NemoClaw Quickstart with OpenClaw

View as Markdown

Create a sandboxed OpenClaw agent, then send it a first prompt.

Set Up with the Starter Prompt on Your Coding Agent

Copy this starter prompt into Cursor, Claude Code, Codex, Copilot, or another local coding agent when you want it to guide the installation. The prompt points the agent to Use NemoClaw Docs with Your Coding Agents, this quickstart, the Markdown docs, and the optional nemoclaw-user-guide skill. It asks the agent to collect your choices before it starts interactive commands and to use the checked-in local credential helper and form only after you approve the exact command that receives credentials.

Install NemoClaw with your coding agent
# NemoClaw Instructions for a Non-Technical User Help me install and run NVIDIA NemoClaw from this coding-agent UI. I may use Cursor, Claude Code, Codex, Copilot, or another local coding agent. I do not know how to use a terminal. ## Interaction Rules * Ask exactly one question at a time. * Use clickable choices when supported; otherwise show one short numbered list and wait. * Detect the operating system and whether it is WSL using read-only checks. * Ask which computer I am using only if the environment cannot be determined reliably. * Next ask which agent I want: OpenClaw, Hermes, or LangChain Deep Agents Code. * Never ask me to run commands myself, except the one workstation-side `ssh -N -L` command needed to open a remote credential form securely. * Explain each command in plain language, ask permission, then run it for me. * Pause before installs, system changes, administrator access, large downloads, credentials, sandbox creation, and long-running processes. * Summarize command output instead of asking me to copy it into chat. * Explain errors and unfamiliar terms such as Docker, container, model, API key, port, and SSH. * Never ask me to paste passwords, API keys, tokens, or private credentials into chat. * Use redacted placeholders such as `<PASTE_YOUR_API_KEY_HERE>` in examples. * During long operations, give a short update at least once per minute. * Do not start duplicate installers, downloads, or model servers. * Verify results after important commands; do not rely only on exit codes. ## Goal Install NemoClaw, collect onboarding choices before execution, include messaging in the first sandbox build when the selected agent supports it, launch the selected agent, and verify that it responds. ## Agent Selection Ask: “Which NemoClaw agent would you like?” Choices: 1. OpenClaw, the default. 2. Hermes. 3. LangChain Deep Agents Code. Use `NEMOCLAW_AGENT=hermes` or `nemohermes onboard` for Hermes. Use `NEMOCLAW_AGENT=langchain-deepagents-code` or `nemo-deepagents onboard` for Deep Agents. ## Hardware and Readiness * On Linux, ask permission to run a read-only readiness check before provider selection. * Check distribution, architecture, product and firmware identity, GPU and memory, NVIDIA driver, Container Toolkit, Docker, Node.js, disk space, existing NemoClaw, Ollama, vLLM, relevant ports, and administrator access. * Classify the computer as DGX Spark, DGX Station, NVIDIA GB300, another NVIDIA computer, ordinary macOS/Linux, or unknown. * Do not identify DGX Spark from the GPU name alone; combine product, firmware, architecture, and GPU evidence. * Classify a system as DGX Station when its firmware identifies a Station GB300 platform, or when its exact OEM model is documented by NVIDIA or the manufacturer as based on DGX Station architecture. * A confirmed NVIDIA GB300 can independently qualify for expanded local-runtime choices. * If uncertain, explain that and let NemoClaw’s official preflight make the final platform decision. ## Administrator Access * Check administrator availability without waiting for input, such as with a non-interactive sudo check. * If passwordless sudo works, continue without prompt mode. * If passwordless sudo is unavailable but the coding-agent UI provides a secure visible password prompt, explain why access is needed, ask permission, and set `NEMOCLAW_NON_INTERACTIVE_SUDO_MODE=prompt`. * Let the real `sudo` program collect the password; never use chat or the API-key form for the computer password. * If neither passwordless sudo nor a secure password prompt is available, stop before the affected install or system change. * Never pipe a password, store it in a file, generate a password helper, or put it in command arguments. * Offer a user-local alternative only when official documentation supports it for that exact operation. * Do not silently use user-local Ollama for a system Ollama upgrade when the old system service would remain active. ## Platform-Specific Instructions After the readiness check, load exactly one matching instruction asset before provider selection: * Confirmed DGX Spark: [DGX Spark Express instructions](https://raw.githubusercontent.com/NVIDIA/NemoClaw/f3682a5be7069e58303d3345e682424d5c2453b2/docs/resources/prompt-assets/dgx-spark.md). * Confirmed DGX Station: [DGX Station installation instructions](https://raw.githubusercontent.com/NVIDIA/NemoClaw/f3682a5be7069e58303d3345e682424d5c2453b2/docs/resources/prompt-assets/dgx-station.md). * Officially detected Windows WSL: [Windows WSL Express instructions](https://raw.githubusercontent.com/NVIDIA/NemoClaw/f3682a5be7069e58303d3345e682424d5c2453b2/docs/resources/prompt-assets/windows-wsl.md). Read the matching raw Markdown file completely and follow it before continuing. Do not load a platform asset for any other computer. ## Runtime and Provider Selection If no platform asset applies, or its offered install path is declined, ask: “Which inference runtime or provider would you like?” Choices: 1. Existing vLLM, only when a ready server is detected on `localhost:8000`. 