NemoClawNemoClaw uses two host-side CLIs.
Use nemoclaw for NemoClaw-managed workflows.
Use openshell when you need a lower-level OpenShell operation that NemoClaw intentionally exposes.
If the task changes how NemoClaw creates, rebuilds, preserves, or configures a sandbox, start with nemoclaw.
If the task inspects or changes the live OpenShell gateway, TUI, raw policy, port forwarding, inference route, or sandbox file transfer, use openshell.
Do not create or recreate NemoClaw-managed sandboxes directly with openshell sandbox create unless you intend to manage OpenShell yourself.
Run nemoclaw onboard afterward if you need to return to a NemoClaw-managed environment.
nemoclaw For NemoClaw WorkflowsUse nemoclaw for operations where NemoClaw adds product-specific state, safety checks, backup behavior, credential handling, or OpenClaw configuration.
Install, onboard, or recreate a NemoClaw sandbox:
List, connect to, check, or delete NemoClaw-managed sandboxes:
Rebuild or upgrade while preserving workspace state:
Snapshot, restore, or mount sandbox state:
Add or remove NemoClaw policy presets:
Manage NemoClaw messaging channels, credentials, diagnostics, and cleanup:
openshell For OpenShell OperationsUse openshell when the docs explicitly call for a live OpenShell gateway operation or when you need a lower-level view beneath the NemoClaw wrapper.
Open the OpenShell TUI for network approvals and live activity:
Manage dashboard or service port forwards:
Inspect the underlying sandbox state:
Run one-off commands or move files without starting a NemoClaw chat session:
Inspect or replace raw OpenShell policy:
openshell policy update merges specific endpoint and rule changes into the live sandbox policy.
openshell policy set replaces the live policy with the file you provide.
For normal NemoClaw network access changes, prefer nemoclaw <name> policy-add so NemoClaw preserves presets and records the change for rebuilds.
This section covers common decisions when using the NemoClaw CLI and the OpenShell CLI.
Use nemoclaw onboard.
It starts the OpenShell gateway when needed, registers providers, builds the OpenClaw sandbox image, applies NemoClaw policy choices, and creates the sandbox.
Avoid running openshell gateway start --recreate or openshell sandbox create directly for NemoClaw-managed sandboxes.
Those commands do not update NemoClaw’s registry, session metadata, workspace-preservation flow, or OpenClaw-specific configuration.
Use nemoclaw <name> connect for an interactive NemoClaw sandbox shell.
It waits for readiness, handles stale SSH host keys after gateway restarts, and prints agent-specific hints.
Use openshell sandbox connect <name> only when you intentionally want the raw OpenShell connection path.
For a one-off command, use openshell sandbox exec instead of opening an interactive shell.
Use nemoclaw <name> status and nemoclaw <name> logs first.
They combine NemoClaw registry data, OpenShell state, OpenClaw process health, inference health, policy details, and messaging-channel warnings.
Use openshell sandbox list, openshell sandbox get, openshell logs <name> -n 20, or openshell doctor check when debugging lower-level OpenShell behavior.
When using openshell logs directly, -n <lines> controls the line count; use --tail only when you want live OpenShell log streaming.
Use openshell term.
The OpenShell TUI owns live network activity and operator approval prompts.
Approved endpoints are session-scoped unless you also add them to the policy through a NemoClaw preset or raw OpenShell policy update.
Use the NemoClaw commands for model or provider inspection and switches so the OpenShell route and the running agent config stay consistent:
For Hermes sandboxes, use the alias; it updates the route and /sandbox/.hermes/config.yaml without a rebuild or restart:
For a build-time agent setting change, rerun onboarding so the sandbox configuration is recreated consistently:
Verify either path with:
Use nemoclaw <name> policy-add or policy-remove for NemoClaw presets and custom preset files.
NemoClaw merges the new policy with the live policy and reapplies presets during rebuilds.
Use openshell policy update for precise live endpoint or REST rule changes.
Use openshell policy get --full and openshell policy set only when you need to edit and replace the raw policy file.
Use nemoclaw <name> snapshot create, snapshot restore, or share mount for normal workspace preservation and editing.
Use openshell sandbox upload and openshell sandbox download for manual file copies when you need exact control over source and destination paths.