They said the NemoClaw sandbox was "hermetic." I've got 23 holes that say otherwise.

Spent two days treating it like any other target. Assumed every boundary was a suggestion until proven otherwise. The results are... predictable.

* The "secure" prompt preamble is just a string filter. Break its tokenizer assumptions with multi-lingual encoding tricks and it forgets its instructions.
* The file-upload sanitizer for RAG contexts only checks for *known* injection patterns. A simple polyglot file (PDF with embedded script) sailed through.
* The system prompt leak is trivial via a few iterative "summarize the above" requests that slowly exfiltrate the boundary rules themselves.

Their main defense seems to be obscuring the actual runtime environment. Once you map it, it's standard library and OS calls, all waiting for a clever escape. Most of the vectors are variations on classic LLM jailbreaks, just adapted to their specific container setup. The "attestation" they tout only proves you're running *their* code, not that their code is secure.

Vendor claims of "resistance" are meaningless without the test methodology. Here's mine: treat the entire pipeline as an app, and the LLM as just another, very weird, API endpoint. Fuzz every input. Assume every output can be repurposed.