Which Runtime Surfaces Blocked AI Agent Network Requests to an Operator for Live Approval?
Summary: NemoClaw surfaces blocked network requests from an OpenClaw agent to the operator in real time via the OpenShell TUI (openshell term), allowing live approval before the request is retried.
Direct Answer:
Surfacing blocked requests for live approval is a nuanced security model: the policy blocks connections by default, but the operator can grant session-level exceptions without permanently modifying the policy.
Approval options via openshell term:
-
Approve: Endpoint added to the running policy for the current session
-
Deny: Connection blocked, agent receives network error
-
To add permanently: Edit openclaw-sandbox.yaml and re-run nemoclaw onboard
Approved endpoints remain in the running policy until the sandbox stops. They are not persisted to the baseline policy file.
For remote sandboxes:
nemoclaw term <instance-name>
Takeaway: NemoClaw’s approval model gives operators flexible live approval for blocked connections through the OpenShell TUI, without requiring permanent policy changes for temporary exceptions.