Commands#
The nemoclaw CLI is the primary interface for managing NemoClaw sandboxes.
It is installed automatically by the installer (curl -fsSL https://www.nvidia.com/nemoclaw.sh | bash).
/nemoclaw Slash Command#
The /nemoclaw slash command is available inside the OpenClaw chat interface for quick actions:
Subcommand |
Description |
|---|---|
|
Show slash-command help and host CLI pointers |
|
Show sandbox and inference state |
|
Show onboarding status and reconfiguration guidance |
|
Show rollback instructions for returning to the host installation |
Standalone Host Commands#
The nemoclaw binary handles host-side operations that run outside the OpenClaw plugin context.
nemoclaw help, nemoclaw --help, nemoclaw -h#
Show the top-level usage summary and command groups.
Running nemoclaw with no arguments shows the same help output.
$ nemoclaw help
nemoclaw --version, nemoclaw -v#
Print the installed NemoClaw CLI version.
$ nemoclaw --version
nemoclaw onboard#
Run the interactive setup wizard (recommended for new installs). The wizard creates an OpenShell gateway, registers inference providers, builds the sandbox image, and creates the sandbox. Use this command for new installs and for recreating a sandbox after changes to policy or configuration.
$ nemoclaw onboard [--non-interactive] [--resume] [--recreate-sandbox] [--from <Dockerfile>] [--agent <name>] [--yes-i-accept-third-party-software]
Warning
For NemoClaw-managed environments, use nemoclaw onboard when you need to create or recreate the OpenShell gateway or sandbox.
Avoid openshell self-update, npm update -g openshell, openshell gateway start --recreate, or openshell sandbox create directly unless you intend to manage OpenShell separately and then rerun nemoclaw onboard.
The installer detects existing sandbox sessions before onboarding and prints a warning if any are found.
To make the installer abort instead of continuing, set NEMOCLAW_SINGLE_SESSION=1:
$ NEMOCLAW_SINGLE_SESSION=1 curl -fsSL https://www.nvidia.com/nemoclaw.sh | bash
The wizard prompts for a provider first, then collects the provider credential if needed.
Supported non-experimental choices include NVIDIA Endpoints, OpenAI, Anthropic, Google Gemini, and compatible OpenAI or Anthropic endpoints.
Credentials are stored in ~/.nemoclaw/credentials.json. For file permissions, plaintext storage behavior, and hardening guidance, see Credential Storage.
The legacy nemoclaw setup command is deprecated; use nemoclaw onboard instead.
After provider selection, the wizard prompts for a policy tier that controls the default set of network policy presets applied to the sandbox. Three tiers are available:
Tier |
Description |
|---|---|
Restricted |
Base sandbox only. No third-party network access beyond inference and core agent tooling. |
Balanced (default) |
Full dev tooling and web search. Package installs, model downloads, and inference. No messaging platform access. |
Open |
Broad access across third-party services including messaging and productivity. |
After selecting a tier, the wizard shows a combined preset and access-mode screen where you can include or exclude individual presets and toggle each between read and read-write access. For details on tiers and the presets each includes, see Network Policies.
In non-interactive mode, set the tier with NEMOCLAW_POLICY_TIER (default: balanced):
$ NEMOCLAW_POLICY_TIER=restricted nemoclaw onboard --non-interactive --yes-i-accept-third-party-software
If you enable Brave Search during onboarding, NemoClaw currently stores the Brave API key in the sandbox’s OpenClaw configuration. That means the OpenClaw agent can read the key. NemoClaw explores an OpenShell-hosted credential path first, but the current OpenClaw Brave runtime does not consume that path end to end yet. Treat Brave Search as an explicit opt-in and use a dedicated low-privilege Brave key.
