Setup and context
AI agent security has become critical for production mobile applications. Combining NemoClaw with Rork enables developers to build powerful AI-driven features while maintaining strict security boundaries.
This guide provides implementation-level details for advanced security configurations using OpenShell policies. It assumes you have experience building with Rork and foundational knowledge of AI security principles.
Understanding NemoClaw and OpenShell Policies
NemoClaw is a security framework that enforces strict behavioral constraints on AI agents. OpenShell policies deliver:
- API access whitelisting and blacklisting
- User input sanitization
- Role-based database access control
- Automatic audit logging and traceability
Integrating NemoClaw into Rork-built mobile apps provides defense-in-depth security across client and server layers.
OpenShell Policy Configuration
OpenShell policies use JSON-based definitions. When integrating with Rork's Cloudflare Workers backend, the core structure looks like this:
const nemoclawPolicy = {
version: "1.0",
agent: {
id: "app-agent-prod-001",
maxTokensPerRequest: 2048,
allowedModels: ["gemini-2.0-pro", "claude-3-5-sonnet"],
enforceContextWindow: true
},
permissions: {
database: {
allowed: ["users", "transactions"],
deniedTables: ["admin_logs", "api_keys"],
maxRowsPerQuery: 1000
},
externalAPIs: {
whitelist: ["https://api.stripe.com/v1", "https://api.sendgrid.com/v3"],
requireHTTPS: true,
timeout: 30000
}
}
};Implementing Agents in Rork Apps
Using Rork's Vibe Coding approach, implement agents with this pattern:
export default function AiAgentScreen() {
const [userInput, setUserInput] = useState("");
const [response, setResponse] = useState("");
const invokeAgent = async (prompt) => {
const requestPayload = {
agentId: "app-agent-prod-001",
policy: "openshell-v1",
userMessage: prompt,
timestamp: new Date().toISOString(),
userId: await getUserId()
};
try {
const response = await fetch("https://api.rorklab.net/v1/agent/invoke", {
method: "POST",
headers: {
"Content-Type": "application/json",
"Authorization": `Bearer ${RORK_API_TOKEN}`
},
body: JSON.stringify(requestPayload)
});
const result = await response.json();
if (result.success) {
setResponse(result.agentResponse);
}
} catch (error) {
console.error("Agent invocation failed:", error);
}
};
return (
<View style={{ flex: 1, padding: 16 }}>
<TextInput placeholder="Ask the agent..." value={userInput} onChangeText={setUserInput} />
<Button title="Send" onPress={() => invokeAgent(userInput)} />
<Text>{response}</Text>
</View>
);
}Security Best Practices
1. Token Management
Work with Rork's environment variables to manage NemoClaw tokens securely:
- Store API tokens in
.env.local(never commit to version control) - Rotate tokens regularly (every 90 days)
- Use Secure Enclave / Keychain instead of device local storage
2. Data Minimization Principle
Provide agents only the data they need:
- Remove personally identifiable information (PII)
- Hash user IDs before passing to agents
- Automatically mask sensitive fields in all communications
3. Real-Time Monitoring
Combine Cloudflare Workers with NemoClaw for anomaly detection:
export default {
async fetch(request) {
const payload = await request.json();
if (payload.tokensUsed > 4000) {
await logViolation({
type: "EXCESSIVE_TOKENS",
agentId: payload.agentId,
tokens: payload.tokensUsed
});
return new Response("Policy violation", { status: 403 });
}
return new Response("OK");
}
};Related Resources
Learn more about advanced AI agent development with Rork:
Summary
Combining NemoClaw with Rork creates a robust, secure foundation for production mobile AI agents. By properly configuring OpenShell policies, you protect user data while unlocking powerful capabilities.