> ## Documentation Index
> Fetch the complete documentation index at: https://docs.memanto.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Overview & Ecosystem

> How MemantoClaw integrates with OpenClaw and OpenShell.

<img alt="MemantoClaw" src="https://mintcdn.com/memanto/II1GP7bpRVzYh2QP/logo/MemAntoClaw.webp?fit=max&auto=format&n=II1GP7bpRVzYh2QP&q=85&s=d90b46fb8698eca43942a89d99da7284" style={{width:'300px',borderRadius:'10px'}} width="840" height="1088" data-path="logo/MemAntoClaw.webp" />

# MemantoClaw

**MemantoClaw** is an open-source reference stack that simplifies running [OpenClaw](https://openclaw.ai/) always-on assistants safely with built-in long-term memory.

It combines three core technologies:

* **Autonomy ([OpenClaw](https://openclaw.ai))**: A powerful open-source agent framework.
* **Security ([NVIDIA OpenShell](https://github.com/NVIDIA/OpenShell))**: A hardened sandbox that restricts network egress and file access.
* **Memory (Memanto)**: A long-term memory architecture powered by Moorcheh that carries context across sessions.

## 🏗️ Architecture

<img alt="High-level architecture overview" src="https://mintcdn.com/memanto/5a0T_-DNLe9b95rq/images/memantoclaw/memantoclaw-diagram-2.png?fit=max&auto=format&n=5a0T_-DNLe9b95rq&q=85&s=a130faf4350a341574b75eeb361e8e9e" width="1623" height="763" data-path="images/memantoclaw/memantoclaw-diagram-2.png" />

MemantoClaw keeps sensitive host integrations outside the sandbox while preserving a seamless agent experience inside it:

* The **host** manages credentials and provider routing to long-term memory services.
* The **sandbox** runs OpenClaw under OpenShell policy enforcement.
* The agent receives only the context it needs for each task, not raw host credentials or memory databases.

This gives you autonomous workflows with strong controls over network, filesystem, and process behavior.

## The Ecosystem and How the Stack Fits Together

Three pieces usually appear together in a MemantoClaw deployment, each with a distinct scope:

| Project         | Scope                                                                                                                                                                   |
| --------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **OpenClaw**    | The assistant: runtime, tools, memory, and behavior inside the container. It does not define the sandbox or the host gateway.                                           |
| **OpenShell**   | The execution environment: sandbox lifecycle, network, filesystem, and process policy, inference routing, and the operator-facing `openshell` CLI for those primitives. |
| **MemantoClaw** | The reference stack that implements the definition above on the host: CLI and plugin, versioned blueprint, state migration helpers, and Moorcheh memory bridge.         |

MemantoClaw sits above OpenShell in the operator workflow. It drives OpenShell APIs and CLI to create and configure the sandbox that runs OpenClaw. Models and endpoints sit behind OpenShell's inference routing. MemantoClaw onboarding wires provider choice into that routing, and inherently injects the Memanto memory bridge.

## MemantoClaw Path versus OpenShell Path

Both paths assume OpenShell can sandbox a workload. The difference is who owns the integration work.

* **MemantoClaw path**: You adopt the reference stack. MemantoClaw's blueprint encodes a hardened image, default policies, Moorcheh integration, and orchestration so `memantoclaw onboard` can provision a validated environment with minimal manual configuration.
* **OpenShell path**: You use OpenShell as the platform and supply your own container, install steps, policy YAML, provider setup, and any host bridges.

### What MemantoClaw Adds Beyond the OpenShell Community Sandbox

| Capability              | `openshell sandbox create --from openclaw`                            | `memantoclaw onboard`                                                      |
| ----------------------- | --------------------------------------------------------------------- | -------------------------------------------------------------------------- |
| **Sandbox isolation**   | Yes. OpenShell applies seccomp filters, Landlock, privilege dropping. | Yes. MemantoClaw applies these and layers a more restrictive policy.       |
| **Credential handling** | You create providers manually.                                        | Creates providers automatically and filters sensitive host env vars.       |
| **Image hardening**     | Standard system tools included.                                       | Strips build toolchains (`gcc`, `make`) and network probes (`netcat`).     |
| **Filesystem policy**   | Bundled policy for OpenClaw.                                          | More restrictive read-only/read-write layout. Gateway config is immutable. |
| **Inference setup**     | Manual configuration.                                                 | Wizard validates credentials, configures routing automatically.            |
| **Memory integration**  | Manual vector DB provisioning required.                               | **Zero-config Memanto integration via Moorcheh**.                          |

## The Memanto Advantage

### Unified API Key for Memory and Inference

MemantoClaw simplifies credential management by bundling both long-term memory access and native LLM inference into a **single API key**.

Instead of juggling separate keys for your vector database (or Moorcheh memory service) and your LLM inference provider, your Moorcheh API key authenticates both. When you run `memantoclaw onboard`, you provide this one key, and MemantoClaw automatically configures the OpenShell inference gateway to proxy your LLM requests while simultaneously enabling the zero-config memory bridge.

### Secure and Real-time Memory

By leveraging Moorcheh's infrastructure, the Memanto memory layer offers zero-wait ingestion (no indexing delays) and a secure host-bridge architecture where memory stays safely on Moorcheh, and the sandbox only receives specific retrieved context.

## Deep Dive: How It Works

<img alt="Runtime routing and proxy flow" src="https://mintcdn.com/memanto/5a0T_-DNLe9b95rq/images/memantoclaw/memantoclaw-diagram-1.png?fit=max&auto=format&n=5a0T_-DNLe9b95rq&q=85&s=c97081d478b8705099d6d92e8d84bcf2" width="3368" height="3144" data-path="images/memantoclaw/memantoclaw-diagram-1.png" />

At a high level, MemantoClaw handles each request inside the OpenShell container by letting OpenClaw process the query, work with short-term context, and route memory and model calls through dedicated host-aware proxies. One path connects to Memanto for durable long-term memory, while the other handles inference through Moorcheh-native endpoints.

That routing pattern is what keeps credentials and external integrations on the host side, while the agent runtime remains isolated in the sandbox.

<br />

<hr />

*For complete, unabridged technical details on this topic, refer to the official [NVIDIA NemoClaw Documentation](https://docs.nvidia.com/nemoclaw/latest/about/overview.html). Portions of this guide are summarized and adapted from NVIDIA Corporation (Copyright © 2026), licensed under the Apache License, Version 2.0.*