For non-interactive onboarding, you must explicitly accept the third-party software notice:
$ nemoclaw onboard --non-interactive --yes-i-accept-third-party-software
or:
$ NEMOCLAW_ACCEPT_THIRD_PARTY_SOFTWARE=1 nemoclaw onboard --non-interactive
To enable Brave Search in non-interactive mode, set:
$ BRAVE_API_KEY=... \
nemoclaw onboard --non-interactive
BRAVE_API_KEY enables Brave Search in non-interactive mode and also enables web_fetch.
The wizard prompts for a sandbox name.
Names must follow RFC 1123 subdomain rules: lowercase alphanumeric characters and hyphens only, and must start and end with an alphanumeric character.
Uppercase letters are automatically lowercased.
Names that match global CLI commands (status, list, debug, etc.) are rejected to avoid routing conflicts.
If you enable Slack during onboarding, the wizard collects both the Bot Token (SLACK_BOT_TOKEN) and the App-Level Token (SLACK_APP_TOKEN).
Socket Mode requires both tokens.
The app-level token is stored in a dedicated slack-app OpenShell provider and forwarded to the sandbox alongside the bot token.
If you enable Discord during onboarding, the wizard can also prompt for a Discord Server ID, whether the bot should reply only to @mentions or to all messages in that server, and an optional Discord User ID.
NemoClaw bakes those values into the sandbox image as Discord guild workspace config so the bot can respond in the selected server, not just in DMs.
If you leave the Discord User ID blank, the guild config omits the user allowlist and any member of the configured server can message the bot.
Guild responses remain mention-gated by default unless you opt into all-message replies.
Before creating the gateway, the wizard runs preflight checks.
It verifies that Docker is reachable, warns on untested runtimes such as Podman, and prints host remediation guidance when prerequisites are missing.
The preflight also enforces the OpenShell version range declared in the blueprint (min_openshell_version and max_openshell_version).
If the installed OpenShell version falls outside this range, onboarding exits with an actionable error and a link to compatible releases.
--from <Dockerfile>#
Build the sandbox image from a custom Dockerfile instead of the stock NemoClaw image. The entire parent directory of the specified file is used as the Docker build context, so any files your Dockerfile references (scripts, config, etc.) must live alongside it.
$ nemoclaw onboard --from path/to/Dockerfile
The file can have any name; if it is not already named Dockerfile, onboard copies it to Dockerfile inside the staged build context automatically.
All NemoClaw build arguments (NEMOCLAW_MODEL, NEMOCLAW_PROVIDER_KEY, NEMOCLAW_INFERENCE_BASE_URL, etc.) are injected as ARG overrides at build time, so declare them in your Dockerfile if you need to reference them.
In non-interactive mode, the path can also be supplied via the NEMOCLAW_FROM_DOCKERFILE environment variable:
$ NEMOCLAW_NON_INTERACTIVE=1 NEMOCLAW_FROM_DOCKERFILE=path/to/Dockerfile nemoclaw onboard
If a --resume is attempted with a different --from path than the original session, onboarding exits with a conflict error rather than silently building from the wrong image.
nemoclaw list#
List all registered sandboxes with their model, provider, and policy presets.
$ nemoclaw list
nemoclaw deploy#
Warning
The nemoclaw deploy command is deprecated.
Prefer provisioning the remote host separately, then running the standard NemoClaw installer and nemoclaw onboard on that host.
Deploy NemoClaw to a remote GPU instance through Brev. This command remains as a compatibility wrapper for the older Brev-specific bootstrap flow.
$ nemoclaw deploy <instance-name>
nemoclaw <name> connect#
Connect to a sandbox by name.
On a TTY, a one-shot hint prints before dropping into the sandbox shell, reminding you to run openclaw tui inside.
Set NEMOCLAW_NO_CONNECT_HINT=1 to suppress the hint in scripted workflows.
If the sandbox is running an outdated agent version, a non-blocking warning prints before connecting with a nemoclaw <name> rebuild hint.
$ nemoclaw my-assistant connect
nemoclaw <name> status#
Show sandbox status, health, and inference configuration.
For local Ollama and local vLLM routes, the command also probes the host-side health endpoint and reports whether the backend is reachable.
