Your AI Agent Could Wreck Your Server. Lock It Down.
By default, Open Claw has full filesystem access, full network access, and runs every command as root. One stray prompt and you've leaked credentials. Here's the 5-layer stack I run for my own AI employees.
5 SECURITY LAYERS · 7 FORKS COMPARED · 0 PUBLIC PORTS
Most self-hosted AI agent tutorials skip the boring part: hardening the box they run on. That's also the part that decides whether your agent is a fun demo or a production AI employee. This walkthrough is the exact setup, step by step, on a fresh VPS.
Nemo Claw: Open Claw, sandboxed
Open Shell: Nvidia isolation
YAML Policies: allow-list everything

🚨 PART 01 · WHY YOU SHOULD CARE: The Security Nightmare
Out of the box, an Open Claw agent can read every file on your server, hit any URL on the internet, and execute any shell command it decides is useful. That is one prompt away from data exfiltration, ransomware-style damage, or a leaked API key dump.
I open the video with the threat model so you understand what each layer of the stack is actually defending against. If you skip this part, the rest of the config feels arbitrary. It's not.
🔱 PART 02 · 7 VARIANTS COMPARED: Picking The Right Fork
The community has shipped a whole family of Open Claw forks: nanobot for hacking, nanoclaw for Docker isolation, zero claw for raw speed, pico claw and null claw for Raspberry Pi. Each one trades something off.
I walk through all of them and explain why Nemo Claw is the strongest pick for production: it locks the original Open Claw inside Nvidia's Open Shell sandbox and exposes everything via YAML policies you control.
🛡️ PART 03 · BOTTOM TO TOP: The 5-Layer Stack
Bottom to top, the five layers are:
1. A fresh Ubuntu 24.04 base.
2. Tailscale VPN plus a UFW firewall, so SSH is reachable only from inside your private mesh.
3. Cloudflare Tunnel on top, so no public IP is ever exposed.
4. The Nvidia Open Shell sandbox, running the agent itself.
5. YAML policies defining every allowed action.
Each layer has a job and you can see exactly what gets blocked when one fails. Defense in depth, applied to AI agents.
⚡ PART 04 · END TO END: Live Install, Wired To Telegram
Spin up a Hetzner VPS, install Docker, lock SSH behind Tailscale, set up the Cloudflare tunnel, then drop Nemo Claw inside Open Shell. Wire it to Gemini and Telegram via BotFather. Stress-test the policies by asking the agent for credentials (denied) and to write a one-pager (allowed, after editing the YAML).
Every command is on screen. By the end you have a hardened, always-on AI employee you can actually trust on a real server.
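The allow-list idea behind layer 5 (Part 03) and the credentials-denied / one-pager-allowed stress test (Part 04) come down to one rule: an action passes only if a policy entry explicitly covers it, and everything else is denied. The evaluator below is an added example to make that rule concrete; it is not Nemo Claw's or Open Shell's code, and its policy layout, section names, paths and hosts are hypothetical stand-ins, not the real YAML schema. It also shows two checks a deny-by-default evaluator needs that the prose does not spell out: path normalization (so `/workspace/../root/...` cannot slip under an allowed directory) and rejection of shell metacharacters (so one allowed command cannot chain into another).

```python
"""Deny-by-default allow-list policy evaluator for agent actions.

Added illustration of the allow-list semantics described on the page: an
action is permitted only if an explicit rule covers it, otherwise it is
denied. The policy layout, tool names, paths and hosts are hypothetical
and are NOT Nemo Claw's or Open Shell's real YAML schema.
"""
from __future__ import annotations

import copy
import os
import shlex
from dataclasses import dataclass

# Constructed policy, the in-memory equivalent of this hypothetical YAML:
#
#   default: deny
#   filesystem:
#     read:  [/workspace]        # directories the agent may read under
#     write: []                  # nothing writable until you grant it
#   network:
#     hosts: [api.telegram.org, generativelanguage.googleapis.com]
#   shell:
#     commands: [ls, cat, wc]
#
BASE_POLICY = {
    "default": "deny",
    "filesystem": {"read": ["/workspace"], "write": []},
    "network": {"hosts": ["api.telegram.org", "generativelanguage.googleapis.com"]},
    "shell": {"commands": ["ls", "cat", "wc"]},
}

# Metacharacters that would let one allow-listed command chain into
# arbitrary execution; any of them is an automatic deny.
SHELL_METACHARS = (";", "|", "&", "$(", "`", ">", "<", "\n")


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def _normalize(path: str) -> str | None:
    """Resolve '..' and duplicate slashes; reject relative paths outright."""
    if not path.startswith("/"):
        return None
    return os.path.normpath(path)


def _under(path: str, root: str) -> bool:
    """True if path is root or lies beneath it ('/workspace2' is NOT under '/workspace')."""
    root = os.path.normpath(root)
    return path == root or path.startswith(root.rstrip("/") + "/")


def evaluate(policy: dict, kind: str, target: str) -> Decision:
    """Decide one agent action. kind is one of fs_read, fs_write, net, shell."""
    if kind in ("fs_read", "fs_write"):
        path = _normalize(target)
        if path is None:
            return Decision(False, f"relative path rejected: {target!r}")
        roots = policy["filesystem"]["read" if kind == "fs_read" else "write"]
        if any(_under(path, r) for r in roots):
            return Decision(True, f"{kind} {path} covered by allow-list")
        return Decision(False, f"{kind} {path} not in allow-list (default deny)")
    if kind == "net":
        host = target.lower().rstrip(".")
        if host in policy["network"]["hosts"]:
            return Decision(True, f"host {host} allow-listed")
        return Decision(False, f"host {host} not allow-listed (default deny)")
    if kind == "shell":
        if any(m in target for m in SHELL_METACHARS):
            return Decision(False, "shell metacharacters rejected")
        argv = shlex.split(target)
        if argv and argv[0] in policy["shell"]["commands"]:
            return Decision(True, f"command {argv[0]} allow-listed")
        return Decision(False, f"command {argv[:1]} not allow-listed (default deny)")
    return Decision(False, f"unknown action kind {kind!r} (default deny)")


def grant(policy: dict, section: str, key: str, value: str) -> dict:
    """Return a copy of the policy with one more allow entry: the code
    equivalent of editing the YAML and reloading it."""
    updated = copy.deepcopy(policy)
    updated[section][key].append(value)
    return updated


def stress_test() -> dict[str, bool]:
    """Replay the page's checks: credentials denied, one-pager allowed only
    after the write rule is added, plus the traversal and chaining edge cases."""
    results = {}
    results["read_credentials"] = evaluate(BASE_POLICY, "fs_read", "/root/.aws/credentials").allowed
    results["traversal"] = evaluate(BASE_POLICY, "fs_read", "/workspace/../root/.ssh/id_ed25519").allowed
    results["one_pager_before"] = evaluate(BASE_POLICY, "fs_write", "/workspace/out/one-pager.md").allowed
    edited = grant(BASE_POLICY, "filesystem", "write", "/workspace/out")
    results["one_pager_after"] = evaluate(edited, "fs_write", "/workspace/out/one-pager.md").allowed
    results["unlisted_host"] = evaluate(edited, "net", "paste.example.invalid").allowed
    results["chained_shell"] = evaluate(edited, "shell", "ls /workspace; cat /root/.aws/credentials").allowed
    results["plain_shell"] = evaluate(edited, "shell", "wc -l /workspace/notes.txt").allowed
    return results


if __name__ == "__main__":
    for name, allowed in stress_test().items():
        print(f"{name:18} {'ALLOW' if allowed else 'DENY'}")
```

Run it and the credential read, the traversal attempt, the unlisted host and the chained shell command all come back DENY, while the one-pager write flips from DENY to ALLOW only after `grant()` adds the write directory, mirroring the "edit the YAML, then retry" step in the video. The point of the design is that nothing in the evaluator is a deny rule: there is no list of forbidden paths to keep up to date, only a short list of what is permitted.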
An unrestricted agent on an open server is a credential leak waiting for the right prompt. The 5-layer stack flips the default from "can do anything" to "can do exactly what I allow." That's the whole difference between a weekend demo and a production AI employee.
Hit play, and let me know in the comments which Open Claw variant you'd run for your own setup: the original for max power, Nemo Claw for production, or one of the smaller forks for an edge device. I read every comment. See you in the next one.

