Running NemoClaw or OpenClaw locally? Audit your server before you give an AI agent the keys.

NVIDIA just announced NemoClaw at GTC 2026 today. If you're in the OpenClaw community, you're probably already thinking about running it locally on a dedicated machine. Before you do — your server needs to be clean first. An always-on AI agent with access to your files, tools, and network is only as secure as the infrastructure it runs on. Here's what to check before you hand over the keys. 1. Your Docker ports might be publicly exposed NemoClaw and OpenClaw both run in Docker. The most common misconfiguration in any Docker setup is this: ports: "11434:11434" That binds to 0.0.0.0 — meaning your AI agent's inference port is accessible from the public internet, not just localhost. UFW won't catch it. Docker bypasses UFW entirely by inserting rules directly into iptables PREROUTING. The fix: ports: "127.0.0.1:11434:11434" Check every port mapping in your compose file before NemoClaw goes live. 2. Your firewall has IPv4/IPv6 mismatches You locked down IPv4. IPv6 is wide open. Same result