2. Managed vLLM, optimized local inference with a large download. 3. Local Ollama, only when the selected agent and platform support it. 4. NVIDIA Endpoints, which requires an NVIDIA API key. 5. OpenRouter, which requires an OpenRouter API key. 6. OpenAI, which requires an OpenAI API key. 7. Anthropic, which requires an Anthropic API key. 8. Google Gemini, which requires a Gemini API key. 9. Model Router, which requires an NVIDIA API key. 10. Other OpenAI-compatible endpoint, which requires an endpoint, model, and usually a key. 11. Other Anthropic-compatible endpoint, which requires an endpoint, model, and usually a key. 12. Hermes Provider, only when Hermes is selected. On ordinary supported macOS or Linux: * Offer Local Ollama for OpenClaw or Hermes when it is installed, running, or officially installable. * Do not offer Local Ollama for Deep Agents unless current official documentation adds support. * Offer an existing ready vLLM server when detected. * Also show all applicable hosted and compatible providers. * Do not hide Ollama merely because the computer is not DGX or GB300. * Omit managed vLLM unless current official support permits it for the detected hardware. When a platform asset applies, follow its local-runtime eligibility and model instructions. On other platforms, show every provider supported by the selected agent and platform. Renumber choices after filtering and do not hide hosted providers behind another menu. Ask required model, endpoint, credential, and download questions one at a time. ## Local Models * Fetch current model choices from the selected agent’s official Markdown documentation. * The selected maintained NemoClaw release is authoritative for supported slugs and arguments. * For Ollama, ask permission to inspect installed models and offer NemoClaw’s memory-aware recommendation first. * Current Ollama starter examples include `qwen3.6:35b`, `nemotron-3-nano:30b`, and `qwen3.5:9b`. * Explain download size and storage requirements, then ask separately for permission. * Do not request an NGC or Hugging Face credential unless the selected operation actually requires it. ## Avoid Interactive Menus * Collect every choice before running the installer. * Ask one question at a time for model, endpoint, sandbox name, web search, messaging when the selected agent supports it, policy when no platform-asset install path is selected, credentials, administrator access, and downloads. * Use non-interactive environment variables whenever supported. * Never leave a command waiting at `Choose [1]:`. * If a choice cannot be supplied non-interactively, stop before starting and explain the supported alternative. ## Handle Tokens Securely and Visually Before collecting secrets, determine the exact environment-variable names and exact command argv, explain them, and ask permission. Do not generate, rewrite, or redesign the helper or form. Use this reviewed pair without modification: * Helper: `https://raw.githubusercontent.com/NVIDIA/NemoClaw/dd61a307d7ddf7be99de8ff1e2678fb8ef42f8e6/scripts/local-credential-helper.mts` (SHA-256 `1a42bbe8dbc9003cb79d4e641b53760571aacd85293671aee97c09c0746fef33`). * Form: `https://raw.githubusercontent.com/NVIDIA/NemoClaw/dd61a307d7ddf7be99de8ff1e2678fb8ef42f8e6/docs/resources/local-credential-form.html` (SHA-256 `5512a256e0ad7c63a26ab82cf4f5924e98652097172ab8a5dc9d9358dd4f6ae8`). * Treat the two immutable URL and digest pairs as one reviewed trust boundary; before executing the helper, compute the SHA-256 digest of both downloaded files and compare each result with its pinned digest. * If either digest differs, do not execute the helper; delete both temporary files and stop. * Store them in a private temporary directory and delete them afterward. * The helper requires Node.js 22.19 or newer. * If Node is unavailable, use an existing secure local application prompt or secure terminal prompt; never use chat or generated credential code. * Keep the helper bound to `http://127.0.0.1`, accept only one valid submission, and run only the already-approved command. * Use `:secret` for secrets and `:text` only for non-secret values. * Use `--execution-profile isolated` for stateless commands. * For persistent install or onboarding, use `--execution-profile account-home --cwd <approved-absolute-directory>` and ask permission for both. * Pass every `--field NAME:type`, then a literal `--`, an absolute executable path, and the exact approved argv. * Never omit the literal `--`. * Never use a relative, alias-only, or PATH-only approved executable. * Never put credentials in argv. * Command shape: `node --experimental-strip-types <helper> --execution-profile <profile> --form <form> --field NAME:secret -- <absolute-executable> <approved-args...>`. * Use **Preview Credentials**, **Edit**, then **Confirm and Run Approved Command**. * If the outcome is unknown, check whether the command ran; do not retry or resubmit blindly. * Keep secrets in memory only long enough to start the command. * Treat deletion as exposure minimization, not guaranteed erasure. * Prefer letting an account-persistent command use its own reviewed secure credential prompt when available. * For credential-bearing installation, use the reviewed helper only with an already-downloaded and verified installer. * Do not hand-assemble a `curl | bash` wrapper around credentials. * Never print, log, commit, cache, or paste secrets. Use this provider mapping for non-interactive setup: * NVIDIA Endpoints: `NEMOCLAW_PROVIDER=build`, `NVIDIA_INFERENCE_API_KEY`. * OpenRouter: `NEMOCLAW_PROVIDER=openrouter`, `OPENROUTER_API_KEY`. * OpenAI: `NEMOCLAW_PROVIDER=openai`, `OPENAI_API_KEY`. * Anthropic: `NEMOCLAW_PROVIDER=anthropic`, `ANTHROPIC_API_KEY`. * Gemini: `NEMOCLAW_PROVIDER=gemini`, `GEMINI_API_KEY`. * Hermes Provider: `NEMOCLAW_PROVIDER=hermes-provider`; Hermes only. * Model Router: `NEMOCLAW_PROVIDER=routed`, `NVIDIA_INFERENCE_API_KEY`. * OpenAI-compatible: `NEMOCLAW_PROVIDER=custom`, endpoint, model, `COMPATIBLE_API_KEY`. * Anthropic-compatible: `NEMOCLAW_PROVIDER=anthropicCompatible`, endpoint, model, `COMPATIBLE_ANTHROPIC_API_KEY`. * Ollama: `NEMOCLAW_PROVIDER=ollama`, optional `NEMOCLAW_MODEL`. * Existing vLLM: `NEMOCLAW_PROVIDER=vllm`. * Managed vLLM: `NEMOCLAW_PROVIDER=install-vllm`; use an approved optional model override only when the selected platform supports it. Do not offer Hermes Provider for OpenClaw or Deep Agents. ## Credential Form and SSH Ask whether I use SSH only after the helper starts and prints its complete one-time URL: “Are you connected to this computer through SSH?” Choices: 1. No, I am using it directly. 2. Yes, this is a remote SSH computer. 3. I am not sure. * Treat the helper’s complete URL as an opaque, sensitive, one-time capability. * Preserve its scheme, host, port, `/local-credential-form.html` path, complete `field=` query string, and `#cap=` fragment exactly. * Never replace it with a reconstructed bare `http://127.0.0.1:<port>` URL. * If local, give me the complete original URL unchanged. * If remote, read its port and ask me to run: `ssh -N -L <port>:127.0.0.1:<port> <username>@<host>`. * Fill in the actual port, username, and host when known. * Explain that it runs on my workstation, normally prints nothing, and must remain open until credential entry finishes. * After the tunnel starts, give me the helper’s original complete URL unchanged. * Require the same port on both sides; do not remap the helper to another local port. * If that local port is occupied, stop the unused helper safely, resolve the conflict or start a fresh helper session, and use only the new complete URL. * Never reuse an old URL or expose the form through `0.0.0.0`, LAN, public URL, shared tunnel, or unauthenticated proxy. * Tell me when it is safe to stop the forwarding command. ## Messaging During Initial Onboarding For OpenClaw or Hermes, ask before the first sandbox build: “Do you want to configure a messaging channel during onboarding?” Choices: No, Telegram, Discord, Slack, WhatsApp, WeChat (experimental). Skip messaging for Deep Agents. Configure one channel at a time, then ask whether to add another. Collect messaging before policy selection so the first image includes channel configuration and matching network presets. * Telegram requires `TELEGRAM_BOT_TOKEN`; optional settings include allowed IDs, mention mode, and OpenClaw group policy. * Discord requires `DISCORD_BOT_TOKEN`; optional settings include server ID, user ID, and mention mode. * Slack requires `SLACK_BOT_TOKEN` and `SLACK_APP_TOKEN`; optional settings include allowed users and channels. * WhatsApp uses documented allowed IDs for non-interactive selection, followed by QR pairing after startup. * WeChat requires an interactive QR handshake; explain the limitation before installation and never leave an unsupported UI waiting. Collect messaging secrets through the reviewed helper and exact-URL SSH flow. Do not manually set `NEMOCLAW_MESSAGING_CHANNELS_B64`; let NemoClaw generate it. Use `channels add` and rebuild only for channels omitted from initial onboarding or changed later. ## Policy, Approval, and Verification * If a loaded platform asset selects its approved install path, follow its policy requirement and skip the policy-tier question. * For installation outside an accepted platform-asset path, ask for Balanced, Restricted, or Open policy. * Explain that messaging and web-search selections add required endpoints. * Before installation outside an accepted platform-asset path, summarize platform, administrator access, agent, provider, exact model, validation warning, downloads, storage, sandbox, web search, messaging, policy, credential names without their values, and system changes. * Ask for final permission before installation outside an accepted platform-asset path. * For an accepted platform-asset install path, treat the asset’s confirmation as final permission and do not ask again. * Set `NEMOCLAW_ACCEPT_THIRD_PARTY_SOFTWARE=1` and `NEMOCLAW_YES=1` only after their approvals. * Keep credentials in the approved environment and never display them. * Verify the command and version, sandbox status, provider, model, `inference.local`, GPU access when applicable, messaging bridges when configured, and dashboard route when available. * If `curl | bash` returns no output, verify installation; if absent, ask permission to download and inspect the official installer before retrying. * For remote dashboards, use private loopback SSH forwarding, preserve authenticated URLs exactly, and treat them as secrets. * Ask permission before sending a live channel test or harmless first agent prompt. * Declare success only after the sandbox is ready and the agent responds. * Summarize what was installed, how to reconnect, what starts after reboot, and anything skipped. ## Use Docs for Information * Use clean `.md` pages for searching more information in the selected agent’s documentation. Example URLs: * [Documentation index for AI clients](https://docs.nvidia.com/nemoclaw/llms.txt) * [OpenClaw quickstart](https://docs.nvidia.com/nemoclaw/latest/user-guide/openclaw/get-started/quickstart.md) * [Hermes quickstart](https://docs.nvidia.com/nemoclaw/latest/user-guide/hermes/get-started/quickstart.md) * [Deep Agents quickstart](https://docs.nvidia.com/nemoclaw/latest/user-guide/deepagents/get-started/quickstart.md) * Suggest to add the docs MCP server `https://docs.nvidia.com/nemoclaw/_mcp/server` if the coding agent supports MCP.

