For AI agents: a documentation index is available at the root level at /llms.txt and /llms-full.txt. Append /llms.txt to any URL for a page-level index, or .md for the markdown version of any page.
User Guide
User Guide
    • Home
      • Overview
      • Architecture Overview
      • Ecosystem
      • Release Notes
      • Prerequisites
      • Quickstart with Hermes
      • Inference Options
      • Use Local Inference
      • Switch Inference Providers
      • Manage Sandbox Lifecycle
      • Runtime Controls
      • Set Up Messaging Channels
      • Workspace Files
      • Backup and Restore
      • Install Hermes Plugins
      • Approve or Deny Network Requests
      • Customize the Network Policy
      • Integration Policy Examples
      • Monitor Sandbox Activity
      • Security Best Practices
      • Credential Storage
      • Architecture Details
      • Commands
      • Which CLI to Use
      • Network Policies
      • Troubleshooting
      • Agent Skills
      • Report Vulnerabilities
      • License
      • Discord
NVIDIANVIDIA
Developer-friendly docs for your API
Privacy Policy | Your Privacy Choices | Terms of Service | Accessibility | Corporate Policies | Product Security | Contact

Copyright © 2026, NVIDIA Corporation.

LogoLogoNemoClaw
On this page
  • Prerequisites
  • Open the TUI
  • Trigger a Blocked Request
  • Approve or Deny the Request
  • Run the Walkthrough
  • Related Topics
Network Policy

Approve or Deny Agent Network Requests

||View as Markdown|
Previous

Install Hermes Plugins

Next

Customize the Sandbox Network Policy

Review and act on network requests that the agent makes to endpoints not listed in the sandbox policy. OpenShell intercepts these requests and presents them in the TUI for operator approval.

Prerequisites

  • A running NemoClaw sandbox.
  • The OpenShell CLI on your PATH.

Open the TUI

Start the OpenShell terminal UI to monitor sandbox activity:

$openshell term

For a remote sandbox, pass the instance name:

$ssh my-gpu-box 'cd ~/nemoclaw && . .env && openshell term'

The TUI displays the sandbox state, active inference provider, and a live feed of network activity.

Trigger a Blocked Request

When the agent attempts to reach an endpoint that is not in the baseline policy, OpenShell blocks the connection and displays the request in the TUI. The blocked request includes the following details:

  • Host and port of the destination.
  • Binary that initiated the request.
  • HTTP method and path, if available.

Approve or Deny the Request

The TUI presents an approval prompt for each blocked request.

  • Approve the request to add the endpoint to the running policy for the current session.
  • Deny the request to keep the endpoint blocked.

Approved endpoints remain in the running policy until the sandbox stops. They are not persisted to the baseline policy file. To keep an endpoint allowed after a restart, update the policy YAML or apply a preset as described in Customize the Sandbox Network Policy.

Run the Walkthrough

From the NemoClaw repository root, run the walkthrough script after you have onboarded at least one sandbox and it is reachable:

$./scripts/walkthrough.sh

This script opens a split tmux session with the TUI on the left and the agent on the right. The walkthrough requires tmux and the NVIDIA_API_KEY environment variable, and it assumes an existing sandbox to attach to.

Related Topics

  • Customize the Sandbox Network Policy to add endpoints permanently.
  • Network Policies for the full baseline policy reference.
  • Monitor Sandbox Activity for general sandbox monitoring.