claude-code-complete-agent/security/nemoclaw-comparison.md
Kjell Tore Guttormsen 2491f5c732 feat: initial companion repo for OpenClaw vs Claude Code article
40 files demonstrating every major OpenClaw capability using Claude Code:
- 3 agents (researcher, writer, reviewer)
- 3 skills (daily-briefing, slack-message, web-research)
- 2 security hooks (pre-tool-use blocker, post-tool-use logger)
- 10 self-contained examples with copy-paste prompts
- Complete feature map (20 capabilities, 11 full match, 7 different, 2 gap)
- Security docs including NemoClaw comparison
- Automation, messaging, browser, memory documentation

Zero dependencies. Clone and run.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-26 09:47:29 +01:00

NemoClaw vs Claude Code Security

An honest comparison of security architectures. NemoClaw is NVIDIA's enterprise layer on top of OpenClaw. Claude Code is Anthropic's agent platform. They solve security differently.

Architecture comparison

NemoClaw (4 security layers)

| Layer | Mechanism | Enforcement |
|---|---|---|
| Network | Block non-allowlisted outbound connections | Kernel (network namespace) |
| Filesystem | Restrict writes to /sandbox and /tmp | Kernel (Landlock) |
| Process | Block privilege escalation | Kernel (seccomp) |
| Inference | Route model API calls through a gateway | Proxy |

Three of the four layers are enforced by the Linux kernel and the fourth by a separate proxy process, so none of the enforcement runs inside the agent. The agent cannot relax its own constraints: a Landlock ruleset and a seccomp filter can only be tightened, never removed, by the process they apply to and by its children, and the network namespace is created before the agent starts. The policy itself is still the weak point: a kernel enforces exactly what it is told, so an allowlist that is too broad is not something the kernel will catch.
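What "enforced by the kernel" means in practice, as an added example and not NemoClaw's own code (it says nothing about how NemoClaw builds its policy): a forked child confines itself with Landlock to one allowed directory, then probes a file creation inside and one outside. After `landlock_restrict_self()` returns, nothing the child does can widen the policy again. It assumes a Linux 5.13+ kernel with the Landlock LSM enabled and reports "unsupported" instead of failing anywhere else; the directories are constructed temporaries.

```python
"""Added example (not NemoClaw's code): Landlock self-confinement from Python.
A forked child restricts itself to one allowed directory, then tries to create
a file inside it and one outside it. Assumes Linux 5.13+ with the Landlock LSM
enabled; anywhere else the probes report "unsupported" instead of failing."""
import ctypes
import os
import sys
import tempfile

# Landlock syscall numbers are identical on every Linux architecture.
SYS_LANDLOCK_CREATE_RULESET = 444
SYS_LANDLOCK_ADD_RULE = 445
SYS_LANDLOCK_RESTRICT_SELF = 446
LANDLOCK_RULE_PATH_BENEATH = 1
PR_SET_NO_NEW_PRIVS = 38
# The 13 filesystem rights of Landlock ABI v1 (execute, read/write file, read
# dir, remove/make ...). Handling only these works on every Landlock kernel.
ACCESS_FS_V1 = (1 << 13) - 1


class RulesetAttr(ctypes.Structure):        # struct landlock_ruleset_attr (v1 layout)
    _fields_ = [("handled_access_fs", ctypes.c_uint64)]


class PathBeneathAttr(ctypes.Structure):    # struct landlock_path_beneath_attr
    _pack_ = 1                              # the kernel declares it packed
    _fields_ = [("allowed_access", ctypes.c_uint64), ("parent_fd", ctypes.c_int32)]


def _confine_to(allowed_dir: str) -> bool:
    """Restrict the calling process to allowed_dir. False if Landlock is
    unavailable (kernel too old, LSM disabled, or syscalls blocked by seccomp)."""
    libc = ctypes.CDLL(None, use_errno=True)
    libc.syscall.restype = ctypes.c_long
    attr = RulesetAttr(ACCESS_FS_V1)
    ruleset_fd = libc.syscall(ctypes.c_long(SYS_LANDLOCK_CREATE_RULESET), ctypes.byref(attr),
                              ctypes.c_size_t(ctypes.sizeof(attr)), ctypes.c_uint32(0))
    if ruleset_fd < 0:
        return False
    dir_fd = os.open(allowed_dir, os.O_PATH | os.O_CLOEXEC)
    rule = PathBeneathAttr(ACCESS_FS_V1, dir_fd)   # full v1 rights, but only beneath allowed_dir
    added = libc.syscall(ctypes.c_long(SYS_LANDLOCK_ADD_RULE), ctypes.c_int(ruleset_fd),
                         ctypes.c_int(LANDLOCK_RULE_PATH_BENEATH), ctypes.byref(rule),
                         ctypes.c_uint32(0))
    # Landlock refuses to confine a process that could regain privilege via setuid/setcap binaries.
    libc.prctl(ctypes.c_int(PR_SET_NO_NEW_PRIVS), ctypes.c_ulong(1),
               ctypes.c_ulong(0), ctypes.c_ulong(0), ctypes.c_ulong(0))
    restricted = added == 0 and libc.syscall(ctypes.c_long(SYS_LANDLOCK_RESTRICT_SELF),
                                             ctypes.c_int(ruleset_fd), ctypes.c_uint32(0)) == 0
    os.close(dir_fd)
    os.close(ruleset_fd)
    return restricted


def probe_write(allowed_dir: str, target: str) -> str:
    """Fork a child that confines itself to allowed_dir and tries to create
    target. Returns "allowed", "denied" or "unsupported"."""
    if sys.platform != "linux":
        return "unsupported"
    sys.stdout.flush()
    try:
        pid = os.fork()
    except OSError:
        return "unsupported"
    if pid == 0:  # child: everything after _confine_to() runs under the kernel policy
        code = 2
        try:
            if _confine_to(allowed_dir):
                try:
                    os.close(os.open(target, os.O_WRONLY | os.O_CREAT, 0o600))
                    code = 0
                except PermissionError:  # EACCES raised by the Landlock LSM hook
                    code = 1
        except Exception:
            code = 2
        os._exit(code)
    _, status = os.waitpid(pid, 0)
    code = os.WEXITSTATUS(status) if os.WIFEXITED(status) else 2
    return {0: "allowed", 1: "denied"}.get(code, "unsupported")


def demo() -> dict:
    """Run both probes against constructed temporary directories."""
    inside = tempfile.mkdtemp(prefix="sandbox-")   # plays the role of /sandbox
    outside = tempfile.mkdtemp(prefix="host-")     # anything not on the allowlist
    try:
        return {
            "inside": probe_write(inside, os.path.join(inside, "ok.txt")),
            "outside": probe_write(inside, os.path.join(outside, "escape.txt")),
        }
    finally:
        for d in (inside, outside):
            for f in os.listdir(d):
                os.unlink(os.path.join(d, f))
            os.rmdir(d)


if __name__ == "__main__":
    print(demo())
```

On a Landlock-capable kernel the result is `{'inside': 'allowed', 'outside': 'denied'}`; note that the parent is untouched, because the policy is applied in the child and is inherited only downwards, which is also why a real sandbox applies it before handing control to the agent.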

Claude Code (3 security layers)

| Layer | Mechanism | Enforcement |
|---|---|---|
| Permissions | Allow/deny rules and permission modes | Claude Code runtime |
| Hooks | PreToolUse/PostToolUse scripts | Shell processes spawned per tool call |
| Sandbox | macOS sandbox-exec (Seatbelt), bubblewrap on Linux | OS-level |

Hooks run on the same machine as the agent, as child shell processes that the Claude Code runtime spawns around each tool call. That makes them a software control rather than a kernel one: the agent is kept from rewriting or deleting its own hook scripts and settings only if writes to those paths are denied by the permission rules (and, where the sandbox is on, by the sandbox as well). Treat the hook scripts and settings files as part of the trusted computing base and make them read-only for the agent.
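A PreToolUse hook that enforces exactly that rule, as an added example rather than one of the companion repo's two hooks. Claude Code pipes one JSON event (`tool_name`, `tool_input`, `cwd`, ...) to the hook on stdin; exit status 2 blocks the call and whatever the hook wrote to stderr is shown to the model. The protected paths and the Bash patterns are this example's own choices; the project layout (a `.claude/` directory with `hooks/` and `settings.json`) is assumed.

```python
#!/usr/bin/env python3
"""Added example, not a file from the companion repo: a Claude Code PreToolUse
hook that refuses tool calls which would rewrite the agent's own guardrails.
Claude Code pipes one JSON event (tool_name, tool_input, cwd, ...) to the hook
on stdin; exit status 2 blocks the call and stderr is shown to the model.
The protected paths and command patterns below are this example's choices."""
import json
import os
import re
import sys
from typing import Optional

# Guardrail files the agent must not write (assumed layout: a project-level
# .claude/ directory; a user-level ~/.claude/ matches the same substrings).
PROTECTED = (".claude/settings.json", ".claude/settings.local.json", ".claude/hooks/")

# Bash forms that would edit, disable or neuter the guardrails out of band.
BASH_DENY = (
    re.compile(r"\.claude/(settings(\.local)?\.json|hooks)"),  # any mention of guardrail files
    re.compile(r"\b(curl|wget)\b.*\|\s*(ba|z|da)?sh\b"),       # download piped straight into a shell
    re.compile(r"\brm\b.*\s/(\s|$)"),                           # rm whose target is the bare root
)


def _touches_protected(path: str) -> bool:
    """Normalise first so `.claude/../.claude/hooks/x` cannot dodge the check."""
    norm = os.path.normpath(path).replace("\\", "/")
    return any(p in norm for p in PROTECTED)


def decide(event: dict) -> Optional[str]:
    """Return the reason to block this tool call, or None to let it proceed."""
    tool = event.get("tool_name", "")
    inp = event.get("tool_input") or {}
    if tool in ("Write", "Edit", "MultiEdit", "NotebookEdit"):
        path = inp.get("file_path") or inp.get("notebook_path") or ""
        if _touches_protected(path):
            return (f"{tool} to {path} refused: hook scripts and permission "
                    "settings are read-only for the agent")
    elif tool == "Bash":
        cmd = inp.get("command", "")
        for pat in BASH_DENY:
            if pat.search(cmd):
                return f"Bash command refused by guardrail pattern /{pat.pattern}/"
    return None


def main() -> int:
    try:
        event = json.load(sys.stdin)
    except ValueError:
        # Fail closed: an event the hook cannot parse is never approved.
        print("pre-tool-use hook: malformed event JSON", file=sys.stderr)
        return 2
    reason = decide(event)
    if reason:
        print(reason, file=sys.stderr)
        return 2
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Register it in `.claude/settings.json` under `"hooks": {"PreToolUse": [{"matcher": "Write|Edit|MultiEdit|Bash", "hooks": [{"type": "command", "command": "python3 .claude/hooks/pre-tool-use.py"}]}]}` and pair it with a `permissions.deny` rule covering the `.claude/` directory, so that the hook is a second line of defence rather than the only one: a hook cannot protect itself if the permission layer already lets the agent overwrite it.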

Where NemoClaw wins

  1. Kernel-level isolation. Landlock, seccomp and network namespaces are enforced outside the agent process and cannot be loosened from inside the sandbox short of a kernel bug or a policy that was written too broadly. Claude Code's hooks and permission rules are files on the same host: if the permission mode lets the agent write to them, they can be edited or removed within the same session.

  2. Enterprise compliance. NemoClaw is designed for SOC2, audit trails, OpenTelemetry integration. Claude Code has basic logging via hooks but no compliance framework.

  3. Multi-tenant safety. NemoClaw sandboxes isolate agents from each other. Claude Code agents share the host environment (worktree isolation helps but is git-level, not OS-level).

Where Claude Code wins

  1. Flexibility. Hooks can contain any logic. NemoClaw policies are declarative YAML with fixed categories. If you need custom rules, Claude Code is easier to extend.

  2. No infrastructure. NemoClaw requires Docker, 4 vCPU, 8GB RAM, a 2.4GB sandbox image. Claude Code hooks are bash scripts.

  3. Speed. No container startup. Hooks add milliseconds, not seconds.

  4. Ecosystem maturity. Claude Code's permission model is battle-tested across millions of sessions. NemoClaw is in early alpha (announced March 2026).

Known vulnerabilities

  • OpenClaw: CVE-2026-25253 (CVSS 8.8) allowed remote code execution through crafted skill files. 135K+ instances were exposed before the patch.
  • ClawHub: Cisco research found 12% of community-submitted skills contained malicious code (data exfiltration or prompt injection payloads).
  • Claude Code: no CVE is cited in this comparison; do not read that as evidence of none, and check Anthropic's advisories before relying on it. The plugin marketplace has a review process, though its effectiveness varies.

Practical recommendation

| Use case | Better choice |
|---|---|
| Personal automation | Claude Code (simpler, no infra) |
| Enterprise/multi-tenant | NemoClaw (kernel isolation) |
| Compliance-required | NemoClaw (audit trails) |
| Custom security rules | Claude Code (hook flexibility) |
| Untrusted skill ecosystem | NemoClaw (sandbox) or Claude Code (review + hooks) |

They are not mutually exclusive. You can use Claude Code for development work and OpenClaw+NemoClaw for always-on automation where stronger isolation matters.