Subtopics 9.1 through 9.3 taught the file-level discipline, the platform-native secrets management, and the chat-app permission boundaries. Subtopic 9.4 is the layer below all three: where the agent runs. The channel's framing is that the runtime environment is the security boundary, and the default — running the agent on your daily-driver Mac with system access — is the wrong default. The right default is a sandboxed environment with isolated permissions, policy-based guardrails, and network isolation. Two paths get you there: a cheap VPS (Zebra $2/month, 2 GB RAM) and the NemoClaw privacy layer (the open-source wrapper built in collaboration with OpenClaw's creator Peter Steinberger).
This article walks through the VPS-over-Mac framing, the NemoClaw installation (both the agent-assisted and the manual paths), the security configuration, the architecture integration with multi-agent setups, and the troubleshooting flow for the most common install failures.
What you'll learn
- The VPS-over-Mac default: run the agent on a $2/month Zebra VPS, not on your daily-driver Mac. The blast radius of a wrong action on a VPS is the VPS. The blast radius of a wrong action on your Mac is your life.
- The NemoClaw privacy layer: an open-source security/privacy wrapper built in collaboration with OpenClaw's creator Peter Steinberger. Adds isolated sandboxes, policy-based guardrails, network isolation, data privacy controls, a privacy router, and a hybrid model strategy on top of an existing OpenClaw agent. It is a wrapper, not a fork.
- The two install paths: agent-assisted (send nvidia.com/nemo to your existing OpenClaw orchestrator, let it drive the install) and manual (curl the install script, run the wizard). Agent-assisted is 10–20 minutes; manual is the same plus a 5-minute SSH dance.
- The model options: free nvidia.com/nemotron-3-super on OpenRouter ($0/M tokens), Hunter Alpha (free tier), minimax-m2.5 for stronger task execution, Claude Opus/Sonnet 4.6 for architecture work. The default is the free tier; the upgrade is task-specific.
- The security layers: OpenShell (core infrastructure providing isolated sandboxes), policy-based guardrails (control what agents can access), network isolation (restrict external connections), and data privacy controls (protect sensitive information).
- The policy configuration: nemo policy set --level basic for the recommended starter, nemo policy edit for custom rules. The starter policy is "deny by default, allow specific paths" — the same shape as a Linux firewall.
- The architecture integration: in a multi-agent OpenClaw setup, NemoClaw runs as an additional secure agent under the orchestrator. The orchestrator dispatches sensitive operations to NemoClaw; NemoClaw executes in a sandbox; the orchestrator receives the result. The audit trail is the receipt.
- The troubleshooting flow for the four most common install failures: installation fails on Windows (use a VPS or WSL2), agent can't install NemoClaw (verify SSH credentials, RAM, Ubuntu/Debian), NemoClaw won't start (check logs, verify API key, restart), Discord bot not responding (verify token, check permissions, review logs).
The VPS-over-Mac default
The "right way" framing in the channel's coverage is a scope discipline, not a tooling preference. The agent gets a VPS, the VPS has its own IP, the VPS has its own credentials, the VPS has no access to your real Google account or your crypto wallets. The blast radius of a wrong action is the VPS. The blast radius of a wrong action on your Mac Mini is your life.
The cross-cutting reference: the 3am-girlfriend story (anchored in 9.5) is the receipt for why the VPS-over-Mac default exists. The agent sent a message to the girlfriend at 3am while running with full system access on a Mac. The fix is not "the model is too dumb" — the fix is "the model should not have had system access on a Mac in the first place."
The VPS is the cheap version of the fix. The hosted MaxClaw is the easier version. The NemoClaw privacy layer is the production version. All three are valid; the choice depends on how much control you want and how much time you want to spend on the infrastructure.
The Zebra VPS profile
The channel's recommended VPS profile:
- Provider: Zebra VPS (the channel's pick for the price/performance trade-off)
- Tier: 2 GB RAM, 40 GB storage
- Price: $2/month (4 GB RAM promo tier is $3)
- OS: Ubuntu 22.04 or later
- Use case: throwaway sandbox — if the agent goes rogue, reset the box and you're back to a $2/month bill
The instance is online 24/7, reinstallable, and serves as the runtime for the agent. The discipline is to treat the box as isolated: don't reuse the Google account tied to your calendar, don't point OpenClaw at a Mac holding crypto wallets, and don't put the box on the same network as your real infrastructure.
NemoClaw: the privacy layer
NemoClaw is the channel's second-most-viewed video (31,868 views) and the production version of the sandboxing story. From the source video's summary: NemoClaw is "an open-source security and privacy layer for OpenClaw" built in collaboration with OpenClaw's creator Peter Steinberger. It is a wrapper, not a fork — you do not need to reinstall OpenClaw. You add NemoClaw as a layer on top of your existing agent.
Key features
The NemoClaw wrapper ships with six feature groups:
- Isolated sandboxes — agents run in secure containers, not in the host's user space
- Policy-based security — granular control over agent permissions via declarative policy files
- Network isolation — controlled external access; the agent cannot reach arbitrary network endpoints without explicit policy
- Data privacy controls — protect sensitive information from leaving the sandbox
- Privacy router — intelligent data routing that strips or masks sensitive fields before they reach the model
- Hybrid model strategy — mix local and cloud models securely, with the privacy router mediating which data goes to which model
The point of the wrapper is that you do not have to choose between "the agent has access to my data" and "the agent cannot do its job." The wrapper gives the agent scoped access to the data it needs, with policy-based controls on what it can do with the data.
Important: you don't need to start from scratch
If you already have an OpenClaw agent, you can add NemoClaw as a layer on top. You do not need to reinstall OpenClaw, and you do not need to migrate your agent's data. The wrapper sits between your OpenClaw agent and the resources it touches, mediating access via the policy layer.
Installation: the two paths
Method 1: agent-assisted (fastest, 10–20 minutes)
This is the recommended method if you already have an OpenClaw orchestrator agent.
Step 1: share the documentation. Send your agent the NemoClaw docs:
Learn and understand Nvidia's NemoClaw from nvidia.com/nemo
Step 2: request the install. Tell the agent:
Can you set up a NemoClaw agent in our Discord server?
Step 3: provide resources. The agent will ask for:
- Zebra VPS credentials (IP, username, password)
- Discord bot token (a new one, separate from any existing bot)
- API key preference (the free nvidia.com/nemotron-3-super on OpenRouter is the default)
Step 4: let the agent handle it. The orchestrator will:
- SSH into the VPS
- Install NemoClaw
- Configure security layers
- Set up Discord integration
- Test the installation
The full flow takes 10–20 minutes. The agent-driven install is the channel's default for anyone who already has an orchestrator. The manual path is the fallback.
Method 2: manual VPS install (5–10 minutes of active work)
Step 1: get a VPS. Sign up for Zebra VPS, choose the 2 GB RAM plan ($2/month), note your credentials (IP, SSH username, SSH password).
Step 2: connect to the VPS.
ssh ubuntu@YOUR_VPS_IP
Step 3: install NemoClaw.
curl -fsSL https://nvidia.com/nemo/install.sh | bash
Step 4: configure. The setup wizard prompts for:
- Model provider (default: OpenRouter with nvidia.com/nemotron-3-super)
- API key
- Security policies (default: basic)
- Messaging platform (Discord, Telegram, or both)
Step 5: verify.
nemo status
The status output should show the NemoClaw daemon running, the model provider connected, and the messaging platform authenticated. If any of those is missing, the install is incomplete — re-run the wizard or check the troubleshooting flow.
Model options
The channel's coverage documents four model options, ranked by cost.
Free option: Nvidia Nemotron 3 Super
- Cost: $0 per million input tokens, $0 per million output tokens
- Provider: OpenRouter
- Setup: sign up at OpenRouter.ai → create API key → select "Nvidia Nemotron 3 Super" as model
The free tier is enough for the test-channel pattern from 9.3. The model is "not very confident" on serious work (the host's framing), so the upgrade is task-specific.
Paid options
- Minimax M2.5/M2.7 — best for task execution; popular on OpenRouter; affordable pricing. The default upgrade path for cost-sensitive production work.
- Claude Opus/Sonnet 4.6 — recommended for architecture tasks; higher quality reasoning; more expensive. The default for any task that touches money, customer data, or production infrastructure.
- Hunter Alpha — free tier available; good for experimentation. The default for "I want to try NemoClaw but I'm not ready to commit to a paid model."
The default is the free tier. The upgrade is task-by-task. The discipline is the same as 9.2: route by task, not by default.
Discord integration
The NemoClaw + Discord flow is the channel's recommended chat surface.
Step 1: create the Discord bot.
- Go to Discord Developer Portal
- Click "New Application"
- Name your application
- Go to the "Bot" section
- Click "Add Bot"
- Copy the bot token
Step 2: configure NemoClaw.
nemo config discord
Paste your Discord bot token when prompted. The CLI writes the token to the NemoClaw secrets store (not the config tree) and restarts the daemon.
Step 3: invite the bot to the server.
- Go to OAuth2 → URL Generator
- Select scopes: bot, applications.commands
- Select permissions: Send Messages, Read Messages, Embed Links
- Copy the generated URL
- Open the URL in a browser and invite the bot to your server
The permission set is the minimum the channel recommends. Administrator is not on the list (see 9.3 for the principle-of-least-privilege framing).
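A check of a generated invite URL against that minimum set, added here as an example and not taken from the source video or from NemoClaw. It assumes the page's "Read Messages" corresponds to Discord's VIEW_CHANNEL flag; `audit_invite` is a hypothetical helper, and the sample URLs are constructed with a placeholder client_id.

```python
from urllib.parse import parse_qs, urlparse

# Bit positions from Discord's permission flags; only a subset is named here.
PERMISSION_BITS = {
    "KICK_MEMBERS": 1, "BAN_MEMBERS": 2, "ADMINISTRATOR": 3,
    "MANAGE_CHANNELS": 4, "MANAGE_GUILD": 5, "VIEW_CHANNEL": 10,
    "SEND_MESSAGES": 11, "MANAGE_MESSAGES": 13, "EMBED_LINKS": 14,
    "ATTACH_FILES": 15, "READ_MESSAGE_HISTORY": 16, "MENTION_EVERYONE": 17,
    "MANAGE_ROLES": 28, "MANAGE_WEBHOOKS": 29,
}
# The page's minimum set. Assumption: "Read Messages" means VIEW_CHANNEL.
ALLOWED_PERMISSIONS = {"SEND_MESSAGES", "VIEW_CHANNEL", "EMBED_LINKS"}
ALLOWED_SCOPES = {"bot", "applications.commands"}


def audit_invite(url):
    """Compare an OAuth2 invite URL against the page's minimum grant."""
    query = parse_qs(urlparse(url).query)
    scopes = set(query.get("scope", [""])[0].split())
    raw = query.get("permissions", ["0"])[0]
    if not raw.isdigit():
        raise ValueError("permissions must be a decimal bitfield")
    value = int(raw)

    named = {n for n, bit in PERMISSION_BITS.items() if value >> bit & 1}
    known_mask = sum(1 << bit for bit in PERMISSION_BITS.values())
    report = {
        "extra_permissions": sorted(named - ALLOWED_PERMISSIONS),
        "missing_permissions": sorted(ALLOWED_PERMISSIONS - named),
        "extra_scopes": sorted(scopes - ALLOWED_SCOPES),
        # Bits this table has no name for are reported, never ignored.
        "unknown_bits": [b for b in range(value.bit_length())
                         if value >> b & 1 and not known_mask >> b & 1],
    }
    report["ok"] = not (report["extra_permissions"] or report["extra_scopes"]
                        or report["unknown_bits"])
    return report


# Constructed sample URLs; the client_id is a placeholder, not a real app.
BASE = "https://discord.com/oauth2/authorize?client_id=000000000000000000"
MINIMAL = BASE + "&scope=bot+applications.commands&permissions=19456"
TOO_BROAD = BASE + "&scope=bot+applications.commands&permissions=19464"

if __name__ == "__main__":
    for label, url in (("minimal", MINIMAL), ("too broad", TOO_BROAD)):
        print(label, audit_invite(url))
```

Run it on the URL the generator produces before opening it; a non-empty `unknown_bits` list means the grant includes a flag this table does not name and should be looked up before inviting the bot.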
Security configuration
NemoClaw's security model is a layered stack. Each layer is a separate concern, and each can be configured independently.
The four layers
- OpenShell — core infrastructure providing isolated sandboxes. The agent's shell commands run inside a container, not on the host. The blast radius of a wrong command is the container.
- Policy-based guardrails — control what agents can access. The policy file is a declarative list of allowed and denied paths, network endpoints, and system commands.
- Network isolation — restrict external connections. The agent cannot reach arbitrary network endpoints; it can only reach the endpoints explicitly allowlisted in the policy.
- Data privacy controls — protect sensitive information. The privacy router strips or masks sensitive fields (API keys, PII, financial data) before they reach the model.
Configuring policies
The starter policy:
nemo policy set --level basic
basic is "deny by default, allow specific paths." The agent can read the files you have explicitly allowlisted; it cannot read anything else. The network is closed by default; the agent can only reach the endpoints you have explicitly allowlisted.
For custom rules:
nemo policy edit
The policy editor opens the policy file in nano (or your default editor). The policy file is YAML; the structure is:
filesystem:
  allow:
    - /home/ubuntu/openclaw/data
    - /home/ubuntu/openclaw/skills
  deny:
    - /home/ubuntu/.ssh
    - /home/ubuntu/.openclaw/.env
network:
  allow:
    - api.openrouter.ai
    - api.telegram.org
  deny:
    - "*"
commands:
  allow:
    - ls
    - cat
    - grep
  deny:
    - rm
    - mv
    - chmod
The exact policy depends on your use case. The discipline is "deny by default, allow as needed." The starter policy is the right place to start; the custom policy is the right place to grow into.
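To make "deny by default, allow as needed" concrete, the following added example (not NemoClaw's own code) evaluates requests against the sample policy above. The evaluation order is an assumption, not documented NemoClaw behaviour: a specific deny wins, then an allow, and everything else is refused. The function names are hypothetical.

```python
import posixpath

# The page's sample policy, transcribed as a dict so no YAML parser is needed.
POLICY = {
    "filesystem": {
        "allow": ["/home/ubuntu/openclaw/data", "/home/ubuntu/openclaw/skills"],
        "deny": ["/home/ubuntu/.ssh", "/home/ubuntu/.openclaw/.env"],
    },
    "network": {"allow": ["api.openrouter.ai", "api.telegram.org"], "deny": ["*"]},
    "commands": {"allow": ["ls", "cat", "grep"], "deny": ["rm", "mv", "chmod"]},
}


def _under(path, root):
    """True if path is root itself or below it, on a component boundary."""
    return path == root or path.startswith(root.rstrip("/") + "/")


def path_allowed(policy, path):
    # Collapse "." and ".." first so "../" cannot step out of an allowed root.
    # normpath is lexical only; on a real host, resolve symlinks as well.
    p = posixpath.normpath(path)
    if not p.startswith("/"):
        return False  # relative paths are ambiguous, so refuse them
    fs = policy["filesystem"]
    if any(_under(p, d) for d in fs["deny"]):
        return False
    return any(_under(p, a) for a in fs["allow"])


def host_allowed(policy, host):
    h = host.lower().rstrip(".")
    net = policy["network"]
    if h in (d.lower() for d in net["deny"] if d != "*"):
        return False
    # Exact match only; the "*" deny entry is the fallback for everything else.
    return h in (a.lower() for a in net["allow"])


def action_allowed(policy, command, paths=()):
    """Allow an allowlisted command name only if every path passes too."""
    cmds = policy["commands"]
    # Exact name match: "/tmp/cat" must not pass as "cat".
    if command in cmds["deny"] or command not in cmds["allow"]:
        return False
    return all(path_allowed(policy, p) for p in paths)


if __name__ == "__main__":
    # Constructed requests covering the edge cases.
    print(action_allowed(POLICY, "cat", ["/home/ubuntu/openclaw/data/notes.txt"]))
    print(action_allowed(POLICY, "cat", ["/home/ubuntu/openclaw/data/../../.ssh/id_rsa"]))
    print(path_allowed(POLICY, "/home/ubuntu/openclaw/data-backup/x"))
    print(host_allowed(POLICY, "api.openrouter.ai.example.com"))
```

The second request shows why the command allowlist alone is not enough: `cat` is allowed, but the path normalizes into the denied `.ssh` directory, so the action is refused.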
Architecture integration
In a multi-agent OpenClaw setup, NemoClaw runs as an additional secure agent under the orchestrator. The architecture:
Main Orchestrator (Opus 4.6)
├── Research Agent (Minimax M2.7)
├── Task Executor (Minimax M2.7)
├── Discord Manager (Sonnet 4.6)
└── NemoClaw Agent (Nemotron 3 Super) ← Secure layer
The orchestrator dispatches sensitive operations to NemoClaw. NemoClaw executes in a sandbox. The orchestrator receives the result. The audit trail is the receipt for every operation.
The benefits of the architecture:
- Secure handling of sensitive operations — anything that touches customer data, payment information, or production infrastructure goes through NemoClaw
- Isolated environment for risky tasks — the sandbox contains the blast radius of a wrong action
- Additional layer of verification — the orchestrator can verify NemoClaw's results before propagating them
- Compliance-friendly architecture — the audit trail and the policy-based controls are the receipts for any compliance review
The pattern is the same shape as the "human-in-the-loop" pattern from 9.3, with NemoClaw as the human-equivalent reviewer. The orchestrator proposes; NemoClaw disposes (in a sandbox); the orchestrator acts on the result.
Troubleshooting
The four most common install failures, with the channel's recommended fix.
Installation fails on Windows
Problem: Docker Desktop issues on Windows.
Solution: NemoClaw requires Linux. Use one of:
- Install on VPS (recommended) — the cleanest path
- Use WSL2 (advanced; see the NemoClaw Windows setup guide) — the path for users who need local-only
- Use agent-assisted installation on VPS — the path for users who already have an orchestrator
Agent can't install NemoClaw
Problem: the orchestrator encounters errors during the install.
Solution:
- Ensure the VPS has sufficient resources (2 GB+ RAM)
- Verify SSH credentials are correct
- Check the VPS is running Ubuntu/Debian
- Try the manual installation method
NemoClaw won't start
Problem: the service fails to start after installation.
Solution:
- Check logs: nemo logs
- Verify configuration: nemo config check
- Ensure the API key is valid
- Restart the service: nemo restart
Discord bot not responding
Problem: the bot appears online but doesn't respond.
Solution:
- Verify the bot token is correct
- Check the bot has proper permissions in Discord (see 9.3 §Discord for the minimum permission set)
- Ensure NemoClaw is running: nemo status
- Review logs: nemo logs discord
Try it yourself
The hands-on goal: a working NemoClaw install on a Zebra VPS, with the basic policy set, the free model tier, and a Discord bot that responds in a test channel.
- Sign up for Zebra VPS. The 2 GB RAM plan is $2/month. Note your credentials (IP, SSH username, SSH password).
- Connect via SSH. ssh ubuntu@YOUR_VPS_IP. Verify you can sudo.
- Install NemoClaw via the manual path. curl -fsSL https://nvidia.com/nemo/install.sh | bash. Run the wizard with the default settings (OpenRouter + nvidia.com/nemotron-3-super, basic policy, Discord).
- Verify the install. nemo status. All three (daemon, model, Discord) should be connected.
- Set the basic policy. nemo policy set --level basic. Verify the policy file with nemo policy show.
- Create a Discord test channel. #nemoclaw-test in your server. This is the bot's first home.
- Configure the Discord integration. nemo config discord. Paste the bot token. The CLI writes to the secrets store and restarts the daemon.
- Invite the bot to the server. OAuth2 → URL Generator → bot + applications.commands → Send Messages, Read Messages, Embed Links → open the URL.
- Test the bot in the test channel. Send a message. Verify the bot responds. Verify the bot does not respond in other channels.
- Read the policy file. nemo policy edit. Understand the allow/deny rules. Adjust the file-system allowlist to include any paths the agent needs to read.
- Run the bot for a week in the test channel. Watch the behaviour. Look for drift. Look for scope creep.
- Document the install. A short note in your private log: VPS IP, model tier, policy level, Discord channel, and the date you last verified the audit trail.
Common pitfalls
- Running NemoClaw on Windows natively — the platform requires Linux. Use a VPS, WSL2, or the agent-assisted path. The "I'll just install it on my Windows box" path is the source of the "Docker Desktop issues" failure mode.
- Granting Administrator permission to the Discord bot — the principle-of-least-privilege rule from 9.3 applies here too. Use specific permissions; do not use Administrator.
- Skipping the policy configuration — basic is the default, but it is also the minimum. If your use case touches sensitive data, the policy needs custom rules. The starter policy is the floor, not the ceiling.
- Using a paid model for test-channel runs — the free nvidia.com/nemotron-3-super is enough for the test-channel pattern. Save the paid tier for the production channel.
- Granting the NemoClaw agent access to your real Google account — the VPS is isolated. The Google account on the VPS should be a fresh account with no calendar, no contacts, no email history. The blast radius of a compromised VPS with a real Google account is your real Google account.
- Pointing NemoClaw at a Mac holding crypto wallets — same shape. The agent's runtime should not be on a machine with high-value credentials. The VPS is the right home.
- Letting the NemoClaw agent's permission set drift — the policy file is a living document. As you add integrations, update the policy. The monthly audit from 9.1 §Access control is the cadence.
- Trusting the daemon's "I'm running" status without verifying the integrations — nemo status shows the daemon is running, but not that the Discord bot is actually responding. Send a test message in the test channel. The status is necessary, not sufficient.
- Reusing the Discord bot token across NemoClaw and the main OpenClaw agent — the tokens are separate. The NemoClaw bot is a new bot in the Discord Developer Portal, with its own token, its own permission set, and its own channel list.
- Skipping the test-channel pattern — the bot goes directly to the production channel. The second-channel test from 9.3 §Try it yourself applies here too. Test in #nemoclaw-test for a week; promote to the production channel only after the test is clean.
- Treating the policy file as a one-time setup — the policy is a living document. As the agent's tasks evolve, the policy evolves. The monthly review is the only thing that keeps the policy current.
- Forgetting to update the policy when you add a new integration — the new integration needs explicit allowlist entries for its file paths, network endpoints, and system commands. Without the entries, the integration fails silently.
Sources
- NemoClaw Setup Guide: FASTEST Way to Install — 31,868 views · video_id: qEFaeLlfLmk. The NemoClaw install, the security layers, the policy configuration, the architecture integration, the troubleshooting flow. The channel's second-most-viewed video.
- How to Build Your OpenClaw AI Agent the RIGHT Way — 2,690 views · video_id: Zkw8jIDzspc. The "right way" framing — VPS over Mac, permissions, what the agent is allowed to touch. Cross-listed with 9.3 for the scope-not-root framing.
- MaxClaw: One-Click to Set Up Openclaw FULLY (SO EASY) — 42,714 views · video_id: N-z8RGOhEas. The MaxClaw hosted variant (cross-listed with 9.5 for the 3am-girlfriend framing). The hosted MaxClaw is the easier version of the sandboxing pattern; the VPS + NemoClaw is the production version.
- Supabase query — SELECT video_id, title, views, summary_content, summary_key_takeaways, transcript_content FROM public.videos WHERE video_id = ANY(ARRAY['qEFaeLlfLmk', 'Zkw8jIDzspc', 'N-z8RGOhEas']); against project ttxdssgydwyurwwnjogq.
- External references cited in the source:
  - Discord Developer Portal — Discord bot creation
  - OpenRouter — model routing (used for nvidia.com/nemotron-3-super, Hunter Alpha, Minimax M2.5)
  - nvidia.com/nemo — the one-line install handoff to an existing OpenClaw orchestrator
  - Nvidia Nemotron — the free model tier