtime with network isolation, filesystem restrictions, and privacy routing. Apache 2.0 license. Currently alpha.

NVIDIA Nemotron — The Model Family

What Is It?

Nemotron is NVIDIA's family of open foundation models, spanning four generations since 2024. The current generation (Nemotron 3) introduces a breakthrough hybrid Mamba-Transformer Mixture-of-Experts architecture that delivers frontier-class quality at a fraction of the compute cost.

NVIDIA's strategy is clear: give away the models to sell the hardware. But the models are genuinely good, and the licensing is among the most permissive in the industry.

The Nemotron 3 Lineup

Architecture Deep Dive

The Nemotron 3 architecture combines three paradigms that have individually proven successful:

1. Mamba-2 Layers (Linear-Time Sequence Processing)

• Process sequences in O(n) time instead of O(n²) for standard attention
• Excellent for long context windows — 1M tokens becomes practical
• Handle sequential reasoning and pattern matching efficiently
• 23 of 52 layers in Nano 30B are Mamba-2

2. Transformer Attention Layers (Precise Associative Recall)

• Grouped Query Attention (GQA) with 2 groups for efficiency
• Handle tasks requiring precise retrieval from context (names, numbers, code references)
• 6 of 52 layers in Nano 30B are GQA attention
• Placed strategically where precise recall matters most

3. Mixture-of-Experts (Parameter Efficiency)

• 23 of 52 layers are MoE in Nano 30B
• Each MoE layer has multiple specialist "expert" sub-networks
• Router selects only 1–2 experts per token — rest stay dormant
• Result: 30B total params but only 3B active per token = 10x efficiency

Novel Innovation — Latent MoE

Compresses token representations before routing to experts. Enables 4x more expert specialists at the same inference cost. Think of it as "expert specialization on a budget."

Multi-Token Prediction (MTP)

Model predicts multiple future tokens simultaneously. Up to 3x wall-clock speedup for structured output (JSON, code, markdown). Particularly valuable for agent tool-calling patterns.

NVFP4 Native Training

First models trained natively in 4-bit floating point precision. Purpose-built for NVIDIA B200 GPUs. 4x memory and compute efficiency vs FP8 on H100. Means smaller GPUs can run larger models.

Training Pipeline

Phase 1 — Pretraining

• 25 trillion tokens (massive — GPT-4 was reportedly ~13T)
• NVFP4 precision on B200 GPU clusters
• NVIDIA released 3T+ tokens of the pretraining data publicly

Phase 2 — Supervised Fine-Tuning

• 7 million samples from a 40M-sample post-training corpus
• Curated for instruction following, tool use, and agentic behavior
• NVIDIA released 18M samples of this data publicly

Phase 3 — Multi-Environment Reinforcement Learning

• 21 different environment configurations
• 1.2 million environment rollouts
• 10 new training gym environments (open-sourced)
• Optimized for multi-step reasoning and real-world task completion

Benchmark Performance

Nemotron 3 Super (120B / 12B active)

Historical: Llama-Nemotron 70B vs Competitors

Specialized Variants

Licensing

NVIDIA Open Model License:

• Use, modify, distribute, commercially deploy — all allowed
• Royalty-free, perpetual, worldwide
• No attribution required
• Weights, training data, AND training recipes all published
• One of the most permissive AI model licenses in existence

Availability

The Nemotron Coalition

Announced at GTC 2026 — a first-of-its-kind global collaboration:

Members: Black Forest Labs, Cursor, LangChain, Mistral AI, Perplexity, Reflection AI, Sarvam, Thinking Machines Lab

Goal: Collaboratively build the next generation of open frontier models across six families:

1. Nemotron — Language
2. Cosmos — World models / vision
3. Isaac GR00T — Robotics
4. Alpaymayo — Autonomous driving
5. BioNeMo — Biology / chemistry
6. Earth-2 — Weather / climate

Notable Adopters

Accenture, Cadence, CrowdStrike, Cursor, Deloitte, EY, Oracle Cloud Infrastructure, Palantir, Perplexity, ServiceNow, Siemens, Synopsys, Zoom

NVIDIA NemoClaw — The Security Wrapper

What Is It?

