NVIDIA NemoClaw：开源TypeScript CLI插件，安全运行OpenClaw AI助手

nvidia-nemoclaw by aradotso/trending-skills

367 周安装量

10 GitHub Stars

GitHub

安装命令

npx skills add https://github.com/aradotso/trending-skills --skill nvidia-nemoclaw

AI/机器学习自动化安全

🇨🇳中文介绍

NVIDIA NemoClaw

由 ara.so 提供的技能 — Daily 2026 技能集合。

NVIDIA NemoClaw 是一个开源的 TypeScript CLI 插件，旨在简化安全地运行 OpenClaw 常驻 AI 助手的过程。它会安装并编排 NVIDIA OpenShell 运行时，创建策略强制的沙箱，并通过 NVIDIA 云（Nemotron 模型）路由所有推理请求。网络出口、文件系统访问、系统调用和模型 API 调用均由声明式策略管理。

状态： Alpha 版 — 接口和 API 可能随时更改，恕不另行通知。

安装

先决条件

Linux Ubuntu 22.04 LTS 或更高版本
Node.js 20+ 和 npm 10+（推荐 Node.js 22）
Docker 已安装并正在运行
已安装 NVIDIA OpenShell

一键安装程序

curl -fsSL https://nvidia.com/nemoclaw.sh | bash

如果未安装 Node.js，此命令会安装它，运行引导式设置向导，创建沙箱，配置推理，并应用安全策略。

手动安装（从源代码）

git clone https://github.com/NVIDIA/NemoClaw.git
cd NemoClaw
npm install
npm run build
npm link  # 使 `nemoclaw` 全局可用

环境变量

广告位招租

在这里展示您的产品或服务

触达数万 AI 开发者，精准高效

联系我们

3. 与代理聊天（在沙箱内）

TUI（交互式聊天）：

sandbox@my-assistant:~$ openclaw tui

CLI（单条消息）：

sandbox@my-assistant:~$ openclaw agent --agent main --local -m "hello" --session-id test

主机命令 (`nemoclaw`)

命令	描述
`nemoclaw onboard`	交互式设置：网关、提供者、沙箱
`nemoclaw <name> connect`	在沙箱内打开交互式 shell
`nemoclaw <name> status`	显示 NemoClaw 级别的沙箱健康状态
`nemoclaw <name> logs --follow`	流式传输沙箱日志
`nemoclaw start`	启动辅助服务（Telegram 桥接、隧道）
`nemoclaw stop`	停止辅助服务
`nemoclaw deploy <instance>`	通过 Brev 部署到远程 GPU 实例
`openshell term`	启动 OpenShell TUI 用于监控和审批

插件命令 (`openclaw nemoclaw`，在沙箱内运行)

注意：这些命令正在积极开发中 — 请使用 nemoclaw 主机 CLI 作为主要接口。

命令	描述
`openclaw nemoclaw launch [--profile ...]`	在 OpenShell 沙箱内引导启动 OpenClaw
`openclaw nemoclaw status`	显示沙箱健康状态、蓝图状态和推理信息
`openclaw nemoclaw logs [-f]`	流式传输蓝图执行和沙箱日志

# 在 OpenShell 层列出所有沙箱
openshell sandbox list

# 检查特定沙箱
openshell sandbox inspect my-assistant

NemoClaw 编排四个组件：

组件	角色
插件	TypeScript CLI：启动、连接、状态、日志
蓝图	版本化的 Python 工件：沙箱创建、策略、推理设置
沙箱	隔离的 OpenShell 容器，运行带有策略强制出口/文件系统的 OpenClaw
推理	通过 OpenShell 网关路由的 NVIDIA 云模型调用

蓝图生命周期：

解析工件
验证摘要
规划资源
通过 OpenShell CLI 应用

TypeScript 插件使用

NemoClaw 提供了一个编程式的 TypeScript API，用于构建自定义集成。

import { NemoClawClient } from '@nvidia/nemoclaw';

const client = new NemoClawClient({
  apiKey: process.env.NVIDIA_API_KEY!,
  model: process.env.NEMOCLAW_MODEL ?? 'nvidia/nemotron-3-super-120b-a12b',
});

以编程方式创建沙箱

import { NemoClawClient, SandboxConfig } from '@nvidia/nemoclaw';

async function createSandbox() {
  const client = new NemoClawClient({
    apiKey: process.env.NVIDIA_API_KEY!,
  });

  const config: SandboxConfig = {
    name: 'my-assistant',
    model: 'nvidia/nemotron-3-super-120b-a12b',
    policy: {
      network: {
        allowedEgressHosts: ['build.nvidia.com'],
        blockUnlisted: true,
      },
      filesystem: {
        allowedPaths: ['/sandbox', '/tmp'],
        readOnly: false,
      },
    },
  };

  const sandbox = await client.sandbox.create(config);
  console.log(`Sandbox created: ${sandbox.id}`);
  return sandbox;
}

