Approve or Deny Agent Network Requests
Review network requests that the agent makes to endpoints that are not listed in the sandbox policy. OpenShell intercepts those requests and presents them in the TUI for operator approval.
Prerequisites
- A running NemoClaw sandbox.
- The OpenShell CLI on your
PATH. - Access to the host where the sandbox is running.
Open the TUI
Start the OpenShell terminal UI to monitor sandbox activity:
Local Sandbox
Remote Sandbox
The TUI shows the sandbox state, active inference provider, and live network activity.
From the dashboard, select the running sandbox with j or k, then press Enter to open the sandbox view.
Trigger a Blocked Request
When the agent tries to reach an endpoint that is not in the baseline policy, OpenShell blocks the connection and displays the request in the TUI. The blocked request includes the following details:
- Host and port for the destination.
- Binary that initiated the request.
- HTTP method and path, if available.
Approve or Deny the Request
Blocked requests appear as pending entries in the sandbox view’s Network Rules panel.
After the sandbox opens, the TUI focuses the sandbox policy view.
Press r to focus Network Rules.
Use j or k to select a pending rule, and press Enter to inspect its details.
- Press
ato approve the selected pending rule and add the endpoint to the running policy for the current session. - Press
xto reject the selected pending rule and keep the endpoint blocked. - Press
Ato approve all pending rules, then pressyorEnterat the confirmation prompt.
Approved endpoints remain in the running policy for the sandbox instance. They reset to the baseline when you destroy and recreate the sandbox. They are not persisted to the baseline policy file. To keep an endpoint allowed for future sandbox instances, update the policy YAML or apply a preset as described in Customize the Sandbox Network Policy. Rejected rules stay blocked unless you later approve the same rule or add a matching endpoint to the policy.
Run the Walkthrough Script
The walkthrough script is available in the NemoClaw repository at scripts/walkthrough.sh.
It requires a cloned NemoClaw source checkout on the host where the sandbox is running.
If the sandbox runs on a remote host, SSH to that host before you clone the repository and run the script.
The script opens a split tmux session with the TUI on the left and the agent on the right.
The walkthrough requires tmux, the NVIDIA_INFERENCE_API_KEY environment variable, and at least one onboarded sandbox attached to the active gateway.
It attaches to an existing sandbox.
Related Topics
- Customize the Sandbox Network Policy to add endpoints permanently.
- Network Policies for the full baseline policy reference.
- Monitor Sandbox Activity for general sandbox monitoring.