NemoClaw is an open-source software stack that wraps OpenClaw with enterprise-grade security, privacy, and isolation controls. It is not a separate agent — it is OpenClaw running inside NVIDIA's security infrastructure.

Jensen Huang, GTC 2026 keynote: "30 years of NVIDIA computing, distilled into an agent platform."

Peter Steinberger (OpenClaw creator, now at OpenAI): "With NVIDIA and the broader ecosystem, we're building the claws and guardrails that let anyone create powerful, secure AI assistants."

One-Command Install

curl -fsSL https://nvidia.com/nemoclaw.sh | bash

This installs:

• OpenClaw agent
• Nemotron models (default: Nemotron 3 Super 120B)
• OpenShell sandboxed runtime
• NVIDIA Agent Toolkit with pre-configured security policies

Architecture

Two-component design:

The Four-Layer Security Model

This is NemoClaw's core value proposition — the direct answer to OpenClaw's CRITICAL security rating.

Layer 1: Network Isolation

• Default deny — all network connections blocked unless explicitly whitelisted
• Policy defined in openclaw-sandbox.yaml (human-readable, version-controlled)
• Unauthorized requests are blocked AND surfaced in a TUI for operator review
• Hot-reloadable — change policies without restarting the sandbox
• What this fixes: OpenClaw's 40K+ exposed instances problem. NemoClaw never listens on 0.0.0.0.

Layer 2: Filesystem Restrictions

• Agent can write ONLY to /sandbox and /tmp
• All other filesystem paths are read-only
• No access to host filesystem outside the container
• What this fixes: OpenClaw's unrestricted file access (could read SSH keys, credentials, browser data)

Layer 3: Process Protection

• Agent runs inside OpenShell — a K3s-based container sandbox
• All blueprints are immutable, versioned, and digest-verified
• Executed as subprocesses with restricted capabilities
• No privilege escalation possible from within the sandbox
• What this fixes: OpenClaw's Docker sandbox being OFF by default, arbitrary code execution risk

Layer 4: Inference Routing (Privacy Router)

• All model API calls route through OpenShell — agent cannot call external APIs directly
• Privacy router makes the key decision for each query:
  • Sensitive data → routed to local Nemotron models (never leaves the machine)
  • Non-sensitive / high-capability needed → routed to frontier cloud models (Claude, GPT)
• Configurable classification rules for what counts as "sensitive"
• What this fixes: OpenClaw's credential and PII leakage to external model providers

System Requirements

Hardware agnostic — does not require NVIDIA GPUs (though optimized for them). Supported on: GeForce RTX PCs, RTX PRO workstations, DGX Station, DGX Spark, any Linux machine with Docker.

Release Status

Enterprise Partnerships

Being pursued for NemoClaw integrations: Salesforce, Cisco, Google, Adobe, CrowdStrike, SAP, JFrog (supply chain security)

OpenClaw — Quick Refresher

For full details, see our Deep Research Report on Notion.

Why We Were Cautious

1. 40K+ instances exposed on public internet — Gateway binds to 0.0.0.0
2. ClawHavoc attack — 1,184 malicious skills in official marketplace (12–20% compromised)
3. Prompt-based security — safety rules are instructions, not architectural boundaries
4. Microsoft's warning: "Not appropriate to run on a standard personal or enterprise workstation"
5. Jack's allergy rules — cannot safely move from hardcoded logic to prompt-based

