open/claude-code-complete-agent
1
0
Fork 0
Code Activity Actions
claude-code-complete-agent/security/nemoclaw-comparison.md
Kjell Tore Guttormsen 2491f5c732 feat: initial companion repo for OpenClaw vs Claude Code article 
40 files demonstrating every major OpenClaw capability using Claude Code:
- 3 agents (researcher, writer, reviewer)
- 3 skills (daily-briefing, slack-message, web-research)
- 2 security hooks (pre-tool-use blocker, post-tool-use logger)
- 10 self-contained examples with copy-paste prompts
- Complete feature map (20 capabilities, 11 full match, 7 different, 2 gap)
- Security docs including NemoClaw comparison
- Automation, messaging, browser, memory documentation

Zero dependencies. Clone and run.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-26 09:47:29 +01:00

86 lines
3.3 KiB
Markdown
Raw Permalink Blame History

# NemoClaw vs Claude Code Security
An honest comparison of security architectures. NemoClaw is
NVIDIA's enterprise layer on top of OpenClaw. Claude Code is
Anthropic's agent platform. They solve security differently.
## Architecture comparison
### NemoClaw (4 security layers)
| Layer | Mechanism | Enforcement |
|-------|-----------|-------------|
| Network | Block non-allowlisted outbound | Kernel (netns) |
| Filesystem | Restrict to /sandbox and /tmp | Kernel (Landlock) |
| Process | Block privilege escalation | Kernel (seccomp) |
| Inference | Route API calls through gateway | Proxy |
All enforcement is out-of-process. The agent cannot override its
own constraints because they are enforced by the Linux kernel.
### Claude Code (3 security layers)
| Layer | Mechanism | Enforcement |
|-------|-----------|-------------|
| Permissions | Allow/deny lists, modes | Claude Code runtime |
| Hooks | PreToolUse/PostToolUse scripts | Shell scripts |
| Sandbox | macOS sandbox-exec | OS-level |
Hooks run in-process (same machine) but as separate shell processes.
The agent cannot modify hook scripts during execution because file
writes can be restricted.
## Where NemoClaw wins
1. **Kernel-level isolation.** Landlock + seccomp + network namespaces
cannot be bypassed by the agent, period. Claude Code hooks can
theoretically be circumvented if permission mode is too permissive.
2. **Enterprise compliance.** NemoClaw is designed for SOC2, audit
trails, OpenTelemetry integration. Claude Code has basic logging
via hooks but no compliance framework.
3. **Multi-tenant safety.** NemoClaw sandboxes isolate agents from
each other. Claude Code agents share the host environment (worktree
isolation helps but is git-level, not OS-level).
## Where Claude Code wins
1. **Flexibility.** Hooks can contain any logic. NemoClaw policies
are declarative YAML with fixed categories. If you need custom
rules, Claude Code is easier to extend.
2. **No infrastructure.** NemoClaw requires Docker, 4 vCPU, 8GB RAM,
a 2.4GB sandbox image. Claude Code hooks are bash scripts.
3. **Speed.** No container startup. Hooks add milliseconds, not
seconds.
4. **Ecosystem maturity.** Claude Code's permission model is
battle-tested across millions of sessions. NemoClaw is in early
alpha (announced March 2026).
## Known vulnerabilities
- **OpenClaw:** CVE-2026-25253 (CVSS 8.8) allowed remote code
execution through crafted skill files. 135K+ instances were
exposed before the patch.
- **ClawHub:** Cisco research found 12% of community-submitted
skills contained malicious code (data exfiltration or prompt
injection payloads).
- **Claude Code:** No known CVEs. The marketplace has a review
process, though its effectiveness varies.
## Practical recommendation
| Use case | Better choice |
|----------|--------------|
| Personal automation | Claude Code (simpler, no infra) |
| Enterprise/multi-tenant | NemoClaw (kernel isolation) |
| Compliance-required | NemoClaw (audit trails) |
| Custom security rules | Claude Code (hook flexibility) |
| Untrusted skill ecosystem | NemoClaw (sandbox) or Claude Code (review + hooks) |
They are not mutually exclusive. You can use Claude Code for
development work and OpenClaw+NemoClaw for always-on automation
where stronger isolation matters.
View git blame Copy permalink