Reference: NemoClaw on DGX Spark — install order, non-interactive installer quirks, dashboard SSH tunnel, network policy (including wttr.in / weather), TUI vs CLI, DNS and proxy notes, and where official docs live. March 2026.
1. Install on the DGX (root, non-interactive)
Optional: ssh from your Mac, then bash if you prefer a clean shell. Replace YOUR_NVIDIA_API_KEY only on the host.
export NVIDIA_API_KEY="YOUR_NVIDIA_API_KEY"
export NEMOCLAW_NON_INTERACTIVE=1
export PATH="/root/.local/bin:$(npm config get prefix 2>/dev/null)/bin:$PATH"
curl -LsSf https://raw.githubusercontent.com/NVIDIA/OpenShell/main/install.sh | sh
grep -q '.local/bin' ~/.bashrc || echo 'export PATH="/root/.local/bin:$PATH"' >> ~/.bashrc
export PATH="/root/.local/bin:$PATH"
rm -rf /root/NemoClaw
git clone --depth 1 https://github.com/NVIDIA/NemoClaw.git /root/NemoClaw
chmod +x /root/NemoClaw/scripts/setup-spark.sh
/root/NemoClaw/scripts/setup-spark.sh
cd /root
curl -fsSL https://www.nvidia.com/nemoclaw.sh | bash -s -- --non-interactive
export PATH="/root/.local/bin:$(npm config get prefix)/bin:$PATH"
nemoclaw --version && openshell --versionWhy bash -s -- --non-interactive: the installer clears NON_INTERACTIVE at the start of main(); use the flag and/or NEMOCLAW_NON_INTERACTIVE=1. Plain curl … | bash without that often drops you into interactive onboard.
If docker ps fails after Spark setup: newgrp docker or log out and SSH in again.
2. Dashboard from a Mac
On the DGX (example sandbox my-assistant):
export PATH="/root/.local/bin:$PATH"
openshell forward start -d 18789 my-assistantOn the Mac (leave open):
ssh -i ~/.ssh/id_ed25519 -N -L 18789:127.0.0.1:18789 root@192.168.1.182Browser: http://127.0.0.1:18789/ (add #token=… if required).
3. Official documentation (NemoClaw + OpenShell)
- NemoClaw (rendered): docs.nvidia.com/nemoclaw/latest
- Source on the DGX:
/root/NemoClaw/docs/or/root/.nemoclaw/source/docs/(same tree as GitHubNVIDIA/NemoClaw). - OpenShell (rendered): docs.nvidia.com/openshell/latest — policy hot-reload: Sandbox policies.
- Approve blocked egress (TUI): Approve or Deny Network Requests —
openshell term; approvals are session-only. - Customise policy: Customize the Sandbox Network Policy — static (
openclaw-sandbox.yaml+nemoclaw onboard) vs dynamic (openshell policy set).
4. Allow a host from the TUI (UI)
export PATH="$HOME/.local/bin:$PATH"
openshell termNavigate to pending / blocked requests for your sandbox and approve. This updates the running policy until the sandbox stops — it does not persist into the baseline YAML on disk.
5. Allow a host from the CLI (no TUI)
Example sandbox name: my-assistant. OpenShell workflow:
openshell policy get my-assistant --full > /tmp/my-assistant-policy.yaml
# Edit file: add a network_policies block (host, ports, rules, binaries)
openshell policy set my-assistant --policy /tmp/my-assistant-policy.yaml --wait
openshell policy list my-assistantThere is no documented openshell policy approve <id> — approval in the product sense is TUI or YAML + policy set.
6. Editing openclaw-sandbox.yaml (e.g. weather / wttr.in)
Baseline file (typical path after global install):
$(npm root -g)/nemoclaw/nemoclaw-blueprint/policies/openclaw-sandbox.yamlAdd under network_policies: a weather block. Prefer access: full on ports 80 and 443 (TCP passthrough / no L7 inspection) so curl through the egress proxy works without CONNECT vs plain-GET mismatches:
weather:
name: weather
endpoints:
- host: wttr.in
port: 443
access: full
- host: wttr.in
port: 80
access: full
binaries:
- { path: /usr/bin/curl }Why not protocol: rest + rules: only? If the TUI/log shows policy: weather but reason: endpoint has L7 rules; use CONNECT, the policy matched but the proxy rejected the way the request was sent (e.g. plain GET on port 80 while L7 rules expect a CONNECT tunnel). Easiest fix: use the YAML above, or drop protocol/tls/rules for this host. Prefer curl to https://wttr.in/… and, if needed, --proxy "$HTTPS_PROXY".
Editing alone does not apply the change. On the host:
openshell policy set my-assistant \
--policy "$(npm root -g)/nemoclaw/nemoclaw-blueprint/policies/openclaw-sandbox.yaml" \
--waitOr run nemoclaw onboard to reapply the static baseline (may recreate the sandbox depending on the wizard).
Do you need to restart? No DGX reboot. openshell policy set … --wait hot-reloads network policy. Gateway “Healthy” is enough.
Caution: edits under node_modules/nemoclaw/… can be overwritten on the next npm install -g nemoclaw; keep a copy or patch the tree under ~/.nemoclaw/source for durability.
7. When curl still fails: EAI_AGAIN and empty output
getaddrinfo EAI_AGAIN wttr.in— DNS/resolver path inside the sandbox; traffic often must go through the egress proxy. Inside the sandbox checkecho $HTTP_PROXY $HTTPS_PROXY. If set, try:curl -sS --proxy "$HTTPS_PROXY" "https://wttr.in/London?format=3".- OPA
denyonwttr.in+/usr/bin/curl— allow host and binary in one block. If the log saysendpoint has L7 rules; use CONNECT, switch theweatherblock toaccess: full(see §6) and reapply policy. - Other sites (Google, httpbin) — default baseline is deny-by-default; failure is often policy, not “no internet”.
ping: command not found— normal in minimal images; usecurlfor checks.
8. Presets and permanent baseline
nemoclaw my-assistant policy-add
nemoclaw my-assistant policy-listOfficial presets include telegram, slack, discord, npm, pypi, docker, huggingface, jira, outlook. There is no dedicated “weather” preset — add wttr.in manually as above.
Static permanence: merge into openclaw-sandbox.yaml and nemoclaw onboard. Dynamic: openshell policy set — see Nemo/OpenShell docs for session scope vs baseline.
9. Uninstall (optional)
export PATH="/root/.local/bin:$(npm config get prefix 2>/dev/null)/bin:$PATH"
( nemoclaw uninstall --yes ) 2>/dev/null || true
# … remove clones, ~/.nemoclaw, openshell binary, /tmp nemoclaw files (see full runbook)10. Related
Alpha notice and breaking changes: see NemoClaw docs and _includes/alpha-statement.md in the repo. NVIDIA API / Endpoints validation errors: check keys at build.nvidia.com or switch provider during interactive onboard.