The Full Stack: OpenClaw + NemoClaw + Nemotron

How They Fit Together

┌────────────────────────────────────────────────────┐
│                    USER INTERFACE                     │
│     WhatsApp  Signal  Telegram  Discord  iMessage    │
└──────────────────────┬──────────────────────┘
                       │
┌──────────────────────▼──────────────────────┐
│                    OPENCLAW                           │
│     Agent Runtime · Skills · Memory · Integrations   │
│     (TypeScript, Gateway daemon, port 18789)         │
└──────────────────────┬──────────────────────┘
                       │
┌──────────────────────▼──────────────────────┐
│                    NEMOCLAW                           │
│     Security Wrapper · Sandbox · Policy Engine       │
│                                                      │
│  ┌─────────────┐  ┌──────────────┐  ┌────────────┐  │
│  │   Network    │  │  Filesystem  │  │  Process   │  │
│  │  Isolation   │  │ Restrictions │  │ Protection │  │
│  │ (whitelist)  │  │ (/sandbox    │  │ (OpenShell │  │
│  │              │  │  /tmp only)  │  │  K3s)      │  │
│  └─────────────┘  └──────────────┘  └────────────┘  │
│                                                      │
│  ┌────────────────────────────────────────────┐    │
│  │           PRIVACY ROUTER                      │    │
│  │  Sensitive → Local    Non-sensitive → Cloud   │    │
│  └────────────────────────────────────────────┘    │
└──────────────────────┬──────────────────────┘
                       │
        ┌──────────────┼──────────────┐
        ▼              ▼              ▼
┌──────────────┐ ┌──────────┐ ┌──────────────┐
│   NEMOTRON   │ │  Claude  │ │   GPT / etc  │
│  (Local LLM) │ │  (Cloud) │ │   (Cloud)    │
│  Free, fast  │ │  Smart   │ │   Optional   │
│  Private     │ │  Capable │ │              │
└──────────────┘ └──────────┘ └──────────────┘

What Each Layer Provides

Why This Combination Matters

Before NemoClaw: Deploying OpenClaw required accepting CRITICAL security risk. Our evaluation said "do not deploy without full isolation" — which meant building your own sandbox, firewall rules, Docker hardening, and credential isolation manually.

With Nemotron: Routine queries (scheduling, reminders, simple lookups, home automation) run on free local models. Only complex reasoning (coding, analysis, financial) routes to Claude. This dramatically reduces API costs and keeps private data off external servers.

Comparison: Our Stack vs the NVIDIA-OpenClaw Stack

Architecture Comparison

Where Each Stack Wins

Use Cases for Our Household

High-Value Use Cases (NemoClaw + Nemotron + OpenClaw)

1. Family Messaging Hub

Ashley, Valentina, and family members message the AI via WhatsApp or Signal (apps they already use). No need to install Discord or learn terminal commands. Example: Ashley texts "What's for dinner tonight?" → agent checks meal plan, confirms allergen safety, responds. Privacy router keeps family conversations on local Nemotron — never hits external APIs.

2. Always-On Home Automation

"Turn off the lights at 10pm every night." "If the garage door is open after 11pm, close it and tell me." Scheduled tasks that our ephemeral CLI sessions can't do. Integrates with existing Home Assistant setup.

3. Proactive Scheduling

Morning briefing: weather, calendar, commute, school schedule. Automatic reminders for appointments, medications, school events. Cron-based recurring tasks without human initiation.

4. Voice Interface

Wake word activation for hands-free queries while cooking, driving, etc. Push-to-talk for quick questions. TTS responses — useful when hands are busy.

5. Music Control

"Play Jordan's bedtime playlist on the nursery Sonos." Spotify/Sonos integration through natural language.

6. Local AI for Private Tasks

Journal entries, personal reflections, sensitive family discussions. Nemotron processes locally — nothing leaves the house. Medical questions routed to local model, not cloud APIs.

