Hi everyone. This question comes up a lot in my DMs, especially from folks in regulated or high‑security environments. You've read NemoClaw's documentation, which states it's "telemetry‑free," but you need to verify that for yourself before giving it to your engineering team. That's a responsible and necessary step.
I'd suggest a three‑pronged approach to build your own evidence:
First, **static analysis of the source.** Since it's open‑source, you can audit the code yourself. Focus on the `src/llm` and `src/telemetry` directories (if they exist), and any network‑related modules. Look for outgoing HTTP/HTTPS calls that aren't strictly for model inference (like to OpenAI, Anthropic, etc.). Pay special attention to any background services or cron jobs. The commit history and PR discussions can also be telling—look for debates about adding analytics.
Second, **dynamic analysis in a controlled sandbox.** Set up a test machine, isolate its network, and run Cursor with NemoClaw. Use a tool like Wireshark, `mitmproxy`, or simply monitor connections with `lsof` or `netstat`. Trigger various actions: completions, edits, chat, and indexing. The only expected connections should be to your configured LLM providers and possibly to GitHub if you're using repo context. Any call to an unexpected domain would be a red flag.
Third, **check the build and deployment pipeline.** Ensure the binary or extension you're installing is built from the exact source you audited. Reproducible builds are ideal, but at minimum, verify hashes and review the CI configuration (like the GitHub Actions workflows) to see if any scripts inject tracking at build time.
Has anyone here gone through this process already? I'm particularly interested in hearing about the tools you used for network monitoring and any subtle behaviors you observed. Sharing your methodology could really help others in the same boat.
—yuki (mod)
kindness is a security feature
Second part's critical. The sandbox tells you what it actually does, not just what the code says. If your network's isolated, you can also run a simple Python script to log all outbound connections. We had to do this for a compliance audit last year - caught a few unexpected pings to a logging service in a similar tool.
Trust but sanitize.
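A concrete version of the dynamic-analysis prong from yuki's post and the outbound-connection logger mentioned in the reply above, added here as an example that is not code from either poster or from the NemoClaw project. It parses `lsof -i -P` output (the only flag semantics assumed are `-i` for internet sockets and `-P` for numeric ports), keeps anything with no remote endpoint out of the way, and flags every remote host that is not on an allowlist. The allowlist entries (api.openai.com, api.anthropic.com, github.com, loopback and a 10.0.0.0/8 lab range) and the sample lsof lines are constructed assumptions; swap in the providers you actually configured.

```python
"""Audit outbound connections captured with `lsof -i -P` against an allowlist.

Added example for the thread above, not code from the original posts or from
NemoClaw. Run it on a sandboxed machine while exercising completions, chat,
edits and indexing; anything it prints is an endpoint you did not expect.
"""
import ipaddress
import re
import socket
import subprocess
from typing import Dict, Iterable, List, Optional

# Assumed allowlist: the endpoints the post says are the only expected ones.
ALLOWED_DOMAINS = {"api.openai.com", "api.anthropic.com", "github.com"}
ALLOWED_NETWORKS = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("::1/128"),
    ipaddress.ip_network("10.0.0.0/8"),  # assumed isolated lab network
]

# One `lsof -i -P` row: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME,
# where NAME is local->remote [ (STATE) ]. The remote host is a name when lsof
# resolves addresses, a literal IP under -n, and bracketed for IPv6.
_CONN_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+\S+\s+\S+\s+(?P<type>IPv[46])\s+\S+\s+\S+\s+"
    r"(?P<proto>TCP|UDP)\s+\S+->(?P<rhost>\[[^\]]+\]|[^:\s]+):(?P<rport>\d+)"
    r"(?:\s+\((?P<state>[A-Z_]+)\))?$"
)


def parse_lsof_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one connection row, or None for the header,
    listening sockets and anything else without a remote endpoint."""
    m = _CONN_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["rhost"] = fields["rhost"].strip("[]")
    return fields


def is_allowed(rhost: str, domains=ALLOWED_DOMAINS, networks=ALLOWED_NETWORKS) -> bool:
    """A literal IP is allowed if it lies in an allowed network; a name is
    allowed if it equals, or is a subdomain of, an allowed domain."""
    try:
        addr = ipaddress.ip_address(rhost)
    except ValueError:
        host = rhost.lower().rstrip(".")
        return any(host == d or host.endswith("." + d) for d in domains)
    return any(addr in net for net in networks)


def audit(lines: Iterable[str], domains=ALLOWED_DOMAINS,
          networks=ALLOWED_NETWORKS) -> List[Dict[str, str]]:
    """Every parsed connection whose remote host is not on the allowlist."""
    flagged = []
    for line in lines:
        conn = parse_lsof_line(line)
        if conn is not None and not is_allowed(conn["rhost"], domains, networks):
            flagged.append(conn)
    return flagged


def resolve_allowed_networks(domains=ALLOWED_DOMAINS) -> List[ipaddress._BaseNetwork]:
    """Forward-resolve the allowed names into host networks. Use this (online)
    with `lsof -i -P -n`, because reverse DNS of a CDN address rarely matches
    the provider's name and would make a legitimate call look unexpected."""
    nets = []
    for d in domains:
        for info in socket.getaddrinfo(d, 443, proto=socket.IPPROTO_TCP):
            nets.append(ipaddress.ip_network(info[4][0]))
    return nets


def collect_live() -> List[str]:
    """Snapshot the current socket table; poll this in a loop during the test."""
    out = subprocess.run(["lsof", "-i", "-P"], capture_output=True, text=True, check=False)
    return out.stdout.splitlines()


# Constructed sample capture (RFC 5737 test address, made-up vendor host).
SAMPLE_LSOF = """\
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
Cursor   4123 yuki   45u  IPv4 0x1a2b      0t0  TCP 10.0.0.5:51234->api.openai.com:443 (ESTABLISHED)
Cursor   4123 yuki   46u  IPv4 0x1a2c      0t0  TCP 10.0.0.5:51235->github.com:443 (ESTABLISHED)
Cursor   4123 yuki   47u  IPv4 0x1a2d      0t0  TCP 10.0.0.5:51236->metrics.example-vendor.net:443 (SYN_SENT)
node     4130 yuki   22u  IPv4 0x1a2e      0t0  UDP 10.0.0.5:60001->10.0.0.1:53
node     4130 yuki   23u  IPv6 0x1a2f      0t0  TCP [::1]:8080 (LISTEN)
node     4130 yuki   24u  IPv4 0x1a30      0t0  TCP 10.0.0.5:51237->198.51.100.7:443 (ESTABLISHED)
""".splitlines()

if __name__ == "__main__":
    for c in audit(SAMPLE_LSOF):
        print(f"UNEXPECTED {c['cmd']}[{c['pid']}] {c['proto']} -> {c['rhost']}:{c['rport']} {c['state'] or ''}")
```

On the sample it reports the `metrics.example-vendor.net` handshake and the bare `198.51.100.7` session and stays quiet about the provider calls, the DNS query to the lab resolver and the local listener. Two caveats worth keeping in mind: a snapshot tool like `lsof` only sees connections that are open at the moment you poll, so short-lived beacons are easier to catch with a packet capture or `mitmproxy`; and an allowed domain is not proof of benign traffic, since telemetry can ride along in the body of an otherwise expected request, which is where the static review of the request-building code comes back in.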