FailSafe Secures NVIDIA's NemoClaw Agents


The FailSafe SWARM engine recently completed a proactive security assessment of NVIDIA NemoClaw (alpha), an open-source reference stack for running OpenClaw autonomous agents inside NVIDIA OpenShell sandboxed containers. The project provides a CLI plugin, a versioned blueprint for orchestrating sandbox creation, YAML-based security policy enforcement, and inference provider routing.

The codebase, comprising approximately 12,700 lines across JavaScript, TypeScript, Shell, and Python, was evaluated by the FailSafe SWARM engine. The review identified three Medium severity security findings. Overall, the codebase demonstrates strong security practices: shell arguments are consistently quoted, credentials are stored with restrictive file permissions, and the sandbox enforces capability dropping and user privilege separation. The findings identified represent defense-in-depth gaps rather than directly exploitable critical vulnerabilities.

Summary of Findings

During the assessment, FailSafe identified the following vulnerabilities:

  1. Incomplete SSRF Blocklist in Endpoint Validation (Medium)
  2. Prototype Pollution via Unsanitized Config Path (Medium)
  3. Path Traversal in Rollback via Unsanitized Run ID (Medium)

All findings were responsibly disclosed to the NVIDIA engineering team and have been successfully resolved and merged into the main repository.

Deep Dive: Path Traversal via Unsanitized Run ID

One of the most notable findings discovered during the agentic assessment was a Path Traversal vulnerability in the rollback execution flow, officially tracked and resolved in Pull Request #1559.

The Vulnerability

The actionRollback() function inside nemoclaw/src/blueprint/runner.ts accepts a --run-id CLI argument. This argument was passed directly to a path.join() call without any prior sanitization or validation.

Because Node.js path.join() normalizes .. path components rather than rejecting them, a crafted run ID could make the resulting directory escape the intended .nemoclaw/state/runs/ directory tree.

The function subsequently performed three filesystem operations against the attacker-controlled path:

  • A directory listing (readdirSync)
  • A file read (readFileSync for plan.json)
  • A file write (writeFileSync for a rolled_back marker file)

Crucially, the sandbox_name parsed from the traversed plan.json was then passed directly to openshell sandbox stop and openshell sandbox remove commands, creating an escalation vector where an attacker could theoretically target arbitrary sandboxes outside the intended run scope.

The Remediation

Following the FailSafe disclosure, our submitted patch was reviewed, accepted, and merged by the NVIDIA maintainers. The defense-in-depth fix enforces two boundaries:

  1. Strict Regex Validation: Run IDs are now strictly validated against ^[a-zA-Z0-9_-]+$, ensuring only alphanumeric characters, hyphens, and underscores are processed.
  2. Prefix Boundary Checking: A resolved-path prefix check was added to verify that the final stateDir strictly begins with the intended runsRoot directory, neutralizing any absolute path injections.
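The two boundaries above, as an added TypeScript illustration that is not the merged patch itself (runsRoot, the function names and the sample run IDs are assumed); it also shows the original path.join() pattern for contrast and goes one step beyond the text by comparing against the root plus a separator, so a sibling directory such as runs-evil cannot pass the prefix check:

```typescript
import * as path from "node:path";

// Allowed run-id shape: alphanumerics, hyphens and underscores only.
// Dots are excluded, so "." and ".." components can never appear.
const RUN_ID_PATTERN = /^[a-zA-Z0-9_-]+$/;

/**
 * Resolve the state directory for a rollback run (hypothetical helper).
 * Two independent boundaries are enforced (defense in depth):
 *   1. the run id must match RUN_ID_PATTERN;
 *   2. the resolved directory must still sit inside runsRoot.
 * Throws on any violation instead of touching the filesystem.
 */
export function resolveRunStateDir(runsRoot: string, runId: string): string {
  if (!RUN_ID_PATTERN.test(runId)) {
    throw new Error(`invalid run id: ${JSON.stringify(runId)}`);
  }
  const root = path.resolve(runsRoot);
  const stateDir = path.resolve(root, runId);
  // Compare against root + separator so a sibling such as
  // ".../runs-evil" is not accepted as a prefix match of ".../runs".
  if (stateDir !== root && !stateDir.startsWith(root + path.sep)) {
    throw new Error(`run directory escapes runs root: ${stateDir}`);
  }
  return stateDir;
}

/** Returns whether a run id would be accepted for the given root. */
export function isSafeRunId(runsRoot: string, runId: string): boolean {
  try {
    resolveRunStateDir(runsRoot, runId);
    return true;
  } catch {
    return false;
  }
}

// Constructed contrast case: the pre-fix pattern, where path.join()
// silently lets ".." components walk out of the runs tree.
export function unsafeStateDir(runsRoot: string, runId: string): string {
  return path.join(runsRoot, runId);
}
```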

Securing the Open-Source AI Ecosystem

The rapid deployment of autonomous AI agents requires infrastructure that is secure by design. Open-source sandboxing frameworks like NVIDIA NemoClaw are critical to ensuring that agentic execution remains safely contained.

By continuously subjecting these foundational projects to agentic penetration testing, FailSafe ensures that the infrastructure powering the next generation of AI remains resilient against emerging threat vectors.
