Generated: 2026-05-22 · API: Gemini 2.5 Flash · Modes: Summary


OpenShell: Secure Runtime for AI Agents with Out-of-Process Enforcement

Clip title: OpenShell Agents
Author / channel: Sam Witteveen
URL: https://www.youtube.com/watch?v=0zHNyGFSelA

Summary

This video delves into NVIDIA’s NemoClaw, an agent toolkit for building specialized AI agents, but quickly establishes that the real innovation lies not in NemoClaw itself, but in OpenShell, its underlying runtime. NemoClaw is presented as a blueprint, an extensible architecture composed of three main components: a Harness (the agent’s logic for planning and tool calling, such as OpenClaw, Hermes Agent, or LangChain Deep Agents), a Model (the Large Language Model, typically NVIDIA’s Nemotron), and a Runtime (OpenShell), which provides crucial security and policy controls. The core message is that while the harness and model can be swapped out, OpenShell remains the constant, providing the essential secure environment for agent execution, especially in production settings.

The video highlights the inherent security vulnerabilities of traditional AI agents, which often operate with unrestricted access to system resources like file systems, APIs, networks, and credentials. While acceptable for local experimentation, this unrestricted access is highly dangerous for production deployments due to risks such as prompt injection, data exfiltration, and unauthorized actions. OpenShell addresses these concerns through a fundamentally different approach: out-of-process enforcement. Instead of relying on the LLM’s system prompt to enforce rules (which can be easily circumvented by prompt injection, as LLMs are predictive, not enforcing mechanisms), OpenShell employs a “supervisor” process. This supervisor starts before the agent, fetches predefined security policies from a gateway, prepares a sandboxed environment, and then launches the agent as a restricted child process within this secure boundary.

OpenShell provides robust security controls across four critical attack vectors. Firstly, for network access, it operates on a “default deny” principle, meaning no external connections are allowed unless explicitly whitelisted in the policy. Secondly, file system access is strictly isolated; host directories are never mounted, and the agent can only read/write within its designated workspace and temporary storage, preventing access to sensitive files like SSH keys or environment variables. Thirdly, inference calls to LLMs are routed through a managed endpoint (inference.local) within the sandbox, with OpenShell handling the actual routing and injecting provider credentials, which are never exposed directly to the agent. Finally, credentials are managed via runtime key injection, where API keys are ephemerally supplied by the gateway to the supervisor for specific outbound calls, never being stored persistently within the sandbox itself.
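To make the out-of-process model concrete, here is an added illustration (not OpenShell's code or API; `Policy`, `Supervisor` and every name in it are hypothetical) of a supervisor that holds the policy as data outside the agent process and applies the four controls above to each tool call, so a prompt-injected instruction is refused no matter what the model decided:

```python
import posixpath
from dataclasses import dataclass
from urllib.parse import urlparse

@dataclass(frozen=True)
class Policy:
    """Policy-as-code held by the supervisor, never by the agent (constructed example)."""
    allowed_hosts: frozenset = frozenset()          # empty set means default deny
    writable_roots: tuple = ("/workspace", "/tmp")  # host directories are never mounted
    inference_host: str = "inference.local"         # managed endpoint inside the sandbox

@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str

class Supervisor:
    """Starts before the agent and checks every tool call against the policy."""
    def __init__(self, policy: Policy, provider_key: str):
        self.policy = policy
        self._provider_key = provider_key           # ephemeral key; the agent never sees it

    def check_network(self, url: str) -> Decision:
        host = (urlparse(url).hostname or "").lower()
        if host == self.policy.inference_host:
            return Decision(True, "routed to managed inference endpoint")
        if host in self.policy.allowed_hosts:
            return Decision(True, f"{host} is allowlisted")
        return Decision(False, f"default deny: {host!r} is not in policy")

    def check_path(self, path: str) -> Decision:
        # Anchor relative paths in the workspace, then collapse '..' before comparing.
        norm = posixpath.normpath(posixpath.join(self.policy.writable_roots[0], path))
        for root in self.policy.writable_roots:
            if norm == root or norm.startswith(root + "/"):
                return Decision(True, f"inside {root}")
        return Decision(False, f"{norm} is outside the sandbox")

    def outbound_headers(self, url: str) -> dict:
        """Runtime key injection: the credential is attached only on the managed route."""
        host = (urlparse(url).hostname or "").lower()
        if host == self.policy.inference_host:
            return {"Authorization": f"Bearer {self._provider_key}"}
        return {}

if __name__ == "__main__":
    sup = Supervisor(Policy(), provider_key="sk-CONSTRUCTED-PLACEHOLDER")
    # An injected instruction to exfiltrate is blocked regardless of what the LLM decided.
    print(sup.check_network("https://evil.example/exfil?data=secret"))
    print(sup.check_path("../../root/.ssh/id_rsa"))
```

The agent process only ever receives a `Decision`; the provider key and the policy live in the supervisor, which is what makes the control independent of the system prompt.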

The key takeaway is a paradigm shift from solely thinking in terms of AI frameworks to considering “blueprints, sandboxes, and primitives” for secure agent deployment. OpenShell’s policies are treated as code, residing in a version-controlled repository, allowing for diffing, code reviews, and auditability – offering a provable level of security. This modular and secure stack ensures that even if an agent’s logic or model is compromised (e.g., via prompt injection), the underlying runtime security policies enforced by OpenShell remain intact, blocking any unauthorized actions and safeguarding the host system. This makes OpenShell the critical component for safely scaling AI agent applications in enterprise environments.

Description

In this video, we look at OpenShell, the layer that runs the protection in NemoClaw Blueprints, but we actually do it with a LangChain DeepAgents harness to show how you can use a number of different agent options.

🔗 Links:
OpenShell Docs: https://nvda.ws/3Pvfn6w
NVIDIA Guide to OpenShell: https://nvda.ws/3RpuvTo
LangChain Example: https://github.com/langchain-ai/openshell-deepagent

Twitter: https://x.com/Sam_Witteveen

🕵️ Interested in building LLM Agents? Fill out the form below Building LLM Agents Form: https://drp.li/dIMes

👨‍💻Github: https://github.com/samwit/llm-tutorials

⏱️Time Stamps:
00:00 Intro
00:39 Quick Recap: NemoClaw
01:47 3 Flavors of NemoClaw
02:47 LangChain Deep Agent Framework
03:07 Deep Agent Architecture
04:26 Deep Agents+NemoClaw+OpenShell
04:52 Deep Agent Project
05:51 OpenShell: The Core Idea - Out-of-Process Enforcement
07:52 4 Things Supervisor Controls
10:14 End-to-end Walkthrough


Tags

NVIDIA OpenShell, OpenShell, NemoClaw, NVIDIA NemoClaw, OpenClaw, LangChain, LangChain Deep Agents, Deep Agents, AI agents, agentic AI, autonomous agents, secu… NVIDIA OpenShell, secure AI agents, AI agent sandbox, AI runtime, sandboxed AI, [[concepts/ai-agent-autonomy|AI agent security]], Nemotron, [[entities/dgx-spark|DGX Spark]], NVIDIA AI, [[concepts/open-source|open source]] AI, [[concepts/local-llm|local LLM]], Ollama, Hermes, [[entities/nous-research|Nous Research]], [[concepts/langgraph-framework|LangGraph]], AI [[concepts/tutorial|tutorial]], build AI agent, [[concepts/self-improving-ai|self improving AI]], [[concepts/ai-safety|AI safety]], kernel sandbox, [[concepts/agentic-harness|agent harness]], multi agent

URLs