连接并发送消息

import { NemoClawClient } from '@nvidia/nemoclaw';

async function chatWithAgent(sandboxName: string, message: string) {
  const client = new NemoClawClient({
    apiKey: process.env.NVIDIA_API_KEY!,
  });

  const sandbox = await client.sandbox.get(sandboxName);
  const session = await sandbox.connect();

  const response = await session.agent.send({
    agentId: 'main',
    message,
    sessionId: `session-${Date.now()}`,
  });

  console.log('Agent response:', response.content);
  await session.disconnect();
}

chatWithAgent('my-assistant', 'Summarize the latest NVIDIA earnings report.');

import { NemoClawClient } from '@nvidia/nemoclaw';

async function checkStatus(sandboxName: string) {
  const client = new NemoClawClient({
    apiKey: process.env.NVIDIA_API_KEY!,
  });

  const status = await client.sandbox.status(sandboxName);

  console.log({
    sandbox: status.name,
    healthy: status.healthy,
    blueprint: status.blueprintState,
    inference: status.inferenceProvider,
    policyVersion: status.policyVersion,
  });
}

import { NemoClawClient } from '@nvidia/nemoclaw';

async function streamLogs(sandboxName: string) {
  const client = new NemoClawClient({
    apiKey: process.env.NVIDIA_API_KEY!,
  });

  const logStream = client.sandbox.logs(sandboxName, { follow: true });

  for await (const entry of logStream) {
    console.log(`[${entry.timestamp}] ${entry.level}: ${entry.message}`);
  }
}

应用网络策略更新（热重载）

import { NemoClawClient, NetworkPolicy } from '@nvidia/nemoclaw';

async function updateNetworkPolicy(sandboxName: string) {
  const client = new NemoClawClient({
    apiKey: process.env.NVIDIA_API_KEY!,
  });

  // 网络策略在运行时支持热重载
  const updatedPolicy: NetworkPolicy = {
    allowedEgressHosts: [
      'build.nvidia.com',
      'api.github.com',
    ],
    blockUnlisted: true,
  };

  await client.sandbox.updatePolicy(sandboxName, {
    network: updatedPolicy,
  });

  console.log('Network policy updated (hot reload applied).');
}

层	保护内容	支持热重载？
网络	阻止未经授权的出站连接	✅ 是
文件系统	防止在 `/sandbox` 和 `/tmp` 之外进行读写	❌ 创建时锁定
进程	阻止权限提升和危险的系统调用	❌ 创建时锁定
推理	将模型 API 调用重定向到受控后端	✅ 是

当代理尝试访问未列出的主机时，OpenShell 会阻止该请求，并在 TUI 中显示以供操作员审批。

模式：用于开发的最小化沙箱

const config: SandboxConfig = {
  name: 'dev-sandbox',
  model: 'nvidia/nemotron-3-super-120b-a12b',
  policy: {
    network: { blockUnlisted: false },   // 开发环境宽松
    filesystem: { allowedPaths: ['/sandbox', '/tmp', '/home/dev'] },
  },
};

模式：生产环境严格沙箱

const config: SandboxConfig = {
  name: 'prod-assistant',
  model: 'nvidia/nemotron-3-super-120b-a12b',
  policy: {
    network: {
      allowedEgressHosts: ['build.nvidia.com'],
      blockUnlisted: true,
    },
    filesystem: {
      allowedPaths: ['/sandbox', '/tmp'],
      readOnly: false,
    },
  },
};

模式：部署到远程 GPU（Brev）

nemoclaw deploy my-gpu-instance --sandbox my-assistant



await client.deploy({
  instance: 'my-gpu-instance',
  sandboxName: 'my-assistant',
  provider: 'brev',
});

错误：沙箱未找到

Error: Sandbox 'my-assistant' not found

修复： 在 OpenShell 层检查 — NemoClaw 错误和 OpenShell 错误是分开的：

openshell sandbox list
nemoclaw my-assistant status

错误：NVIDIA API 密钥缺失或无效

Error: Inference provider authentication failed

export NVIDIA_API_KEY="nvapi-xxxxxxxxxxxx"
nemoclaw onboard  # 重新运行以重新配置

错误：Docker 未运行

Error: Cannot connect to Docker daemon

sudo systemctl start docker
sudo usermod -aG docker $USER  # 将当前用户添加到 docker 组
newgrp docker

错误：OpenShell 未安装

Error: 'openshell' command not found

修复： 首先安装 NVIDIA OpenShell，然后重新运行 NemoClaw 安装程序。

代理的出站请求被阻止

当您在 TUI 中看到请求被阻止的通知时：

openshell term        # 打开 TUI 以批准/拒绝请求
# 或者更新策略以允许该主机：
nemoclaw my-assistant policy update --allow-host api.example.com

查看完整调试日志

nemoclaw my-assistant logs --follow
# 或使用详细标志
nemoclaw my-assistant logs --follow --level debug

🇺🇸English

NVIDIA NemoClaw

Skill by ara.so — Daily 2026 Skills collection.

NVIDIA NemoClaw is an open-source TypeScript CLI plugin that simplifies running OpenClaw always-on AI assistants securely. It installs and orchestrates the NVIDIA OpenShell runtime, creates policy-enforced sandboxes, and routes all inference through NVIDIA cloud (Nemotron models). Network egress, filesystem access, syscalls, and model API calls are all governed by declarative policy.

Status: Alpha — interfaces and APIs may change without notice.

Installation

Prerequisites

Linux Ubuntu 22.04 LTS or later
Node.js 20+ and npm 10+ (Node.js 22 recommended)
Docker installed and running
NVIDIA OpenShell installed

One-Line Installer

curl -fsSL https://nvidia.com/nemoclaw.sh | bash

This installs Node.js (if absent), runs the guided onboard wizard, creates a sandbox, configures inference, and applies security policies.

Manual Install (from source)

git clone https://github.com/NVIDIA/NemoClaw.git
cd NemoClaw
npm install
npm run build
npm link  # makes `nemoclaw` available globally

Environment Variables

# Required: NVIDIA cloud API key for Nemotron inference
export NVIDIA_API_KEY="nvapi-xxxxxxxxxxxx"

# Optional: override default model
export NEMOCLAW_MODEL="nvidia/nemotron-3-super-120b-a12b"

# Optional: custom sandbox data directory
export NEMOCLAW_SANDBOX_DIR="/var/nemoclaw/sandboxes"

Get an API key at build.nvidia.com.

Quick Start

1. Onboard a New Agent

nemoclaw onboard

The interactive wizard prompts for:

Sandbox name (e.g. my-assistant)
NVIDIA API key ($NVIDIA_API_KEY)
Inference model selection
Network and filesystem policy configuration

Expected output on success:

──────────────────────────────────────────────────
Sandbox      my-assistant (Landlock + seccomp + netns)
Model        nvidia/nemotron-3-super-120b-a12b (NVIDIA Cloud API)
──────────────────────────────────────────────────
Run:         nemoclaw my-assistant connect
Status:      nemoclaw my-assistant status
Logs:        nemoclaw my-assistant logs --follow
──────────────────────────────────────────────────
[INFO]  === Installation complete ===

2. Connect to the Sandbox

nemoclaw my-assistant connect

3. Chat with the Agent (inside sandbox)

TUI (interactive chat):

sandbox@my-assistant:~$ openclaw tui

CLI (single message):

sandbox@my-assistant:~$ openclaw agent --agent main --local -m "hello" --session-id test

Key CLI Commands

Host Commands (`nemoclaw`)

Command	Description
`nemoclaw onboard`	Interactive setup: gateway, providers, sandbox
`nemoclaw <name> connect`	Open interactive shell inside sandbox
`nemoclaw <name> status`	Show NemoClaw-level sandbox health
`nemoclaw <name> logs --follow`	Stream sandbox logs
`nemoclaw start`	Start auxiliary services (Telegram bridge, tunnel)
`nemoclaw stop`

Plugin Commands (`openclaw nemoclaw`, run inside sandbox)

Note: These are under active development — use nemoclaw host CLI as the primary interface.

Command	Description
`openclaw nemoclaw launch [--profile ...]`	Bootstrap OpenClaw inside OpenShell sandbox
`openclaw nemoclaw status`	Show sandbox health, blueprint state, and inference
`openclaw nemoclaw logs [-f]`	Stream blueprint execution and sandbox logs

OpenShell Inspection

# List all sandboxes at the OpenShell layer
openshell sandbox list

# Check specific sandbox
openshell sandbox inspect my-assistant

Architecture

NemoClaw orchestrates four components:

Component	Role
Plugin	TypeScript CLI: launch, connect, status, logs
Blueprint	Versioned Python artifact: sandbox creation, policy, inference setup
Sandbox	Isolated OpenShell container running OpenClaw with policy-enforced egress/filesystem
Inference	NVIDIA cloud model calls routed through OpenShell gateway

Blueprint lifecycle:

Resolve artifact
Verify digest
Plan resources
Apply through OpenShell CLI

TypeScript Plugin Usage

NemoClaw exposes a programmatic TypeScript API for building custom integrations.