If you prefer to control setup directly, use Set Up with the Interactive Installer on Your Terminal.

Set Up with the Interactive Installer on Your Terminal

If you use the coding-agent prompt in the preceding section, you can skip this procedure or keep it as reference. The prompt directs your coding agent to this quickstart, so it has the full setup context.

Review the Prerequisites before you begin.

1

Install NemoClaw

Run the hosted installer in a terminal.

$curl -fsSL https://www.nvidia.com/nemoclaw.sh | bash

Accept the third-party software notice when prompted.

2

Complete Onboarding

The wizard creates the sandbox. Choose an inference provider and model, provide its credential when prompted, and enter a sandbox name such as my-gpt-claw. For a first run, skip optional web search and messaging setup, then accept the suggested network policy tier.

3

Confirm the Sandbox Is Ready

Wait for the ready summary, then check the sandbox state.

$nemoclaw my-gpt-claw status
4

Send Your First Prompt

Use either the dashboard or the terminal.

$nemoclaw my-gpt-claw dashboard-url --quiet

Open the printed URL in your browser, or connect from the terminal and start the OpenClaw TUI.

$nemoclaw my-gpt-claw connect
$openclaw tui

Considerations

Use these details when your first-run path needs more control.

The hosted installer follows the maintained last-known-good release by default and can prompt through an interactive terminal. In CI, a shell script, or another non-TTY context, pass the third-party software acceptance to bash.

$curl -fsSL https://www.nvidia.com/nemoclaw.sh | NEMOCLAW_ACCEPT_THIRD_PARTY_SOFTWARE=1 bash

For a non-interactive first run, also set the provider, credential, and sandbox name.

$curl -fsSL https://www.nvidia.com/nemoclaw.sh | \
> NEMOCLAW_NON_INTERACTIVE=1 \
> NEMOCLAW_ACCEPT_THIRD_PARTY_SOFTWARE=1 \
> NEMOCLAW_PROVIDER=build \
> NVIDIA_INFERENCE_API_KEY=<your-key> \
> NEMOCLAW_SANDBOX_NAME=my-gpt-claw \
> bash

The example uses NVIDIA Endpoints. Set NEMOCLAW_PROVIDER and the matching credential variable for another provider, then use a sandbox name that does not depend on a previous onboarding session. Do not place NEMOCLAW_ACCEPT_THIRD_PARTY_SOFTWARE=1 before curl, because the installer process cannot read it there. Refer to the Commands reference for the full non-interactive configuration.

