Bypassing NemoClaw Sandbox Isolation for Local Nemotron 9B Agent

✍️ OpenClawRadar · 📅 Published: March 18, 2026 · 🔗 Source

Local NemoClaw Workaround for Full Local Inference

A developer has documented a method to bypass NVIDIA's NemoClaw sandbox isolation to run a fully local AI agent. NemoClaw, launched at GTC, is an enterprise sandbox for AI agents built on OpenShell (k3s + Landlock + seccomp) that by default expects cloud API connections and heavily restricts local networking.


Technical Implementation Details

The developer wanted 100% local inference on WSL2 + RTX 5090 and punched through the sandbox to reach a vLLM instance. The solution involved multiple components:

  • Host iptables configuration: Allowed traffic from Docker bridge to vLLM on port 8000
  • Pod TCP Relay: Custom Python relay in the Pod's main namespace bridging sandbox veth → Docker bridge
  • Sandbox iptables injection: Used nsenter to inject ACCEPT rule into the sandbox's OUTPUT chain, bypassing the default REJECT
  • Tool Call Translation: Built a custom Gateway that intercepts the streaming SSE response from vLLM, buffers it, parses Nemotron 9B's <TOOLCALL>[...]</TOOLCALL> text output, and rewrites it into OpenAI-compatible tool_calls in real time
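The last bullet is the part of the setup that has nothing to do with the network bypass: Nemotron 9B emits tool calls as text, and opencode expects the OpenAI `tool_calls` structure. As an added illustration (not the developer's gateway code), this is the buffer-then-rewrite logic in miniature. The SSE chunk shape follows the OpenAI-compatible stream vLLM serves; the sample stream, the `bash` tool and the deterministic `call_{i}` ids are constructed assumptions.

```python
import json
import re
TOOLCALL_RE = re.compile(r"<TOOLCALL>(.*?)</TOOLCALL>", re.DOTALL)

def buffer_sse(lines):
    """Join delta.content from OpenAI-style SSE chunks until the [DONE] sentinel."""
    parts = []
    for line in lines:
        if not line.startswith("data:"):
            continue  # blank keep-alives and SSE comments
        body = line[len("data:"):].strip()
        if body == "[DONE]":
            break
        for choice in json.loads(body).get("choices", []):
            parts.append(choice.get("delta", {}).get("content") or "")
    return "".join(parts)

def parse_toolcalls(text):
    """Split buffered model text into plain content and a list of {name, arguments} dicts."""
    calls = []
    for match in TOOLCALL_RE.finditer(text):
        payload = json.loads(match.group(1))
        for call in payload if isinstance(payload, list) else [payload]:
            if not isinstance(call, dict) or "name" not in call:
                raise ValueError(f"malformed tool call: {call!r}")  # refuse rather than guess
            calls.append(call)
    return TOOLCALL_RE.sub("", text).strip(), calls

def to_openai_message(text):
    """Rewrite the model's text into an OpenAI-compatible assistant message with tool_calls."""
    content, calls = parse_toolcalls(text)
    message = {"role": "assistant", "content": content or None}
    if calls:
        message["tool_calls"] = [
            {"id": f"call_{i}", "type": "function",  # hypothetical deterministic id
             "function": {"name": c["name"], "arguments": json.dumps(c.get("arguments", {}))}}
            for i, c in enumerate(calls)
        ]
    return message

def _chunk(text):
    return "data: " + json.dumps({"choices": [{"delta": {"content": text}}]})
# Constructed sample stream: the TOOLCALL block is split across chunks, which is why
# the gateway must buffer the whole response before it can parse and rewrite it.
SAMPLE_SSE = [
    _chunk("I'll list the directory first.\n"),
    _chunk('<TOOLCALL>[{"name": "bash", "argum'),
    _chunk('ents": {"command": "ls -la"}}]</TOOLCALL>'),
    "data: [DONE]",
]
```

Because the translated `tool_calls` are what opencode will execute, the gateway is the natural place to log or allow-list tool names before they reach the sandbox.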

This configuration allows opencode inside the sandbox to use Nemotron as a fully autonomous agent. Everything runs locally with no data leaving the machine. The setup is volatile (WSL2 reboots wipe the iptables hacks), but enables a 9B model to execute terminal commands inside a locked-down enterprise container.

📖 Read the full source: r/LocalLLaMA

