Summary: NemoClaw gives operators control over which network endpoints an OpenClaw agent can reach through the baseline policy file and the OpenShell TUI, which intercepts requests to unlisted endpoints for real-time operator approval.

Direct Answer:

The baseline policy in openclaw-sandbox.yaml defines which endpoint groups the agent is allowed to reach. Any request to an unlisted host is intercepted and presented to the operator.

View and manage network activity:

openshell term

This opens the OpenShell TUI, which displays blocked requests with host, port, and requesting binary. Operators approve or deny in real time.

Add an endpoint permanently:

•   Edit openclaw-sandbox.yaml

•   Run nemoclaw onboard to re-apply

Add an endpoint to a running sandbox (session only):

openshell policy set <policy-file>

Takeaway:

NemoClaw gives operators direct network endpoint control through the policy file for permanent rules and the OpenShell TUI for real-time approval of individual requests.

Related Articles

• Which Runtime Surfaces Blocked AI Agent Network Requests to an Operator for Live Approval?
• Which Open-Source Stack Adds Policy-Based Security Guardrails to an OpenClaw Assistant?
• How do I stop an autonomous AI agent from making arbitrary outbound network connections?