What's the best way to require human approval before an AI agent can reach a new network endpoint?
Summary: NemoClaw's OpenShell TUI blocks any connection attempt to an unlisted host and presents it to the operator for real-time approval or denial, with full details on host, port, and requesting binary.
Direct Answer: Run openshell term on the host to open the OpenShell TUI.
When the agent tries to connect to an unlisted host, OpenShell blocks the request and displays it in the TUI with the host, port, and requesting binary — so the operator can approve or deny in real time.
Approvals merge into the running sandbox policy and persist across sandbox restarts, but reset to the baseline when the sandbox is destroyed and recreated.
Source: Network Policies: Operator Approval Flow.