If the backend is down, the output includes an Inference: unreachable line with the local URL and a remediation hint.
The Policy section displays the live enforced policy (fetched via openshell policy get --full), which reflects presets added or removed after sandbox creation.
If the sandbox is running an outdated agent version, the output includes an Update line with the available version and a nemoclaw <name> rebuild hint.
$ nemoclaw my-assistant status
nemoclaw <name> logs#
View sandbox logs.
Use --follow to stream output in real time.
$ nemoclaw my-assistant logs [--follow]
nemoclaw <name> destroy#
Stop the NIM container and delete the sandbox. This removes the sandbox from the registry.
Warning
This command permanently deletes the sandbox and its persistent volume.
All workspace files (SOUL.md, USER.md, IDENTITY.md, AGENTS.md, MEMORY.md, and daily memory notes) are lost.
Back up your workspace first with nemoclaw <name> snapshot create or see Backup and Restore.
If you want to upgrade the sandbox while preserving state, use nemoclaw <name> rebuild instead.
$ nemoclaw my-assistant destroy
nemoclaw <name> policy-add#
Add a policy preset to a sandbox. Presets extend the baseline network policy with additional endpoints. Before applying, the command shows which endpoints the preset would open and prompts for confirmation.
$ nemoclaw my-assistant policy-add
Flag |
Description |
|---|---|
|
Preview the endpoints a preset would open without applying changes |
Use --dry-run to audit a preset before applying it:
$ nemoclaw my-assistant policy-add --dry-run
nemoclaw <name> policy-list#
List available policy presets and show which ones are applied to the sandbox.
$ nemoclaw my-assistant policy-list
nemoclaw <name> policy-remove#
Remove a previously applied policy preset from a sandbox. The command lists only the presets currently applied, prompts you to select one, shows the endpoints that would be removed, and asks for confirmation before narrowing egress.
$ nemoclaw my-assistant policy-remove
Flag |
Description |
|---|---|
|
Preview which endpoints would be removed without applying changes |
Unchecking a preset in the onboard TUI checkbox also removes it from the sandbox.
nemoclaw <name> skill install <path>#
Deploy a skill directory to a running sandbox.
The command validates the SKILL.md frontmatter (a name field is required), uploads all non-dot files preserving subdirectory structure, and performs agent-specific post-install steps.
$ nemoclaw my-assistant skill install ./my-skill/
The skill directory must contain a SKILL.md file with YAML frontmatter that includes a name field.
Skill names must contain only alphanumeric characters, dots, hyphens, and underscores.
Files with names starting with . (dotfiles) are skipped and listed in the output.
Files with unsafe path characters are rejected to prevent shell injection.
If the skill already exists on the sandbox, the command updates it in place and preserves chat history. For new installs, the agent session index is refreshed so the agent discovers the skill on the next session.
nemoclaw <name> rebuild#
Upgrade a sandbox to the current agent version while preserving workspace state.
The command backs up workspace state, destroys the old sandbox, recreates it with the current image via onboard --resume, and restores workspace state into the new sandbox.
Credentials are stripped from backups before storage.
$ nemoclaw my-assistant rebuild [--yes] [--verbose]
Flag |
Description |
|---|---|
|
Skip the confirmation prompt |
|
Log SSH commands, exit codes, and session state (also enabled by |
The sandbox must be running for the backup step to succeed.
After restore, the command runs openclaw doctor --fix for cross-version structure repair.
nemoclaw backup-all#
Back up all registered running sandboxes to ~/.nemoclaw/rebuild-backups/.
Sandboxes that are not running are skipped.
$ nemoclaw backup-all
The installer calls backup-all automatically before onboarding to protect against data loss during OpenShell upgrades.
nemoclaw <name> snapshot create#
Create a timestamped snapshot of sandbox state.
Snapshots are stored in ~/.nemoclaw/rebuild-backups/<name>/.
$ nemoclaw my-assistant snapshot create
nemoclaw <name> snapshot list#
List available snapshots for a sandbox with timestamps and item counts.
$ nemoclaw my-assistant snapshot list
nemoclaw <name> snapshot restore [timestamp]#
Restore sandbox state from a snapshot. If no timestamp is provided, the latest snapshot is used. Partial timestamp prefixes are accepted if they match exactly one snapshot.
$ nemoclaw my-assistant snapshot restore
$ nemoclaw my-assistant snapshot restore 2026-04-14T
openshell term#
Open the OpenShell TUI to monitor sandbox activity and approve network egress requests. Run this on the host where the sandbox is running.
$ openshell term
For a remote Brev instance, SSH to the instance and run openshell term there, or use a port-forward to the gateway.
nemoclaw start#
Start optional host auxiliary services. This is the cloudflared tunnel when cloudflared is installed (for a public URL to the dashboard). Channel messaging (Telegram, Discord, Slack) is not started here; it is configured during nemoclaw onboard and runs through OpenShell-managed constructs.
$ nemoclaw start
nemoclaw stop#
Stop host auxiliary services started by nemoclaw start (for example cloudflared).
$ nemoclaw stop
nemoclaw status#
Show the sandbox list and the status of host auxiliary services (for example cloudflared).
$ nemoclaw status
nemoclaw setup-spark#
Warning
The nemoclaw setup-spark command is deprecated.
Use the standard installer and run nemoclaw onboard instead, because current OpenShell releases handle the older DGX Spark cgroup behavior.
This command remains as a compatibility alias to nemoclaw onboard.
$ nemoclaw setup-spark
nemoclaw debug#
Collect diagnostics for bug reports.
Gathers system info, Docker state, gateway logs, and sandbox status into a summary or tarball.
Use --sandbox <name> to target a specific sandbox, --quick for a smaller snapshot, or --output <path> to save a tarball that you can attach to an issue.
$ nemoclaw debug [--quick] [--sandbox NAME] [--output PATH]
Flag |
Description |
|---|---|
|
Collect minimal diagnostics only |
|
Target a specific sandbox (default: auto-detect) |
|
Write diagnostics tarball to the given path |
nemoclaw credentials list#
List the names of all credentials stored in ~/.nemoclaw/credentials.json.
Values are not printed.
$ nemoclaw credentials list
nemoclaw credentials reset <KEY>#
Remove a stored credential by name.
After removal, re-running nemoclaw onboard re-prompts for that key.
$ nemoclaw credentials reset NVIDIA_API_KEY
Flag |
Description |
|---|---|
|
Skip the confirmation prompt |
nemoclaw uninstall#
Run uninstall.sh to remove NemoClaw sandboxes, gateway resources, related images and containers, and local state.
The CLI uses the local uninstall.sh first and falls back to the hosted script if the local file is unavailable.
Flag |
Effect |
|---|---|
|
Skip the confirmation prompt |
|
Leave the |
|
Also remove NemoClaw-pulled Ollama models |
$ nemoclaw uninstall [--yes] [--keep-openshell] [--delete-models]
Environment Variables#
NemoClaw reads the following environment variables to configure service ports.
Set them before running nemoclaw onboard or any command that starts services.
All ports must be non-privileged integers between 1024 and 65535.
Variable |
Default |
Service |
|---|---|---|
|
8080 |
OpenShell gateway |
|
18789 |
Dashboard UI |
|
8000 |
vLLM / NIM inference |
|
11434 |
Ollama inference |
If a port value is not a valid integer or falls outside the allowed range, the CLI exits with an error.
$ export NEMOCLAW_DASHBOARD_PORT=19000
$ nemoclaw onboard
These overrides apply to onboarding, status checks, health probes, and the uninstaller. Defaults are unchanged when no variable is set.
Legacy nemoclaw setup#
Deprecated. Use nemoclaw onboard instead.
Running nemoclaw setup now delegates directly to nemoclaw onboard.
$ nemoclaw setup