> For clean Markdown of any page, append .md to the page URL. > For a complete documentation index, see https://docs.nvidia.com/nemoclaw/llms.txt. > For full documentation content, see https://docs.nvidia.com/nemoclaw/llms-full.txt. > For AI client integration (Claude Code, Cursor, etc.), connect to the MCP server at https://docs.nvidia.com/nemoclaw/_mcp/server. # Runtime Controls and Sandbox Mutability > Consolidated reference for what you can change on a running NemoClaw sandbox, what requires rebuild or re-onboard, and the operator-only `shields up` / `shields down` / `shields status` commands. This page is the single reference for two related operator questions about a running NemoClaw sandbox: 1. *Which parts of my sandbox can I change while it is running, and which require a rebuild or re-onboard?* 2. *How do I temporarily lower or restore the sandbox security posture for an operator session?* The mutability table below answers question 1. The shields commands answer question 2. ## What you can change at runtime NemoClaw applies its security posture in three layers — what is baked into the sandbox image at onboard, what is hot-reloadable on the running sandbox, and what requires a rebuild or re-onboard. The table below maps each commonly changed item to the layer that owns it and the command that changes it. | Item | When the change takes effect | How to change it | | ----------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------ | | Inference provider (cloud, NVIDIA Endpoints, local Ollama / vLLM, compatible-endpoint, …) | Rebuild required (`openclaw.json` is locked at sandbox creation) | `nemoclaw rebuild` after picking a different provider via `nemoclaw inference set` | | Inference model on the current provider | Rebuild required for OpenClaw; hot-reloadable for managed routers | `nemoclaw rebuild` (OpenClaw) or `nemoclaw inference set` (router-based) | | Sub-agent (Hermes / OpenClaw / …) | Re-onboard required (the sub-agent and its workspace are baked at onboard) | `nemoclaw onboard --recreate-sandbox` | | Network policy preset (slack, discord, telegram, brave, …) | Runtime — applies on the next request; rebuild only required if the preset adds bind-mounted secrets | `nemoclaw policy-add ` / `policy-remove ` | | Network allow-list (custom hosts) | Runtime — picks up at next request | `openshell policy set` or interactive approval prompt at the gateway | | Channel tokens (Slack / Discord / Telegram bot credentials) | Rebuild required (tokens are baked into the sandbox image at onboard so they never leave the host clear-text) | `nemoclaw channels add ` then accept the rebuild prompt | | Channel enable/disable (turn a configured channel off without removing the token) | Rebuild required (`openclaw.json` is the source of truth at runtime, see #3453) | `nemoclaw channels stop ` then rebuild | | Dashboard forward port | Runtime — port is re-resolved on next `connect` | `NEMOCLAW_DASHBOARD_PORT= nemoclaw connect` | | Dashboard bind address (loopback vs all interfaces) | Runtime — applies on next `connect` | `NEMOCLAW_DASHBOARD_BIND=0.0.0.0 nemoclaw connect` (see #3259) | | Web search backend (Brave, Tavily, etc.) | Runtime via `web.backend` config flag; rebuild only if `web.fetchEnabled` flips | `nemoclaw config set --key web.backend --value tavily` | | Filesystem layout (Landlock zones, read-only mounts, container caps) | **Locked at creation** — no runtime change | Re-onboard with `nemoclaw onboard --recreate-sandbox` | | Sandbox name | **Locked at creation** | Re-onboard with a different `--name` | | GPU passthrough enable / device selector | **Locked at creation** | Re-onboard with `--gpu` / `--sandbox-gpu-device` | | Shields posture (locked ↔ default mutable) | Runtime (operator-only) | `nemoclaw shields up` / `shields down` — see the next section | | Agents allow-list (`agents.list` in `openclaw.json`) | Runtime — hot-reloaded by OpenClaw on config change | Edit `openclaw.json` while shields are down | | `openclaw.json` keys (general — model, agents.list, web.backend, channel config, etc.) | Mixed: locked under `shields up`, runtime-editable under `shields down`. Individual keys still follow the rebuild rules in the rows above (e.g. provider switch requires rebuild even after editing the JSON). | `nemoclaw shields down`, edit `/opt/nemoclaw/openclaw.json` inside the sandbox, then `nemoclaw shields up` | If a row above conflicts with what you observe, the runtime source of truth inside the sandbox is `/opt/nemoclaw/openclaw.json`; the host registry caches metadata but the image and OpenClaw read from the in-sandbox file. ## Shields commands Shields are an operator-only switch that toggles the sandbox between its default mutable state and a locked-down posture. The sandbox itself cannot raise or lower its own shields — every transition is initiated from the host so a compromised agent cannot escape its policy by editing config. Three commands manage the posture. The commands are hidden from the standard `--help` output because they are operator workflows, not developer workflows; everything below documents the full surface. ### `shields status` Print the current shields mode (`mutable_default`, `locked`, or `temporarily_unlocked`), the active policy preset, and any pending automatic restore timer. ```console $ nemoclaw my-assistant shields status Shields: locked Policy: strict Auto-restore: not scheduled (use `shields down --timeout 10m` to schedule) ``` ### `shields up` Raise shields: lock `openclaw.json` (and other mutable config files) against in-sandbox edits and apply the restrictive network policy that was captured the last time the sandbox was shielded. This is the default expected state for a sandbox the operator has handed off to an agent. ```console $ nemoclaw my-assistant shields up ✓ Shields raised: config locked, restrictive policy applied ``` `shields up` takes no flags. If no saved snapshot exists yet (a fresh sandbox), the snapshot is taken from the current state. ### `shields down` Lower shields: unlock config and apply a permissive (or operator-named) network policy so the operator can edit `openclaw.json`, swap presets, or run interactive maintenance. ```console $ nemoclaw my-assistant shields down --timeout 10m --reason "rotating slack token" ✓ Shields lowered for 10m (policy: permissive); auto-restore at 14:32 UTC ``` | Flag | Default | Effect | | ---------------------- | ----------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | `--timeout ` | *no auto-restore* | After the duration elapses, a detached host-side timer re-runs `shields up` automatically. Accepts `5m`, `30s`, `1h`, etc. | | `--reason ` | *empty* | Recorded in the shields audit log on the host. Required by some org policies; recommended for any cross-team session. | | `--policy ` | `permissive` | Apply this named policy preset while shields are down instead of the default permissive set. Use a tighter preset (e.g. `messaging-only`) when the maintenance window only needs a subset of egress. | The auto-restore timer is detached from the `shields down` invocation — closing your terminal does not cancel the restore. If the timer process is killed before the deadline (e.g. host reboot), `shields status` will surface the inconsistency on the next check (see #3112 for the fail-open fix). ## See also The mutability table above is a consolidated index of information that lives in more detail on per-topic pages: * [Manage Sandbox Lifecycle](/manage-sandboxes/lifecycle) — full rebuild / re-onboard / upgrade workflow. * [Switch Inference Providers](/inference/switch-inference-providers) — the rebuild path for provider and model changes. * [Customize Network Policy](/network-policy/customize-network-policy) and [Approve Network Requests](/network-policy/approve-network-requests) — runtime policy editing and operator approval flow. * [Security Best Practices](/security/best-practices) — the per-attack-surface posture table that this page complements. * [OpenClaw Security Controls](/security/openclaw-controls) — application-layer controls that operate independently of NemoClaw. * [CLI Commands Reference](/reference/commands) — full flag surface for every `nemoclaw` command, including the env vars that affect runtime behavior.