Network Policies
NemoClaw runs with a deny-by-default network policy. The sandbox can only reach endpoints that are explicitly allowed. OpenShell intercepts any request to an unlisted destination and prompts the operator to approve or deny it in real time through the TUI.
Baseline Policy
The baseline policy is defined in nemoclaw-blueprint/policies/openclaw-sandbox.yaml.
Filesystem
/dev/pts is the pseudo-terminal (devpts) directory.
It is writable so PTY-based tools (tmux, script, and interactive shells) can allocate a terminal.
Without it, those tools fail with fork failed: Permission denied.
The sandbox process runs as a dedicated sandbox user and group.
Landlock LSM enforcement applies on a best-effort basis.
Network Policies
The following endpoint groups are allowed by default:
All endpoints use TLS termination and are enforced at port 443.
GitHub access (github.com, api.github.com) is not included in the baseline policy.
Apply the github preset during onboarding if your agent needs GitHub access.
Refer to Customize the Network Policy.
The baseline policy does not include messaging endpoints for Telegram, Discord, Slack, WeChat, or WhatsApp. Enable the channel during onboarding or apply the matching messaging preset so the sandbox can reach that platform. WeChat and WhatsApp are experimental. Review Messaging Channels before enabling them.
Policy Tiers
During onboarding, the wizard prompts for a policy tier that determines the default set of presets applied on top of the baseline policy. The baseline policy is always applied regardless of the selected tier.
After selecting a tier, a combined preset and access-mode screen lets you include or exclude individual presets and toggle each between read (GET only) and read-write (GET + POST/PUT/PATCH) access.
Tier-default presets are pre-selected; additional presets can be added from the built-in preset list available to the sandbox’s active agent.
NemoClaw filters tier defaults and built-in preset choices by the active agent’s supported integrations.
OpenClaw can select brave or tavily, while Hermes can select tavily only.
NemoClaw automatically suggests the preset that matches the selected provider and removes stale web search presets during resume reconciliation when you switch providers or disable web search.
Explicit custom preset lists and manual interactive selections remain operator-controlled.
OpenClaw onboarding also adds the openclaw-pricing preset on top of tier defaults so session-cost records can populate from LiteLLM and OpenRouter without manual configuration.
When the OpenClaw OTEL diagnostics feature is enabled with a local endpoint, NemoClaw adds the openclaw-diagnostics-otel-local preset on the same basis.
The applied set therefore reflects the chosen tier plus any agent-required presets, so policy-list may show one or more presets that do not appear in the tier table above.
The policy-list provenance tags are inferred from the current tier YAML and the active agent at display time and are not persisted per preset.
A preset whose name matches an entry in the sandbox’s current tier definition is labelled [from <tier> tier] even when an operator added it manually with policy-add after onboarding; agent-specific preset names are only labelled [from <agent> agent] when the active agent matches.
Claude Code direct egress is not included in any policy tier.
If you install and run the Claude Code CLI inside the sandbox with its own credentials, apply the claude-code preset explicitly.
Normal NemoClaw Anthropic inference still routes through the OpenShell gateway.
Tier definitions are stored in nemoclaw-blueprint/policies/tiers.yaml.
In non-interactive mode, set the tier with NEMOCLAW_POLICY_TIER:
Unset, blank, or whitespace-only NEMOCLAW_POLICY_TIER values use the balanced default.
In non-interactive onboarding, a non-blank value that does not match a known tier exits before preflight, gateway, or inference side effects and lists the valid options.
Interactive onboarding ignores an invalid environment value and shows the normal tier prompt.
Inference
The baseline policy allows only the local inference route.
External inference providers are reached through the OpenShell gateway, not by direct sandbox egress.
Operator Approval Flow
When the agent attempts to reach an endpoint not listed in the policy, OpenShell intercepts the request and presents it in the TUI for operator review. The flow has these steps:
- The agent makes a network request to an unlisted host.
- OpenShell blocks the connection and logs the attempt.
- The TUI command
openshell termdisplays the blocked request with host, port, and requesting binary. - The operator approves or denies the request.
- If approved, the endpoint is added to the running policy for the session.
To try this, run the walkthrough:
This opens a split tmux session with the TUI on the left and the agent on the right.
Modifying the Policy
Static Changes
Edit nemoclaw-blueprint/policies/openclaw-sandbox.yaml and re-run the onboard wizard:
Dynamic Changes
Apply policy updates to a running sandbox without restarting:
To replace the live policy with a complete base policy file, export the current base policy and use openshell policy set.
Requires OpenShell 0.0.72+ for the round-trippable policy get --base and policy set --wait syntax.
NemoClaw strips the OpenShell metadata header and exits non-zero if it cannot validate the base policy.
Do not add --raw when you plan to edit and reapply the file.
Edit or review current-policy.yaml, then apply it: