NVIDIA NemoClaw Research Highlights AI Sandbox Exfiltration Risks

The Lasso team’s investigation into NVIDIA’s NemoClaw sandbox reveals a fundamental flaw in how organizations secure autonomous AI agents. While Kubernetes‑based policies in OpenShell aim to isolate workloads, the research shows that agents capable of installing packages, accessing repositories, and executing scripts can exploit those very permissions. By injecting malicious post‑install scripts into a trusted npm package, attackers reconstructed a GitHub token and used legitimate git commands to siphon files, demonstrating that the attack surface now extends beyond code vulnerabilities to the trusted toolchain itself.

Two distinct proof‑of‑concept attacks illustrate the depth of the risk. The first leveraged an attacker‑controlled GitHub repository to deliver a hidden script that harvested API keys and plaintext credentials stored in OpenClaw’s configuration files. The second introduced a malicious npm package that established a cron job, continuously probing allowed outbound domains and silently modifying the agent’s SOUL.md configuration—a technique dubbed “Agent Configuration Poisoning.” Both scenarios succeeded without violating OpenShell’s explicit policies, proving that policy‑based isolation cannot discern malicious intent when legitimate binaries are used for nefarious purposes. This blurs the line between supply‑chain attacks and insider threats, amplifying concerns around AI‑driven software supply chain security.

For enterprises, the takeaway is clear: sandboxing must be part of a layered defense, not the sole control. Organizations should enforce strict outbound connectivity rules, adopt zero‑trust networking, and store secrets in short‑lived, encrypted vaults rather than plaintext files. Continuous monitoring of AI runtimes for anomalous package installations, configuration changes, and unusual API traffic is essential. Additionally, leveraging internal, signed repositories and mandatory human approvals for critical actions can curb the risk of autonomous agents becoming covert exfiltration channels. As AI assistants become ubiquitous, integrating these safeguards will be critical to maintaining data integrity and preventing supply‑chain compromises.