The wizard supports NVIDIA Endpoints, OpenRouter, OpenAI, OpenAI-compatible endpoints, Anthropic, Anthropic-compatible endpoints, Google Gemini, local Ollama, and configured model-router profiles. Export the relevant API key before starting the installer when you do not want the wizard to prompt for it. Refer to Choose an Inference Provider for provider requirements, model choices, and local-server setup.

Web search and messaging are optional build-time choices. Add them when you need them, then rerun onboarding and accept sandbox recreation when you change those choices later. Refer to Choose Messaging Channels and Network Policies before enabling them.

On Linux, the installer checks Docker and can install it when it is missing. If the installer adds you to the docker group, run the printed newgrp docker command before you rerun it. On macOS, start Docker Desktop or Colima first.

DGX Spark, qualifying Station GB300 hosts, and Windows WSL offer an interactive express-install path that chooses a managed local inference option for the platform. Station accepts the generic Ubuntu 24.04 ARM64 image and stock DGX OS 7.2.0, 7.4.0, or 7.5.0 when a safe, root-owned /etc/dgx-release marker identifies DGX Server for GALAXY-GB300. On a qualifying Station, accepting the prompt selects the pinned nemotron-3-ultra-550b-a55b managed-vLLM recipe and completes onboarding without more provider, model, policy, or sandbox-name choices. Prepare DGX Station to Install NemoClaw defines Station qualification, generic Ubuntu preparation, stock DGX OS validation, repair limits, and reboot handoff. By default, unknown versions, unsafe release markers, NVIDIA BaseOS images, and other Station generations stop before host preparation; set NEMOCLAW_PROVIDER or NEMOCLAW_NO_EXPRESS=1 to bypass Station host automation. For an explicit temporary override on genuine Station GB300 hardware with unrecognized release metadata, follow the --force-station-install safeguards in the Station preparation guide. One physical DGX OS 7.5.0 GB300 validation completed, but Station remains Deferred pending repeat clean-host qualification and CI coverage. Pass --station-deepseek to use DeepSeek V4 Flash for a Station demo instead; the flag selects the interactive prompt and requires terminal access. Refer to Platform Support and Choose an Inference Provider for the current platform behavior.

If nemoclaw is not found after installation and you use nvm or fnm, open a new terminal or reload your shell profile.

The installer starts nemoclaw onboard automatically when preflight checks pass and it can find the new binary. If it prints To finish setup, run:, run the supplied nemoclaw onboard command before you try to connect.

To retry an interrupted onboarding session, run:

$nemoclaw onboard --resume

To discard its saved state and start again, run:

$nemoclaw onboard --fresh

The installer handles existing registered sandboxes as an upgrade and recovery workflow instead of creating an additional sandbox. Refer to Previous onboarding session failed before changing a failed or existing installation.

Outside WSL, the dashboard forward binds to 127.0.0.1 on the host running NemoClaw. On WSL, it binds on all interfaces so the Windows host can reach it, while the ready summary still prints a loopback dashboard URL. When you connect over SSH, forward the dashboard port from your workstation, substituting the port from the ready summary.

$ssh -L 18789:127.0.0.1:18789 <user>@<host>

The complete dashboard URL contains a gateway token fragment that authenticates the browser session. Treat an authenticated dashboard URL as a password. Refer to Remote Dashboard Access for Brev tunnels and other remote-access options.

The installer script installs Node.js when it is not already present, then starts the guided onboarding wizard to create the sandbox, configure inference, and apply security policies. NemoClaw creates a fresh OpenClaw instance inside that sandbox.

The third-party software notice runs before the installer installs Node.js or the NemoClaw CLI. A piped installer can prompt through a terminal when a TTY is available. You can also pass the acceptance flag through bash -s.

$curl -fsSL https://www.nvidia.com/nemoclaw.sh | bash -s -- --yes-i-accept-third-party-software

If you use nvm or fnm and nemoclaw is not found after installation, run source ~/.bashrc or source ~/.zshrc, or open a new terminal.

On Linux, the installer checks Docker before it installs NemoClaw. When Docker is missing, it downloads the official Docker convenience script, prompts for sudo, installs Docker, and starts the Docker service when systemd is available. If the current shell cannot use the Docker socket, the installer adds your user to the docker group and exits with a recovery command.

