OpenClaw's viral popularity shows AI agents have arrived, according to Jensen Huang, but it's also highlighted the new application security risks they pose.
"The most popular open source project in the history of humanity," as Nvidia's CEO described it, has put a spotlight on the ways AI agents expose new application security risks.
In response, Nvidia's NemoClaw project and new tools from other vendors, including Docker and JFrog, were introduced this week to strengthen OpenClaw security and enable safer use by businesses.
OpenClaw, an autonomous personal AI assistant first created by a single programmer in November 2025, burst onto the scene in January and quickly became the most-starred project on GitHub, surpassing 190,000 stars in two weeks. It now has more than 250,000 stars, more than Linux and the React JavaScript library, which took decades to reach that level.
"It exceeded what Linux did in 30 years," said Nvidia CEO Jensen Huang during a keynote presentation at Nvidia's GTC conference this week. "And it's that important."
Huang compared OpenClaw to the Windows OS and said every company must now have an OpenClaw strategy.
"OpenClaw has open-sourced, essentially, the operating system of agentic computers," Huang said. "It is no different from how Windows made it possible for us to create personal computers. Now, OpenClaw has made it possible for us to create personal agents. The implication is incredible."
However, OpenClaw's overnight success also brought early blunders: its unfettered access to users' machines, its ability to execute code and its internet access led to unintended consequences ranging from supply chain attacks to the agent attempting to delete an entire email inbox.
Nvidia's answer to OpenClaw security issues is NemoClaw, a complementary set of utilities for OpenClaw. The toolkit centers on the OpenShell sandbox, which confines the OpenClaw agent within a K3s-based sandboxed execution environment running in a Docker container.
"We worked with [OpenClaw creator] Peter [Steinberger] to make OpenClaw enterprise secure, and we call that our Nvidia NemoClaw reference architecture for OpenClaw," Huang said. "You could download it, play with it, and connect to it, the policy engine of all of the SaaS companies in the world … with OpenShell."
NemoClaw vs. NanoClaw
NemoClaw isn't the first attempt to address OpenClaw security -- last week, Docker added support for another open source project, NanoClaw, to its Docker Sandboxes. NanoClaw also isolates a minimalist version of the "claw" agent inside Docker containers, and Docker Sandboxes further isolate it within a microVM. Docker officials stated the company will support other approaches, including OpenClaw itself. OpenShell requires Docker Desktop to run, according to its GitHub page.
It's too soon to tell which approach will be more effective technically, but Nvidia and OpenClaw itself have powerful sway in the industry overall, said Jim Mercer, an analyst at IDC.
"Docker certainly has pull with organizations, but not in this space to the extent that Nvidia does," Mercer said. "Hopefully at the end of the day somebody will come up with best practices around this, and some sort of a common way to approach this."
Ultimately, the success of these projects will come down to ease of use, said Torsten Volk, an analyst at Omdia, a division of Informa TechTarget.
"The concept is not unique. Making it easily accessible to developers is," Volk said. "Conceptually, if Docker Desktop is where [companies] want developers to work, then using their Sandboxes gives you one nice UI and API. There are tons more runtimes like OpenShell, and it has 55 stars."
NanoClaw, by comparison, has amassed more than 20,000 stars. It also whittles the OpenClaw codebase down so that it doesn't take as many resources to run on a local machine, which could also boost its appeal to some companies, said Jim Frey, an analyst at Omdia, who is in attendance at GTC and was briefed by Nvidia on the news.
"NemoClaws are not for the average user -- they require considerable compute," Frey said. "Examples given here were DGX Spark or DGX Station [Nvidia desktop supercomputers], both of which are some serious hardware."
Beyond the sandbox: JFrog tackles malicious skills
Nvidia partner JFrog this week launched a new AI agent skills registry in private beta for its AI catalog, addressing another emerging OpenClaw security worry. JFrog's Artifactory will also serve as the standard registry for AI models and agent skills within Nvidia's new AI-Q Blueprint, which is part of the NemoClaw reference architecture.
Agent skills are folders of instructions, scripts and resources that users can build to instruct agents to use tools effectively. Public agent skills repositories, most notably Anthropic's Agent Skills for Claude, enable developers to share skills. This new component of the AI agent stack also creates a new attack vector for AI applications, according to Yuval Fernbach, vice president and CTO of JFrog ML, in an interview this week.
One example of a malicious agent skill JFrog's research team uncovered hid a binary executable in a README file that, once installed, called an external API, Fernbach said.
"AI assets are quite new, and organizations are pushing to use them as much as possible. Attackers understand that and actually try to hide and add malicious content to skills, to MCP servers, to any of those assets, because we don't yet have the right tools to scan them to find those malicious calls," he said.
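As an added example (not JFrog's, ClawHub's or any other project's own scanner), a defender-side check for the kind of skill Fernbach describes: it walks a skill folder and flags text files, such as a README, that carry a raw or base64-encoded native executable. The documentation suffix list and the 200-character base64 threshold are assumptions.

```python
# Added example: flags native executables hidden in an agent-skill folder's text files.
# Not JFrog's or ClawHub's scanner; the suffix list and base64 threshold are assumptions.
import base64
import re
from pathlib import Path
TEXT_SUFFIXES = {".md", ".txt", ".json", ".yaml", ".yml"}          # assumed doc/config types
EXEC_MAGIC = {b"\x7fELF": "ELF", b"MZ": "PE", b"\xcf\xfa\xed\xfe": "Mach-O"}
B64_BLOB = re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")              # long base64 runs only

def exec_format(data: bytes):
    """Name of the executable format whose magic bytes open `data`, else None."""
    return next((n for m, n in EXEC_MAGIC.items() if data.startswith(m)), None)

def scan_text_file(data: bytes) -> list[str]:
    """Findings for a file that should contain nothing but human-readable text."""
    findings = []
    if fmt := exec_format(data):
        findings.append(f"raw {fmt} header")
    if b"\x00" in data:                            # NUL never occurs in legitimate UTF-8 docs
        findings.append("binary content (NUL bytes)")
    for m in B64_BLOB.finditer(data):              # base64 blobs that decode to a binary
        try:
            decoded = base64.b64decode(m.group(0), validate=True)
        except ValueError:
            continue
        if fmt := exec_format(decoded):
            findings.append(f"base64-embedded {fmt} at offset {m.start()}")
    return findings

def scan_skill(files: dict[str, bytes]) -> dict[str, list[str]]:
    """files maps relative path -> content; returns only the entries with findings."""
    report = {}
    for name, data in files.items():
        if Path(name).suffix.lower() in TEXT_SUFFIXES:
            findings = scan_text_file(data)
        else:                                      # scripts/binaries: report native executables
            fmt = exec_format(data)
            findings = [f"native {fmt} executable shipped in skill"] if fmt else []
        if findings:
            report[name] = findings
    return report

def load_skill(folder: Path) -> dict[str, bytes]:
    """Read a real skill folder from disk into the form scan_skill() expects."""
    return {str(p.relative_to(folder)): p.read_bytes() for p in folder.rglob("*") if p.is_file()}

def constructed_sample() -> dict[str, bytes]:
    """Made-up skill: clean SKILL.md and script, plus a README carrying a base64 ELF blob."""
    blob = base64.b64encode(b"\x7fELF" + b"\x00" * 200)
    return {"SKILL.md": b"# Summarize\nRun summarize.py on the input.\n", "summarize.py": b"print('hi')\n",
            "README.md": b"Install notes\n" + blob + b"\n"}
```

Run `scan_skill(load_skill(Path("some/skill")))` on a real folder; a clean skill returns an empty report.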
JFrog's skills registry includes scans and AI-driven analysis to root out malicious skills. Other vendors such as Solo.io and Bitdefender have also introduced tools to secure agent skills, and OpenClaw's ClawHub marketplace partners with Google's VirusTotal to scan skills.
Regardless of the tool they choose, companies that want to incorporate OpenClaw have many new security risks to consider, according to IDC's Mercer.
"We're still trying to figure out what all the attack vectors are, but the hype around OpenClaw has really shined a light on the need to come up with a way to better secure some of these agentic capabilities," Mercer said. "There are a lot of new ways of attacking modern applications that are just now fully starting to come to life."
Nvidia Agent Toolkit treads on partners' turf
Nvidia's march from AI chips into AI applications didn't stop at NemoClaw. Huang used NemoClaw's introduction to segue into more open source AI model and agent orchestration initiatives during his presentation. The Nvidia Nemotron Coalition, also launched from the GTC keynote stage, is a frontier model collaboration between open model builders and AI developers that will create Nemotron-4.
NemoClaw's OpenShell is part of a broader AI Agent Toolkit launched this week, which includes the AI-Q blueprint, open models such as Nemotron, and Nvidia cuOpt open agent skills. A host of software vendors were listed as launch partners for Agent Toolkit, including Adobe, Atlassian, Cisco, Cohesity, CrowdStrike, Red Hat, SAP, Salesforce, ServiceNow and Synopsys.
Agent Toolkit doesn't fully overlap with these vendors' AI agent orchestration platforms, but Nvidia's push into the application space could create some awkwardness for its vendor partners, said Mike Leone, an analyst at Omdia.
"NVIDIA selling GPUs and CUDA was one thing," Leone said. "Building open source foundation models and an agent orchestration platform on top of their own silicon is a fundamentally different conversation. … The overlap is growing and nobody's really talking about it openly yet. … Partners are going to have to get clear on what they uniquely bring pretty quickly."
Beth Pariseau, a senior news writer for Informa TechTarget, is an award-winning veteran of IT journalism.