NemoClawFollow these steps to get started with NemoClaw and your first sandboxed OpenClaw agent.
Make sure you have completed reviewing the Prerequisites before following this guide.
NemoClaw ships user skills for AI coding assistants. Load them when you want your assistant to walk through installation, inference choices, policy approvals, monitoring, or troubleshooting with NemoClaw-specific guidance. Refer to Agent Skills.
Download and run the installer script. The script installs Node.js if it is not already present, then runs the guided onboard wizard to create a sandbox, configure inference, and apply security policies.
NemoClaw creates a fresh OpenClaw instance inside the sandbox during the onboarding process.
The third-party software notice runs before Node.js or the NemoClaw CLI is installed.
The piped installer can prompt through your terminal when a TTY is available.
In non-TTY contexts, such as CI, an SSH command with piped stdin, or a shell script, pass explicit acceptance to the bash side of the pipe:
or pass the installer flag through bash -s:
To run both installation and onboarding without prompts, also set non-interactive mode and the provider variables your chosen inference path requires:
Do not place NEMOCLAW_ACCEPT_THIRD_PARTY_SOFTWARE=1 before curl.
In NEMOCLAW_ACCEPT_THIRD_PARTY_SOFTWARE=1 curl ... | bash, the variable applies only to curl, so the installer process cannot see the acceptance.
If you use nvm or fnm to manage Node.js, the installer might not update your current shell’s PATH.
If nemoclaw is not found after install, run source ~/.bashrc (or source ~/.zshrc for zsh) or open a new terminal.
On Linux, the installer checks Docker before it installs NemoClaw.
If Docker is missing, the installer downloads the official Docker convenience script, asks for sudo, installs Docker, and starts the Docker service when systemd is available.
If Docker is installed but your current shell cannot use the Docker socket yet, the installer adds your user to the docker group when needed and exits with a recovery command.
On macOS, the installer uses the Docker-driver OpenShell gateway path with Docker Desktop or Colima.
On DGX Spark, DGX Station, and Windows WSL, an interactive installer offers express install after you accept the third-party software notice.
Express install switches onboarding to non-interactive mode, allows sudo password prompts for required host changes, and selects the managed local inference path for that platform.
Unless NEMOCLAW_POLICY_TIER is set, it applies sandbox policy in suggested mode with the balanced tier by default, using the base sandbox policy plus supported package, model, web-search, and local-inference presets.
On DGX Spark, express install uses my-spark-assistant as the sandbox name unless NEMOCLAW_SANDBOX_NAME is already set.
On WSL, express install selects the Windows-host Ollama setup path.
Set NEMOCLAW_NO_EXPRESS=1 to skip the express prompt, or set NEMOCLAW_PROVIDER before launching the installer when you want to choose a provider yourself.
The installer auto-launches nemoclaw onboard when it can locate the freshly-installed binary.
If it cannot locate the binary, or if blocking host preflight checks fail, it does not launch the wizard automatically.
In that case, the installer prints the relevant diagnostics and a To finish setup, run: block with the explicit nemoclaw onboard command.
The onboard flow builds the sandbox image with NEMOCLAW_DISABLE_DEVICE_AUTH=1 so the dashboard is immediately usable during setup.
This is a build-time setting baked into the sandbox image, not a runtime knob.
If you export NEMOCLAW_DISABLE_DEVICE_AUTH after onboarding finishes, it has no effect on an existing sandbox.
After the installer launches nemoclaw onboard, the wizard runs preflight checks, starts or reuses the OpenShell gateway, asks for an inference provider and model, collects any required credential, then asks for the sandbox name.
It prints a review summary before it registers the provider with OpenShell.
After you confirm, NemoClaw registers inference, prompts for optional web search and messaging channels, builds and starts the sandbox, sets up OpenClaw, then applies the selected network policy tier and presets.
At any prompt, press Enter to accept the default shown in [brackets], type back to return to the previous prompt, or type exit to quit.
If existing sandbox sessions are running, the installer warns before onboarding because the setup can rebuild or upgrade sandboxes after the new sandbox launches.
The inference provider prompt presents a numbered list.
Pick the option that matches where you want inference traffic to go, then expand the matching helper below for the follow-up prompts and the API key environment variable to set. For the full list of providers and validation behavior, refer to Inference Options. Local Ollama appears when NemoClaw detects a usable local Ollama path or can offer an install or start action for your platform. The Model Router option appears when the blueprint router profile is enabled.
Export the API key before launching the installer so the wizard does not have to ask for it.
For example, run export NVIDIA_API_KEY=<your-key> before curl ... | bash.
If you entered a key incorrectly, refer to Reset a Stored Credential to clear and re-enter it.
Routes inference to models hosted on build.nvidia.com.
Use NVIDIA_API_KEY for the API key. Get one from the NVIDIA build API keys page.
Respond to the wizard as follows.
