NemoClaw (GNOME)
v1.0.0
NVIDIA's sandboxed AI agent (OpenClaw + OpenShell) with GNOME desktop and RDP access
What's included
- NemoClaw -- NVIDIA's sandboxed OpenClaw deployment (Apache 2.0)
- OpenClaw AI assistant inside NVIDIA OpenShell sandbox
- Kernel-level security (Landlock, seccomp, network namespaces)
- Caddy reverse proxy with auto-HTTPS, basic auth, and WebSocket support
- GNOME desktop with RDP access via xrdp
- VS Code, Firefox, Chromium
- Docker, Go, Rust, Node.js 22, Python + uv
- Playwright with Chromium and Firefox
Security
- NVIDIA OpenShell sandbox (agents can only write to /sandbox and /tmp)
- Deny-by-default egress policies (L4/L7 enforcement)
- Caddy: HSTS, X-Content-Type-Options, X-Frame-Options, Referrer-Policy
- Basic auth + WebSocket transport pinned to HTTP 1.1/2
After install
- Open the web UI URL shown at the end of install
- Enter the sandbox: nemoclaw assistant connect
- Use the TUI inside sandbox: openclaw tui
- Connect via RDP on port 3389 with the shown credentials
Supported Operating Systems
- Ubuntu 24
- Ubuntu 25
- Debian 12
- Debian 13
Requirements
- RAM: 8GB minimum
- Disk: 20GB minimum
Configuration
| Variable | Default | Description |
|---|---|---|
| NEMOCLAW_HOST | server hostname | Domain name or IP. Domains get auto-HTTPS via Let's Encrypt. |
| NEMOCLAW_AUTH_USER | admin | Username for web UI basic auth |
| NEMOCLAW_AUTH_PASS | random 24-char | Password for web UI basic auth |
| NEMOCLAW_SANDBOX | assistant | Name for the NemoClaw sandbox |
| VIRTUA_USER | clawden | System user for the agent |
| VIRTUA_PASS | random 24-char | User password for RDP login |
Changelog
v1.0.0 (2026-04-02)
- Initial release
- NemoClaw (OpenClaw + NVIDIA OpenShell) sandboxed deployment
- Caddy reverse proxy with basic auth, HSTS, and WebSocket support
- Custom systemd service with auto-reconnect after reboot
- GNOME desktop with RDP via xrdp
- VS Code, Firefox, Chromium
- Full dev environment: Docker, Go, Rust, Node.js, Python