On macOS, NemoClaw uses the Docker-driver OpenShell gateway path with Docker Desktop or Colima.

$newgrp docker
$curl -fsSL https://www.nvidia.com/nemoclaw.sh | bash

On DGX Spark, qualifying Station GB300 hosts, and Windows WSL, interactive installation offers express install after you accept the third-party software notice. After you confirm the interactive express prompt, the installer switches the remaining onboarding to non-interactive mode, allows sudo password prompts for required host changes, and selects the managed local inference path for that platform. DGX Spark uses managed vLLM with qwen3.6-35b-a3b-nvfp4 by default. DGX Station express install explicitly selects nemotron-3-ultra-550b-a55b instead of the Station managed-vLLM profile default, deepseek-v4-flash, and discloses the approximately 352 GB model download before confirmation. If the host does not meet the Station prerequisites, the installer stops before host preparation. Generic Ubuntu preparation can change pinned packages and then exits with status 10; reboot, sign in, and run the printed exact-commit command to resume the accepted express recipe. Stock DGX OS validation checks the factory stack in place without installing packages, restarting services, or rewriting the Docker runtime. One physical DGX OS 7.5.0 GB300 validation completed, but Station remains Deferred pending repeat clean-host qualification and CI coverage. To select DeepSeek V4 Flash while retaining the one-confirmation Station express flow, run curl -fsSL https://www.nvidia.com/nemoclaw.sh | bash -s -- --station-deepseek. The --station-deepseek flag requires an interactive terminal; in a curl | bash pipeline, /dev/tty must be available. The temporary --force-station-install flag has the same terminal requirement and bypasses only DGX release-metadata qualification on genuine Station GB300 hardware. Without terminal access, the installer stops before it installs Docker or build dependencies instead of ignoring the flag. For a headless or CI install on a qualifying DGX Station GB300 after host preparation, omit the flag and select the same managed-vLLM recipe explicitly.

$curl -fsSL https://www.nvidia.com/nemoclaw.sh | \
> NEMOCLAW_NON_INTERACTIVE=1 \
> NEMOCLAW_ACCEPT_THIRD_PARTY_SOFTWARE=1 \
> NEMOCLAW_PROVIDER=install-vllm \
> NEMOCLAW_VLLM_MODEL=deepseek-v4-flash \
> NEMOCLAW_SANDBOX_NAME=my-assistant \
> bash

Unless NEMOCLAW_POLICY_TIER is set, express install applies policy in suggested mode with the balanced tier, including the base sandbox policy and supported package, model, web-search, and local-inference presets. Express install uses my-assistant as the sandbox name across all platforms unless NEMOCLAW_SANDBOX_NAME is set. Windows WSL selects the Windows-host Ollama setup path. Set NEMOCLAW_NO_EXPRESS=1 to skip the express prompt, or set NEMOCLAW_PROVIDER before launching the installer to choose a provider yourself.

Express install automates the configuration but does not change DGX Station’s Deferred support status. One physical DGX OS 7.5 GB300 validation completed; repeat qualification from a clean host and CI coverage remain pending.

The installer auto-launches nemoclaw onboard when it can find the new binary. If it cannot find the binary or blocking host preflight checks fail, it prints diagnostics and a To finish setup, run: block with the explicit nemoclaw onboard command.

Onboarding builds the sandbox image with a managed NEMOCLAW_DISABLE_DEVICE_AUTH=1 compatibility setting so the dashboard is usable during setup. NemoClaw records that this value came from onboarding rather than reporting it as an operator-selected opt-out. This build-time setting is baked into the image and setting it after onboarding does not affect an existing sandbox.

The wizard runs preflight checks, starts or reuses the OpenShell gateway, asks for an inference provider and model, collects required credentials, and asks for a sandbox name. It prints a review summary before it registers the provider with OpenShell. After confirmation, NemoClaw registers inference, prompts for optional web search and messaging channels, builds and starts the sandbox, sets up OpenClaw, and applies the selected network policy tier and presets. At any prompt, press Enter to accept the default shown in [brackets], type back to return to the previous prompt, or type exit to quit.