Choose [1]: prompt, press Enter (or type 1) to select NVIDIA Endpoints.NVIDIA_API_KEY: prompt, paste your key if it is not already exported.Choose model [1]: prompt, pick a curated model from the list (for example, Nemotron 3 Super 120B, GLM-5, MiniMax M2.7, GPT-OSS 120B, or DeepSeek V4 Pro), or pick Other... to enter any model ID from the NVIDIA Endpoints catalog.NemoClaw validates the model against the catalog API before creating the sandbox.
Use this option for Nemotron and other models hosted on build.nvidia.com. If you run NVIDIA Nemotron from a self-hosted NIM, an enterprise gateway, or any other endpoint, choose Option 3 instead, since all Nemotron models expose OpenAI-compatible APIs.
Routes inference to the OpenAI API at https://api.openai.com/v1.
Use OPENAI_API_KEY for the API key. Get one from the OpenAI API keys page.
Respond to the wizard as follows.
Choose [1]: prompt, type 2 to select OpenAI.OPENAI_API_KEY: prompt, paste your key if it is not already exported.Choose model [1]: prompt, pick a curated model (for example, gpt-5.4, gpt-5.4-mini, gpt-5.4-nano, or gpt-5.4-pro-2026-03-05), or pick Other… to enter any OpenAI model ID.Routes inference to any server that implements /v1/chat/completions, including OpenRouter, LocalAI, llama.cpp, vLLM behind a proxy, and any compatible gateway.
Use COMPATIBLE_API_KEY for the API key. Set it to whatever credential your endpoint expects. If your endpoint does not require auth, use any non-empty placeholder.
Respond to the wizard as follows.
Choose [1]: prompt, type 3 to select Other OpenAI-compatible endpoint.OpenAI-compatible base URL prompt, enter the provider’s base URL. Find the exact value in your provider’s API documentation. NemoClaw appends /v1 automatically, so leave that suffix off.COMPATIBLE_API_KEY: prompt, paste your key if it is not already exported.Other OpenAI-compatible endpoint model []: prompt, enter the model ID exactly as it appears in your provider’s model catalog.For example, when you use NVIDIA’s OpenAI-compatible inference endpoint, enter https://inference-api.nvidia.com as the base URL and the model ID your endpoint exposes, such as openai/openai/gpt-5.5.
NemoClaw sends a real inference request to validate the endpoint and model.
If the endpoint does not return the streaming events OpenClaw needs from the Responses API, NemoClaw falls back to the chat completions API and configures OpenClaw to use openai-completions.
NVIDIA Nemotron models expose OpenAI-compatible APIs, so this option is the right choice for any Nemotron deployment that does not live on build.nvidia.com. Common examples include a self-hosted NIM container, an enterprise NVIDIA AI Enterprise gateway, or a vLLM/SGLang server running Nemotron weights. Point the base URL at your endpoint and enter the Nemotron model ID exactly as your server reports it.
Routes inference to the Anthropic Messages API at https://api.anthropic.com.
Use ANTHROPIC_API_KEY for the API key. Get one from the Anthropic console keys page.
Respond to the wizard as follows.
Choose [1]: prompt, type 4 to select Anthropic.ANTHROPIC_API_KEY: prompt, paste your key if it is not already exported.Choose model [1]: prompt, pick a curated model (for example, claude-sonnet-4-6, claude-haiku-4-5, or claude-opus-4-6), or pick Other… to enter any Claude model ID.Routes inference to any server that implements the Anthropic Messages API at /v1/messages, including Claude proxies, Bedrock-compatible gateways, and self-hosted Anthropic-compatible servers.
Use COMPATIBLE_ANTHROPIC_API_KEY for the API key. Set it to whatever credential your endpoint expects.
Respond to the wizard as follows.
Choose [1]: prompt, type 5 to select Other Anthropic-compatible endpoint.Anthropic-compatible base URL prompt, enter the proxy or gateway’s base URL from its documentation.COMPATIBLE_ANTHROPIC_API_KEY: prompt, paste your key if it is not already exported.Other Anthropic-compatible endpoint model []: prompt, enter the model ID exactly as it appears in your gateway’s model catalog.Routes inference to Google’s OpenAI-compatible Gemini endpoint at https://generativelanguage.googleapis.com/v1beta/openai/.
Use GEMINI_API_KEY for the API key. Get one from Google AI Studio API keys.
Respond to the wizard as follows.
Choose [1]: prompt, type 6 to select Google Gemini.GEMINI_API_KEY: prompt, paste your key if it is not already exported.Choose model [5]: prompt, pick a curated model (for example, gemini-3.1-pro-preview, gemini-3.1-flash-lite-preview, gemini-3-flash-preview, gemini-2.5-pro, gemini-2.5-flash, or gemini-2.5-flash-lite), or pick Other… to enter any Gemini model ID.Routes inference to a local Ollama instance. Depending on your platform, the wizard can use an existing daemon, start an installed daemon, or offer an install action.
