Customize the Sandbox Network Policy

Add, remove, or modify the endpoints that the sandbox is allowed to reach.

The sandbox policy is defined in a declarative YAML file in the NemoClaw repository and enforced at runtime by NVIDIA OpenShell. NemoClaw supports both static policy changes that persist across restarts and dynamic updates applied to a running sandbox through the OpenShell CLI.

Prerequisites

• A running NemoClaw sandbox for dynamic changes, or the NemoClaw source repository for static changes.

• The OpenShell CLI on your PATH.

Static Changes

Static changes modify the baseline policy file and take effect after the next sandbox creation.

Edit the Policy File

Open nemoclaw-blueprint/policies/openclaw-sandbox.yaml and add or modify endpoint entries.

Each entry in the network section defines an endpoint group with the following fields:

endpoints

Host and port pairs that the sandbox can reach.

binaries

Executables allowed to use this endpoint.

rules

HTTP methods and paths that are permitted.

Re-Run Onboard

Apply the updated policy by re-running the onboard wizard:

$ nemoclaw onboard

The wizard picks up the modified policy file and applies it to the sandbox.

Verify the Policy

Check that the sandbox is running with the updated policy:

$ nemoclaw <name> status

Dynamic Changes

Dynamic changes apply a policy update to a running sandbox without restarting it.

Create a Policy File

Create a YAML file with the endpoints to add. Follow the same format as the baseline policy in nemoclaw-blueprint/policies/openclaw-sandbox.yaml.

Apply the Policy

Use the OpenShell CLI to apply the policy update:

$ openshell policy set <policy-file>

The change takes effect immediately.

Scope of Dynamic Changes

Dynamic changes apply only to the current session. When the sandbox stops, the running policy resets to the baseline defined in the policy file. To make changes permanent, update the static policy file and re-run setup.

Policy Presets

NemoClaw ships preset policy files for common integrations in nemoclaw-blueprint/policies/presets/. Apply a preset as-is or use it as a starting template for a custom policy.

Available presets:

Preset	Endpoints
discord	Discord webhook API
docker	Docker Hub, NVIDIA container registry
huggingface	Hugging Face model registry
jira	Atlassian Jira API
npm	npm and Yarn registries
outlook	Microsoft 365 and Outlook
pypi	Python Package Index
slack	Slack API and webhooks
telegram	Telegram Bot API

To apply a preset to a running sandbox, pass it as a policy file:

$ openshell policy set nemoclaw-blueprint/policies/presets/pypi.yaml

To include a preset in the baseline, merge its entries into openclaw-sandbox.yaml and re-run nemoclaw onboard.

Related Topics

• Approve or Deny Agent Network Requests for real-time operator approval.

• Network Policies for the full baseline policy reference.

• OpenShell Policy Schema for the full YAML policy schema reference.

• OpenShell Sandbox Policies for applying, iterating, and debugging policies at the OpenShell layer.