If registered sandboxes already exist, the installer prepares the current NemoClaw CLI without replacing OpenShell, requires a fresh backup of every registered sandbox before it changes the gateway, and runs nemoclaw upgrade-sandboxes --auto after the host upgrade. After backup, it retires the running gateway before replacing OpenShell only when the installed OpenShell version is outside the current release’s supported range; an unknown installed version or an invalid or missing range stops the update without retiring the gateway, while any retirement failure stops the update with the sandbox backups preserved. Successful recovery rebuilds stale sandboxes, restores validated backups for registered sandboxes that are not Ready, and skips generic onboarding rather than creating an additional sandbox or requesting a new provider credential. If the recovery pass exits 0 but a recorded sandbox is not found on its own recorded gateway, such as after nemoclaw uninstall removed the gateway and Docker image while preserving sandboxes.json, the installer finishes with Installation completed with warnings and remediation guidance instead of claiming the sandbox was recovered. For pre-fingerprint OpenClaw and Hermes registry entries, confirm that every listed sandbox used a NemoClaw-managed image before recovery onto the current managed image. In non-interactive runs, set NEMOCLAW_CONFIRM_LEGACY_MANAGED_RECREATE to the exact JSON array of printed names only after you verify every named sandbox used a managed image. Legacy managed-image confirmation never overrides recorded custom-image evidence. A custom OpenClaw sandbox can be recovered only when the selected validated backup independently carries complete authoritative image-plugin provenance. If a backup is skipped or fails, or automatic rebuild fails or is blocked, the installer exits nonzero before generic onboarding begins.

The inference prompt presents these choices.

1) NVIDIA Endpoints
2) OpenRouter
3) OpenAI
4) Other OpenAI-compatible endpoint
5) Anthropic
6) Other Anthropic-compatible endpoint
7) Google Gemini
8) Local Ollama (localhost:11434)
9) Model Router (experimental)
Choose [1]:

Local Ollama appears when NemoClaw detects a usable local Ollama path or can offer an install or start action for your platform. A configured blueprint router profile makes the Model Router option appear.

Export the API key before you launch the installer when you do not want the wizard to ask for it. For example, run export NVIDIA_INFERENCE_API_KEY=<your-key> before the installer. Refer to Remove and Re-register a Provider Credential if you need to clear and re-enter a key.

OptionUse whenCredential variable
NVIDIA EndpointsYou want hosted models from build.nvidia.com, including hosted Nemotron models.NVIDIA_INFERENCE_API_KEY
OpenRouterYou want OpenRouter as a managed hosted OpenAI-compatible provider.OPENROUTER_API_KEY
OpenAIYou want the OpenAI API at https://api.openai.com/v1.OPENAI_API_KEY
Other OpenAI-compatible endpointYou have LocalAI, llama.cpp, vLLM, NIM, SGLang, an enterprise gateway, or another /v1/chat/completions endpoint.COMPATIBLE_API_KEY
AnthropicYou want the Anthropic Messages API.ANTHROPIC_API_KEY
Other Anthropic-compatible endpointYou have a Claude proxy, Bedrock-compatible gateway, or a self-hosted /v1/messages endpoint.COMPATIBLE_ANTHROPIC_API_KEY
Google GeminiYou want Google’s OpenAI-compatible Gemini endpoint.GEMINI_API_KEY
Local OllamaYou want a host-local Ollama model.None
Model RouterYou want NemoClaw to start the host-side model router.NVIDIA_INFERENCE_API_KEY

If a compatible endpoint does not require authentication, set its credential variable to any non-empty placeholder.

After you enter a sandbox name, the wizard asks for final confirmation before it registers the provider, prompts for integrations, and builds the sandbox image.

──────────────────────────────────────────────────
Review configuration
──────────────────────────────────────────────────
Provider: compatible-endpoint
Model: openai/openai/gpt-5.5
API key: configured for OpenShell gateway registration
Web search: disabled
Managed tools: none
Messaging: none
Sandbox name: my-gpt-claw
Note: Sandbox build typically takes 5–15 minutes on this host.
──────────────────────────────────────────────────
Web search and messaging channels will be prompted next.
Apply this configuration? [Y/n]:

The default is Y. Press Enter to continue, or answer n to abort cleanly, correct the entries, and rerun nemoclaw onboard. Non-interactive runs print the summary for log clarity but skip the prompt.

After confirmation, NemoClaw registers the selected provider with the OpenShell gateway and sets the inference.local route. The wizard asks whether to enable web search and offers Brave Search or Tavily Search. Provide BRAVE_API_KEY for Brave Search or TAVILY_API_KEY for Tavily Search when prompted. NemoClaw validates the selected key before it builds the sandbox, registers a sandbox-scoped OpenShell provider, and writes only an OpenShell resolver placeholder into the OpenClaw configuration. OpenShell replaces the placeholder with the real key at egress.

For non-interactive onboarding, select the provider explicitly and export its key.

