Install OpenClaw Plugins | NVIDIA NemoClaw

OpenClaw plugins extend the OpenClaw runtime with hooks, services, tools, or provider integrations. They are different from NemoClaw-managed agent skills:

Plugins are code packages loaded by OpenClaw.
Skills are SKILL.md directories that teach an agent how to perform a task.
Policy presets are network-egress rules that control what sandboxed code can reach.

Today, the supported NemoClaw path for OpenClaw plugins is to bake the plugin into a custom sandbox image and onboard from that Dockerfile.

Prepare a Build Directory

Put the Dockerfile and everything it needs to COPY in one directory. nemoclaw onboard --from <Dockerfile> uses the Dockerfile’s parent directory as the Docker build context.

my-plugin-sandbox/
├── Dockerfile
└── my-plugin/
    ├── package.json
    └── src/

Example Dockerfile

Use the custom image to copy the plugin into the OpenClaw extensions directory and let OpenClaw refresh its config before NemoClaw starts the sandbox.

1 ARG SANDBOX_BASE=ghcr.io/nvidia/nemoclaw/sandbox-base:latest
2 FROM ${SANDBOX_BASE}
3 
4 COPY my-plugin/ /opt/my-plugin/
5 WORKDIR /opt/my-plugin
6 RUN npm ci --no-audit --no-fund && npm run build
7 
8 RUN mkdir -p /sandbox/.openclaw/extensions \
9  && cp -a /opt/my-plugin /sandbox/.openclaw/extensions/my-plugin \
10  && openclaw doctor --fix
11 
12 WORKDIR /opt/nemoclaw

If the plugin needs configuration in openclaw.json, apply it after openclaw doctor --fix so the base config exists first.

Create the Sandbox

Point nemoclaw onboard --from at the Dockerfile in the build directory.

1 $ nemoclaw onboard --from ./my-plugin-sandbox/Dockerfile

If you need a second sandbox alongside an existing one, use a dedicated build directory and rerun onboarding with the sandbox name and ports you intend to use.

Network Access

Plugins still run inside the sandbox policy boundary. If a plugin needs network egress, add or update a policy preset for the required hostnames and binaries before rebuilding the sandbox.

For example, see Network Policies for policy concepts and Customize Network Policy for custom preset workflows.

Common Mistakes

These are the most common places where plugin installation gets mixed up with other NemoClaw extension paths.

Do not use nemoclaw <sandbox> skill install for OpenClaw plugins. That command only installs SKILL.md agent skills.
Do not put a Dockerfile in a broad directory such as /tmp unless you intend to send that whole directory as the Docker build context.
Keep plugin dependencies in the build stage or plugin directory; avoid copying unrelated host files into the sandbox image.

Next Steps

Review Sandbox Hardening before adding plugin code to a shared or long-lived sandbox.
Review Network Policies to plan plugin egress rules.
Follow Customize Network Policy if the plugin needs a custom preset.