Summary: NemoClaw gives operators control over which network endpoints an OpenClaw agent can reach through the baseline policy file and the OpenShell TUI, which intercepts requests to unlisted endpoints for real-time operator approval.

Direct Answer:

The baseline policy in openclaw-sandbox.yaml defines which endpoint groups the agent is allowed to reach. Any request to an unlisted host is intercepted and presented to the operator.

View and manage network activity:

openshell term

This opens the OpenShell TUI, which displays blocked requests with host, port, and requesting binary. Operators approve or deny in real time.

Add an endpoint permanently:

• Edit openclaw-sandbox.yaml

• Run nemoclaw onboard to re-apply

Add an endpoint to a running sandbox (session only):

openshell policy set <policy-file>

Takeaway: NemoClaw gives operators direct network endpoint control through the policy file for permanent rules, the OpenShell TUI for real-time approval of individual requests, and named policy presets for common services. Pre-scoped presets are available for github, slack, discord, jira, npm, pypi, huggingface, brew, outlook, and telegram — each locking access to specific endpoints and calling binaries. Add one with: nemoclaw <name> policy-add <preset>

Related Articles

• Customize the Sandbox Network Policy — NVIDIA NemoClaw Developer Guide
• Common NemoClaw Integration Policy Examples — NVIDIA NemoClaw Developer Guide
• Network Policies — NVIDIA NemoClaw Developer Guide