$export NEMOCLAW_WEB_SEARCH_PROVIDER=tavily
$export TAVILY_API_KEY=<your-tavily-key>
$nemoclaw onboard --non-interactive

Set NEMOCLAW_WEB_SEARCH_PROVIDER=none to disable web search explicitly. When the selector is unset, OpenClaw chooses Brave Search when BRAVE_API_KEY is available, then Tavily Search when only TAVILY_API_KEY is available. Brave Search wins when both keys are available. Changing or disabling web search requires re-running onboarding with the new selection and accepting sandbox recreation, or passing --recreate-sandbox. NemoClaw backs up supported workspace state before recreation and restores it into the replacement sandbox.

The wizard also offers Telegram, Discord, Slack, WeChat, and WhatsApp. Press a channel number to toggle it, then press Enter to continue. Leave every channel unselected to skip messaging setup. When you select a channel, NemoClaw validates the token format before it bakes the channel configuration into the sandbox. For example, Slack bot tokens must start with xoxb-. WeChat and WhatsApp are experimental. Refer to Choose Messaging Channels before enabling them.

After the sandbox image builds and OpenClaw starts, NemoClaw asks which network policy tier to apply. Web search and messaging selections happen first so the sandbox image and policy suggestions stay aligned. The default Balanced tier includes common development presets, such as npm, PyPI, Hugging Face, and Homebrew, plus the matching brave or tavily preset. Add the weather preset explicitly for read-only weather lookups. OpenClaw sandboxes also receive the openclaw-pricing preset automatically so session-cost records can populate without manual configuration. Use the arrow keys or j and k to move, Space to select, and Enter to confirm. The selector can include destinations such as GitHub, Jira, Slack, Telegram, or local inference. Press r to switch a selected preset between read-only and read-write when it supports both modes.

Use the final onboarding summary to verify that the sandbox gateway, dashboard port forward, and inference.local route are reachable. When web search is enabled, it also checks the selected provider configuration and sends a real search request through sandbox egress. Treat an unreachable route or HTTP 5xx response as a failed readiness check: onboarding marks the sandbox not ready and exits non-zero. Restore the configured endpoint or proxy, run nemoclaw onboard --resume to complete the retained onboarding session, then rerun nemoclaw <sandbox-name> status to verify the route. Web search and messaging-bridge checks remain warnings when they need more time or configuration.

──────────────────────────────────────────────────
NemoClaw is ready
Sandbox: my-gpt-claw
Model: openai/openai/gpt-5.5 (Other OpenAI-compatible endpoint)
Start chatting
Browser:
http://127.0.0.1:18789/
Terminal:
nemoclaw my-gpt-claw connect
then run: openclaw tui
Authenticated dashboard URL, if needed:
nemoclaw my-gpt-claw dashboard-url --quiet
Manage later
Status: nemoclaw my-gpt-claw status
Logs: nemoclaw my-gpt-claw logs --follow
Model: nemoclaw inference set --model <model> --provider <provider> --sandbox my-gpt-claw
Policies: nemoclaw my-gpt-claw policy-add
Credentials: nemoclaw credentials reset <KEY> && nemoclaw onboard
──────────────────────────────────────────────────

A different provider displays its selected model and label, such as gpt-5.4 (OpenAI), claude-sonnet-4-6 (Anthropic), gemini-2.5-flash (Google Gemini), llama3.1:8b (Local Ollama), nvidia-routed (Model Router), or <your-model> (Other OpenAI-compatible endpoint).

The sandbox exists only after nemoclaw onboard completes. If you do not see the NemoClaw is ready summary, run onboarding explicitly before you connect or chat.

$nemoclaw onboard

Do not run nemoclaw <sandbox-name> connect or openclaw tui until onboarding has created the sandbox.

The wizard starts a background dashboard port forward and prints its URL in the ready summary. The default host port is 18789. When that port is occupied, NemoClaw uses the next free dashboard port, such as 18790, and prints it in the final URL. If the selected port becomes occupied after the sandbox build begins, onboarding rolls back the new sandbox and asks you to retry rather than print an unreachable URL. The installation transcript does not print the gateway token. Use nemoclaw my-gpt-claw dashboard-url --quiet to print the complete authenticated URL explicitly.

When NemoClaw detects an SSH session, the ready summary and dashboard-url output include a copyable SSH forwarding example.

Remote access (SSH session detected):
On your workstation, run:
ssh -L 18790:127.0.0.1:18790 <user>@<host>
Then open the dashboard URL above in your local browser.

Run the SSH command in a second terminal on your workstation and substitute the port printed by NemoClaw. For Brev tunnels or binding the dashboard to all interfaces instead of forwarding, refer to Remote Dashboard Access.

Troubleshooting

If onboarding does not finish with a ready summary, do not run connect yet. Run nemoclaw onboard, then use Troubleshooting for preflight, Docker, credential, provider, and network-policy errors.

Next Steps