# Network Policies

NemoClaw runs with a deny-by-default network policy.
The sandbox can only reach endpoints that are explicitly allowed.
Any request to an unlisted destination is intercepted by OpenShell, and the operator is prompted to approve or deny it in real time through the TUI.

## Baseline Policy

The baseline policy is defined in `nemoclaw-blueprint/policies/openclaw-sandbox.yaml`.

Note

Hermes sandboxes use an agent-specific baseline policy in `agents/hermes/policy-additions.yaml` so Hermes runtime binaries can reach the service endpoints they need while keeping the same deny-by-default model.

### Filesystem

| Path | Access |
| --- | --- |
| `/sandbox`, `/tmp`, `/dev/null` | Read-write |
| `/usr`, `/lib`, `/proc`, `/dev/urandom`, `/app`, `/etc`, `/var/log` | Read-only |

The sandbox process runs as a dedicated `sandbox` user and group.
Landlock LSM enforcement applies on a best-effort basis.

### Network Policies

The following endpoint groups are allowed by default:

| Policy | Endpoints | Binaries | Rules |
| --- | --- | --- | --- |
| `nvidia` | `integrate.api.nvidia.com:443`, `inference-api.nvidia.com:443` | `/usr/local/bin/openclaw` | POST to inference and embedding paths, GET to model listings |
| `clawhub` | `clawhub.ai:443` | `/usr/local/bin/openclaw`, `/usr/local/bin/node` | GET, POST |
| `openclaw_api` | `openclaw.ai:443` | `/usr/local/bin/openclaw`, `/usr/local/bin/node` | GET, POST |
| `openclaw_docs` | `docs.openclaw.ai:443` | `/usr/local/bin/openclaw` | GET only |
| `npm_registry` | `registry.npmjs.org:443` | `/usr/local/bin/openclaw` only (for `openclaw plugins install`) | GET only |

All endpoints use TLS and are enforced on port 443.

Note

GitHub access (`github.com`, `api.github.com`) is not included in the baseline policy.
Apply the `github` preset during onboarding if your agent needs GitHub access.
See [Customize the Network Policy](https://docs.nvidia.com/nemoclaw/latest/network-policy/customize-network-policy.html).

Messaging endpoints for Telegram, Discord, and Slack are not included in the baseline policy.
Enable the channel during onboarding or apply the matching messaging preset so the sandbox can reach that platform.

## Policy Tiers

During onboarding, the wizard prompts for a policy tier that determines the default set of presets applied on top of the baseline policy.
The baseline policy is always applied regardless of the selected tier.

| Tier | Presets included | Description |
| --- | --- | --- |
| Restricted | None | Base sandbox only. No third-party network access beyond inference and core agent tooling. |
| Balanced (default) | npm, pypi, huggingface, brew, brave | Full dev tooling and web search. No messaging platform access. |
| Open | npm, pypi, huggingface, brew, brave, slack, discord, telegram, jira, outlook | Broad access across third-party services including messaging and productivity. |

After selecting a tier, a combined preset and access-mode screen lets you include or exclude individual presets and toggle each between read (GET only) and read-write (GET + POST/PUT/PATCH) access.
Tier-default presets are pre-selected; additional presets can be added from the full list.

Tier definitions are stored in `nemoclaw-blueprint/policies/tiers.yaml`.

In non-interactive mode, set the tier with `NEMOCLAW_POLICY_TIER`:

```
$ NEMOCLAW_POLICY_TIER=open nemoclaw onboard --non-interactive --yes-i-accept-third-party-software
```

If the value does not match a known tier, onboarding exits with an error listing the valid options.

### Inference

The baseline policy allows only the `local` inference route. External inference providers are reached through the OpenShell gateway, not by direct sandbox egress.

## Operator Approval Flow

When the agent attempts to reach an endpoint not listed in the policy, OpenShell intercepts the request and presents it in the TUI for operator review:

1. The agent makes a network request to an unlisted host.

2. OpenShell blocks the connection and logs the attempt.

3. The TUI command `openshell term` displays the blocked request with host, port, and requesting binary.

4. The operator approves or denies the request.

5. If approved, the endpoint is added to the running policy for the session.


To try this, run the walkthrough:

```
$ ./scripts/walkthrough.sh
```

This opens a split tmux session with the TUI on the left and the agent on the right.

## Modifying the Policy

### Static Changes

Edit `nemoclaw-blueprint/policies/openclaw-sandbox.yaml` and re-run the onboard wizard:

```
$ nemoclaw onboard
```

### Dynamic Changes

Apply policy updates to a running sandbox without restarting:

```
$ openshell policy update <sandbox-name> --add-endpoint api.example.com:443:read-only:rest:enforce
```
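
As an added illustration (not OpenShell's or NemoClaw's code), the following Python models the deny-by-default evaluation this page describes: the baseline endpoint groups from the table above, the read (GET only) and read-write (GET + POST/PUT/PATCH) access modes, and an operator approval that adds an endpoint in the `host:port:access:protocol:mode` form used by `--add-endpoint`. The names `Rule`, `Policy`, `parse_endpoint_spec` and `baseline_policy` are assumptions; the nvidia group's path-level rules and the protocol and mode fields are accepted but not interpreted.

```python
from dataclasses import dataclass, field
ACCESS_METHODS = {  # access modes as the onboarding screen defines them
    "read-only": frozenset({"GET"}),
    "read-write": frozenset({"GET", "POST", "PUT", "PATCH"}),
}
OPENCLAW, NODE = "/usr/local/bin/openclaw", "/usr/local/bin/node"

@dataclass(frozen=True)
class Rule:
    host: str
    port: int
    binaries: frozenset  # empty means any sandbox binary may use the endpoint
    methods: frozenset

def parse_endpoint_spec(spec):
    """Parse the host:port:access:protocol:mode form used by --add-endpoint."""
    host, port, access, _protocol, _mode = spec.split(":")  # last two not modeled
    if access not in ACCESS_METHODS:
        raise ValueError(f"unknown access mode {access!r}")
    return Rule(host, int(port), frozenset(), ACCESS_METHODS[access])

@dataclass
class Policy:
    rules: list = field(default_factory=list)
    blocked: list = field(default_factory=list)  # what the TUI surfaces to the operator

    def decision(self, host, port, binary, method):
        """Deny by default: allow only an explicit host/port/binary/method match."""
        for r in self.rules:
            if ((r.host, r.port) == (host, port) and method in r.methods
                    and (not r.binaries or binary in r.binaries)):
                return "allow"
        self.blocked.append((host, port, binary, method))  # logged, then shown for approval
        return "deny"

    def approve(self, spec):
        """Operator approval adds the endpoint to the running policy for the session."""
        self.rules.append(parse_endpoint_spec(spec))

def baseline_policy():
    """Baseline endpoint groups from the table above (nvidia path rules not modeled)."""
    gp, ro = frozenset({"GET", "POST"}), ACCESS_METHODS["read-only"]
    return Policy([
        *[Rule(h, 443, frozenset({OPENCLAW}), gp)
          for h in ("integrate.api.nvidia.com", "inference-api.nvidia.com")],
        Rule("clawhub.ai", 443, frozenset({OPENCLAW, NODE}), gp),
        Rule("openclaw.ai", 443, frozenset({OPENCLAW, NODE}), gp),
        Rule("docs.openclaw.ai", 443, frozenset({OPENCLAW}), ro),
        Rule("registry.npmjs.org", 443, frozenset({OPENCLAW}), ro),
    ])
```

A request that matches no rule is recorded in `blocked`, which is the point at which the real system would prompt the operator; an approval with a read-only spec admits GET but still denies POST.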

To replace the live policy with a complete raw policy file, use `openshell policy set`:

```
$ openshell policy set --policy <policy-file> <sandbox-name>
```