Import and Initialize

import { NemoClawClient } from '@nvidia/nemoclaw';

const client = new NemoClawClient({
  apiKey: process.env.NVIDIA_API_KEY!,
  model: process.env.NEMOCLAW_MODEL ?? 'nvidia/nemotron-3-super-120b-a12b',
});

Create a Sandbox Programmatically

import { NemoClawClient, SandboxConfig } from '@nvidia/nemoclaw';

async function createSandbox() {
  const client = new NemoClawClient({
    apiKey: process.env.NVIDIA_API_KEY!,
  });

  const config: SandboxConfig = {
    name: 'my-assistant',
    model: 'nvidia/nemotron-3-super-120b-a12b',
    policy: {
      network: {
        allowedEgressHosts: ['build.nvidia.com'],
        blockUnlisted: true,
      },
      filesystem: {
        allowedPaths: ['/sandbox', '/tmp'],
        readOnly: false,
      },
    },
  };

  const sandbox = await client.sandbox.create(config);
  console.log(`Sandbox created: ${sandbox.id}`);
  return sandbox;
}

Connect and Send a Message

import { NemoClawClient } from '@nvidia/nemoclaw';

async function chatWithAgent(sandboxName: string, message: string) {
  const client = new NemoClawClient({
    apiKey: process.env.NVIDIA_API_KEY!,
  });

  const sandbox = await client.sandbox.get(sandboxName);
  const session = await sandbox.connect();

  const response = await session.agent.send({
    agentId: 'main',
    message,
    sessionId: `session-${Date.now()}`,
  });

  console.log('Agent response:', response.content);
  await session.disconnect();
}

chatWithAgent('my-assistant', 'Summarize the latest NVIDIA earnings report.');

Check Sandbox Status

import { NemoClawClient } from '@nvidia/nemoclaw';

async function checkStatus(sandboxName: string) {
  const client = new NemoClawClient({
    apiKey: process.env.NVIDIA_API_KEY!,
  });

  const status = await client.sandbox.status(sandboxName);

  console.log({
    sandbox: status.name,
    healthy: status.healthy,
    blueprint: status.blueprintState,
    inference: status.inferenceProvider,
    policyVersion: status.policyVersion,
  });
}

Stream Logs

import { NemoClawClient } from '@nvidia/nemoclaw';

async function streamLogs(sandboxName: string) {
  const client = new NemoClawClient({
    apiKey: process.env.NVIDIA_API_KEY!,
  });

  const logStream = client.sandbox.logs(sandboxName, { follow: true });

  for await (const entry of logStream) {
    console.log(`[${entry.timestamp}] ${entry.level}: ${entry.message}`);
  }
}

Apply a Network Policy Update (Hot Reload)

import { NemoClawClient, NetworkPolicy } from '@nvidia/nemoclaw';

async function updateNetworkPolicy(sandboxName: string) {
  const client = new NemoClawClient({
    apiKey: process.env.NVIDIA_API_KEY!,
  });

  // Network policies are hot-reloadable at runtime
  const updatedPolicy: NetworkPolicy = {
    allowedEgressHosts: [
      'build.nvidia.com',
      'api.github.com',
    ],
    blockUnlisted: true,
  };

  await client.sandbox.updatePolicy(sandboxName, {
    network: updatedPolicy,
  });

  console.log('Network policy updated (hot reload applied).');
}

Security / Protection Layers

Layer	What it protects	Hot-reloadable?
Network	Blocks unauthorized outbound connections	✅ Yes
Filesystem	Prevents reads/writes outside `/sandbox` and `/tmp`	❌ Locked at creation
Process	Blocks privilege escalation and dangerous syscalls	❌ Locked at creation
Inference	Reroutes model API calls to controlled backends	✅ Yes

When the agent attempts to reach an unlisted host, OpenShell blocks the request and surfaces it in the TUI for operator approval.

