Approve or Deny Agent Network Requests

View as Markdown

Review network requests that the agent makes to endpoints that are not listed in the sandbox policy. OpenShell intercepts those requests and presents them in the TUI for operator approval.

1

Prerequisites

  • A running NemoClaw sandbox.
  • The OpenShell CLI on your PATH.
  • Access to the host where the sandbox is running.
2

Open the TUI

Start the OpenShell terminal UI to monitor sandbox activity:

$openshell term

The TUI shows the sandbox state, active inference provider, and live network activity. From the dashboard, select the running sandbox with j or k, then press Enter to open the sandbox view.

3

Trigger a Blocked Request

When the agent tries to reach an endpoint that is not in the baseline policy, OpenShell blocks the connection and displays the request in the TUI. The blocked request includes the following details:

  • Host and port for the destination.
  • Binary that initiated the request.
  • HTTP method and path, if available.
4

Approve or Deny the Request

Blocked requests appear as pending entries in the sandbox view’s Network Rules panel. After the sandbox opens, the TUI focuses the sandbox policy view. Press r to focus Network Rules. Use j or k to select a pending rule, and press Enter to inspect its details.

  • Press a to approve the selected pending rule and add the endpoint to the running policy for the current session.
  • Press x to reject the selected pending rule and keep the endpoint blocked.
  • Press A to approve all pending rules, then press y or Enter at the confirmation prompt.

Approved endpoints remain in the running policy for the sandbox instance. They reset to the baseline when you destroy and recreate the sandbox. They are not persisted to the baseline policy file. To keep an endpoint allowed for future sandbox instances, update the policy YAML or apply a preset as described in Customize the Sandbox Network Policy. Rejected rules stay blocked unless you later approve the same rule or add a matching endpoint to the policy.

5

Run the Walkthrough Script

The walkthrough script is available in the NemoClaw repository at scripts/walkthrough.sh. It requires a cloned NemoClaw source checkout on the host where the sandbox is running.

1

If the sandbox runs on a remote host, SSH to that host before you clone the repository and run the script.

2

Clone the NemoClaw repository on the host where the sandbox is running. Do this even if you installed NemoClaw with the public installer, because the walkthrough script is a source-checkout helper.

$git clone https://github.com/NVIDIA/NemoClaw.git ~/nemoclaw
$cd ~/nemoclaw
3

Onboard at least one sandbox and confirm that it is attached to the active gateway.

4

Run the walkthrough script from the NemoClaw repository root.

$./scripts/walkthrough.sh

The script opens a split tmux session with the TUI on the left and the agent on the right. The walkthrough requires tmux, the NVIDIA_INFERENCE_API_KEY environment variable, and at least one onboarded sandbox attached to the active gateway. It attaches to an existing sandbox.