No API key is required. On non-WSL hosts, NemoClaw generates a token and starts an authenticated proxy so containers can reach Ollama without exposing the daemon directly to your network.
On WSL, NemoClaw can also use Ollama on the Windows host through host.docker.internal.
Respond to the wizard as follows.
Choose [1]: prompt, type 7 to select Local Ollama.Choose model [1]: prompt, pick from Ollama models if any are already installed. If none are installed, pick a starter model to pull and load now, or pick Other… to enter any Ollama model ID.For setup details, including GPU recommendations and starter model choices, refer to Use a Local Inference Server.
Starts a host-side model router and routes sandbox inference through OpenShell to that router.
The router chooses from the model pool in nemoclaw-blueprint/router/pool-config.yaml for each request.
Use NVIDIA_API_KEY for the model pool credentials.
Respond to the wizard as follows.
Choose [1]: prompt, type 8 to select Model Router (experimental).NVIDIA_API_KEY: prompt, paste your key if it is not already exported.For scripted setup, set:
The router listens on the host at port 4000.
The sandbox still calls https://inference.local/v1, so do not point in-sandbox tools at the host router port directly.
NEMOCLAW_EXPERIMENTAL=1 is set and the host has a NIM-capable GPU. NemoClaw pulls and manages a NIM container.localhost:8000. No flag is required for the menu entry. NemoClaw auto-detects the loaded model.NEMOCLAW_EXPERIMENTAL=1 or NEMOCLAW_PROVIDER=install-vllm. NemoClaw pulls and starts a vLLM container on supported hosts.For setup, refer to Use a Local Inference Server.
After you enter the sandbox name, the wizard prints a review summary and asks for final confirmation before registering the provider, prompting for optional integrations, and building the sandbox image. For example, if you picked an OpenAI-compatible endpoint, the summary looks like the following:
The default is Y, so you can press Enter once to continue. Answer n to abort cleanly, fix the entries, and re-run nemoclaw onboard.
Non-interactive runs (NEMOCLAW_NON_INTERACTIVE=1) print the summary for log clarity but skip the prompt.
After you confirm the summary, NemoClaw registers the selected provider with the OpenShell gateway and sets the inference.local route.
The wizard then asks whether to enable Brave Web Search.
If you enable it, enter a Brave Search API key when prompted.
The wizard also offers messaging channels such as Telegram, Discord, Slack, WeChat, and WhatsApp.
Press a channel number to toggle it, then press Enter to continue.
If you leave all channels unselected, pressing Enter skips messaging setup.
If you select a channel, NemoClaw validates the token format before it bakes the channel configuration into the sandbox.
For example, Slack bot tokens must start with xoxb-.
WeChat and WhatsApp are experimental.
Review Messaging Channels before enabling them.
After the sandbox image builds and OpenClaw starts inside the sandbox, NemoClaw asks which network policy tier to apply.
Web search and messaging selections happen before this point so the sandbox image and the policy suggestions stay aligned.
The default Balanced tier includes common development presets such as npm, PyPI, Hugging Face, Homebrew, and Brave Search when the selected agent supports web search.
Use the arrow keys or j and k to move, Space to select, and Enter to confirm.
The preset selector lets you include more destinations, such as GitHub, Jira, Slack, Telegram, or local inference.
Press r to toggle a selected preset between read-only and read-write when the preset supports both modes.
When the install completes, a summary confirms the running environment.
Before printing the summary, NemoClaw verifies that the sandbox gateway and dashboard port forward are reachable.
Inference route and messaging bridge checks are reported as warnings when they need more time or additional configuration.
The Model and provider line reflects the inference option you picked during onboarding.
The example below shows the result if you picked an OpenAI-compatible endpoint during onboarding.
If you picked a different option, the Model line shows that provider’s model and label instead. For example, you might see gpt-5.4 (OpenAI), claude-sonnet-4-6 (Anthropic), gemini-2.5-flash (Google Gemini), llama3.1:8b (Local Ollama), nvidia-routed (Model Router), or <your-model> (Other OpenAI-compatible endpoint).
You can chat with the agent from the terminal or the browser.
The onboard wizard starts a background port forward to the sandbox dashboard, then prints the dashboard URL in the install summary.
The default host port is 18789.
If that port is already taken, NemoClaw uses the next free dashboard port, such as 18790, and prints that port in the final URL.
If the chosen port becomes occupied after the sandbox build starts, onboarding rolls back the newly-created sandbox and asks you to retry instead of printing an unreachable dashboard URL.
The install transcript does not print the gateway token.
If the browser requires authentication, use the dashboard-url --quiet command to print a complete URL explicitly.
Open the dashboard URL in your browser.
If the browser asks for authentication, run nemoclaw my-gpt-claw dashboard-url --quiet and open the returned URL.
Treat the authenticated URL like a password.
Connect to the sandbox and use the OpenClaw CLI.
Navigate to the following topics to learn more about NemoClaw.
Use the following topics to learn how to use NemoClaw.