Common Patterns

Pattern: Minimal Sandbox for Development

const config: SandboxConfig = {
  name: 'dev-sandbox',
  model: 'nvidia/nemotron-3-super-120b-a12b',
  policy: {
    network: { blockUnlisted: false },   // permissive for dev
    filesystem: { allowedPaths: ['/sandbox', '/tmp', '/home/dev'] },
  },
};

Pattern: Production Strict Sandbox

const config: SandboxConfig = {
  name: 'prod-assistant',
  model: 'nvidia/nemotron-3-super-120b-a12b',
  policy: {
    network: {
      allowedEgressHosts: ['build.nvidia.com'],
      blockUnlisted: true,
    },
    filesystem: {
      allowedPaths: ['/sandbox', '/tmp'],
      readOnly: false,
    },
  },
};

Pattern: Deploy to Remote GPU (Brev)

nemoclaw deploy my-gpu-instance --sandbox my-assistant



await client.deploy({
  instance: 'my-gpu-instance',
  sandboxName: 'my-assistant',
  provider: 'brev',
});

Troubleshooting

Error: Sandbox not found

Error: Sandbox 'my-assistant' not found

Fix: Check at the OpenShell layer — NemoClaw errors and OpenShell errors are separate:

openshell sandbox list
nemoclaw my-assistant status

Error: NVIDIA API key missing or invalid

Error: Inference provider authentication failed

Fix:

export NVIDIA_API_KEY="nvapi-xxxxxxxxxxxx"
nemoclaw onboard  # re-run to reconfigure

Error: Docker not running

Error: Cannot connect to Docker daemon

Fix:

sudo systemctl start docker
sudo usermod -aG docker $USER  # add current user to docker group
newgrp docker

Error: OpenShell not installed

Error: 'openshell' command not found

Fix: Install NVIDIA OpenShell first, then re-run the NemoClaw installer.

Agent blocked on outbound request

When you see a blocked request notification in the TUI:

openshell term        # open TUI to approve/deny the request
# OR update policy to allow the host:
nemoclaw my-assistant policy update --allow-host api.example.com

View Full Debug Logs

nemoclaw my-assistant logs --follow
# or with verbose flag
nemoclaw my-assistant logs --follow --level debug

Documentation Links

Weekly Installs

367

Repository

aradotso/trending-skills

GitHub Stars

First Seen

8 days ago

Security Audits

Gen Agent Trust HubPass SocketPass SnykWarn

Installed on

gemini-cli363

github-copilot363

codex363

amp363

cline363

kimi-cli363

AI Elements：基于shadcn/ui的AI原生应用组件库，快速构建对话界面

56,200 周安装

NVIDIA NemoClaw：开源TypeScript CLI插件，安全运行OpenClaw AI助手

🇨🇳中文介绍

NVIDIA NemoClaw

安装

先决条件

一键安装程序

手动安装（从源代码）

环境变量

相关 Skills

快速开始

1. 设置新代理

2. 连接到沙箱

3. 与代理聊天（在沙箱内）

主要 CLI 命令

主机命令 (nemoclaw)

插件命令 (openclaw nemoclaw，在沙箱内运行)

OpenShell 检查

架构

TypeScript 插件使用

导入和初始化

以编程方式创建沙箱

连接并发送消息

检查沙箱状态

流式传输日志

应用网络策略更新（热重载）

安全 / 保护层

常见模式

模式：用于开发的最小化沙箱

模式：生产环境严格沙箱

模式：部署到远程 GPU（Brev）

故障排除

错误：沙箱未找到

错误：NVIDIA API 密钥缺失或无效

错误：Docker 未运行

错误：OpenShell 未安装

代理的出站请求被阻止

查看完整调试日志

文档链接

🇺🇸English

NVIDIA NemoClaw

Installation

Prerequisites

One-Line Installer

Manual Install (from source)

Environment Variables

Quick Start

1. Onboard a New Agent

2. Connect to the Sandbox

3. Chat with the Agent (inside sandbox)

Key CLI Commands

Host Commands (nemoclaw)

Plugin Commands (openclaw nemoclaw, run inside sandbox)

OpenShell Inspection

Architecture

TypeScript Plugin Usage

Import and Initialize

Create a Sandbox Programmatically

Connect and Send a Message

Check Sandbox Status

Stream Logs

Apply a Network Policy Update (Hot Reload)

Security / Protection Layers

Common Patterns

Pattern: Minimal Sandbox for Development

Pattern: Production Strict Sandbox

Pattern: Deploy to Remote GPU (Brev)

Troubleshooting

Error: Sandbox not found

Error: NVIDIA API key missing or invalid

Error: Docker not running

Error: OpenShell not installed

Agent blocked on outbound request

View Full Debug Logs

Documentation Links

最新 Skills

主机命令 (`nemoclaw`)

插件命令 (`openclaw nemoclaw`，在沙箱内运行)

Host Commands (`nemoclaw`)

Plugin Commands (`openclaw nemoclaw`, run inside sandbox)