Use Cases Where Our Stack Remains Superior

1. Software Development → Claude Code + developer/reviewer agents
2. Financial Analysis → CFO agent + Monarch Money MCP
3. Network Management → CTO agent + UniFi MCP
4. Security Review → CISO agent reviews before execution
5. Meal Planning → rosey-bot with hardcoded allergy rules (NEVER move to prompt-based)

The Hybrid Approach

Run both stacks, each doing what it's best at:

Security Analysis

What NemoClaw Fixes

What NemoClaw Does NOT Fix

Security Recommendation

If deploying NemoClaw + OpenClaw:

• Dedicated VM or container host (not EQR1)
• Tailscale-only network access (no public exposure)
• CISO agent review of sandbox policies before going live
• No shared credentials with our main stack
• Allergy-related meal planning stays in rosey-bot — NEVER delegate to OpenClaw
• Monitor NemoClaw GitHub for security advisories
• Revisit in 3–6 months when third-party audits exist

Hardware & Deployment Options

Option A: Docker on EQR2

Pros: Separate machine from main infrastructure, Tailscale already set up

Cons: May not have GPU for fast Nemotron inference

Option B: Dedicated VM on EQR1

Pros: EQR1 has resources, Docker available

Cons: Shares host with critical infrastructure. Adds attack surface to primary machine.

Option C: DGX Spark (New Hardware)

NVIDIA's new personal AI supercomputer. Designed specifically for NemoClaw + Nemotron.

• 128GB unified memory
• Grace Blackwell GPU
• Runs Nemotron 3 Super natively
• MSRP: ~$3,000 (pre-order)

Pros: Purpose-built, maximum Nemotron performance, dedicated hardware

Cons: $3,000, delivery timeline uncertain, may be overkill for evaluation

Option D: Cloud Instance

Spin up a cloud VM (any provider) with: 4 vCPU, 16GB RAM, 40GB disk, Docker pre-installed, Tailscale joined to our tailnet.

Pros: Zero hardware commitment, easy to tear down

Cons: Monthly cost, data leaves our network (partially offset by privacy router)

Nemotron Model Sizing for Local Inference

Cost Analysis

Current Stack Costs

NemoClaw + Nemotron Added Costs

Cost Savings from Privacy Router

With Nemotron handling routine queries locally:

• Simple questions, scheduling, reminders → Nemotron (free)
• Home automation commands → Nemotron (free)
• Family chat responses → Nemotron (free, private)
• Only coding, analysis, complex reasoning → Claude API (paid)

Recommendation

Short Term (Now — Next 30 Days)

Medium Term (30–90 Days)

Long Term (90+ Days, After NemoClaw Matures)

What We Should NEVER Do

The Hybrid Future

The ideal end state is a dual-stack architecture:

┌──────────────────────────────────────────────────────┐
│              DANIEL'S AI INFRASTRUCTURE               │
│                                                      │
│  ┌─────────────────────┐  ┌─────────────────────┐  │
│  │   CLAUDE CODE + COO │  │  NEMOCLAW + OPENCLAW  │  │
│  │                     │  │                       │  │
│  │  Coding             │  │  Family messaging     │  │
│  │  Finance            │  │  Home automation      │  │
│  │  Network mgmt       │  │  Voice / music        │  │
│  │  Security review    │  │  Scheduling / cron    │  │
│  │  Project mgmt       │  │  Quick lookups        │  │
│  │  Complex reasoning  │  │  Private queries      │  │
│  │                     │  │                       │  │
│  │  Model: Claude      │  │  Models: Nemotron     │  │
│  │  Interface: CLI     │  │  (local) + Claude     │  │
│  │                     │  │  (cloud, complex)     │  │
│  │  runs on: EQR1      │  │  Interface: WhatsApp  │  │
│  │                     │  │  Signal, Discord      │  │
│  │                     │  │                       │  │
│  │                     │  │  runs on: EQR2 or     │  │
│  │                     │  │  dedicated hardware   │  │
│  └─────────────────────┘  └─────────────────────┘  │
│                                                      │
│  ┌─────────────────────┐                             │
│  │     ROSEY-BOT       │  ← Allergy safety STAYS    │
│  │  Hardcoded rules    │    HERE. Never moves.       │
│  │  Meal plans         │                             │
│  │  Discord channels   │                             │
│  └─────────────────────┘                             │
└──────────────────────────────────────────────────────┘

Each component does what it's best at. No single point of failure. Jack's safety rules stay hardcoded. Private data stays local. Complex work uses the best model available.

Appendix: Sources