nvidia-nemoclaw
NVIDIA NemoClaw
Skill by ara.so — Daily 2026 Skills collection.
NVIDIA NemoClaw is an open-source TypeScript CLI plugin that simplifies running OpenClaw always-on AI assistants securely. It installs and orchestrates the NVIDIA OpenShell runtime, creates policy-enforced sandboxes, and routes all inference through NVIDIA cloud (Nemotron models). Network egress, filesystem access, syscalls, and model API calls are all governed by declarative policy.
Status: Alpha — interfaces and APIs may change without notice.
Installation
Prerequisites
- Linux Ubuntu 22.04 LTS or later
- Node.js 20+ and npm 10+ (Node.js 22 recommended)
- Docker installed and running
- NVIDIA OpenShell installed
One-Line Installer
```bash
curl -fsSL https://nvidia.com/nemoclaw.sh | bash
```
This installs Node.js (if absent), runs the guided onboard wizard, creates a sandbox, configures inference, and applies security policies.
Manual Install (from source)
```bash
git clone https://github.com/NVIDIA/NemoClaw.git
cd NemoClaw
npm install
npm run build
npm link  # makes `nemoclaw` available globally
```
Environment Variables
```bash
# Required: NVIDIA cloud API key for Nemotron inference
export NVIDIA_API_KEY="nvapi-xxxxxxxxxxxx"

# Optional: override default model
export NEMOCLAW_MODEL="nvidia/nemotron-3-super-120b-a12b"

# Optional: custom sandbox data directory
export NEMOCLAW_SANDBOX_DIR="/var/nemoclaw/sandboxes"
```
Get an API key at [build.nvidia.com](https://build.nvidia.com).
---
Quick Start
1. Onboard a New Agent
```bash
nemoclaw onboard
```
The interactive wizard prompts for:
- Sandbox name (e.g. `my-assistant`)
- NVIDIA API key (`$NVIDIA_API_KEY`)
- Inference model selection
- Network and filesystem policy configuration
Expected output on success:
```
──────────────────────────────────────────────────
Sandbox my-assistant (Landlock + seccomp + netns)
Model nvidia/nemotron-3-super-120b-a12b (NVIDIA Cloud API)
──────────────────────────────────────────────────
Run: nemoclaw my-assistant connect
Status: nemoclaw my-assistant status
Logs: nemoclaw my-assistant logs --follow
──────────────────────────────────────────────────
[INFO] === Installation complete ===
```
2. Connect to the Sandbox
```bash
nemoclaw my-assistant connect
```
3. Chat with the Agent (inside sandbox)
TUI (interactive chat):
```bash
sandbox@my-assistant:~$ openclaw tui
```
CLI (single message):
```bash
sandbox@my-assistant:~$ openclaw agent --agent main --local -m "hello" --session-id test
```
Key CLI Commands
Host Commands (`nemoclaw`)
| Command | Description |
|---|---|
| | Interactive setup: gateway, providers, sandbox |
| | Open interactive shell inside sandbox |
| | Show NemoClaw-level sandbox health |
| | Stream sandbox logs |
| | Start auxiliary services (Telegram bridge, tunnel) |
| | Stop auxiliary services |
| | Deploy to remote GPU instance via Brev |
| | Launch OpenShell TUI for monitoring and approvals |
Plugin Commands (`openclaw nemoclaw`, run inside sandbox)
Note: These are under active development — use the `nemoclaw` host CLI as the primary interface.
| Command | Description |
|---|---|
| | Bootstrap OpenClaw inside OpenShell sandbox |
| | Show sandbox health, blueprint state, and inference |
| | Stream blueprint execution and sandbox logs |
OpenShell Inspection
```bash
# List all sandboxes at the OpenShell layer
openshell sandbox list

# Check specific sandbox
openshell sandbox inspect my-assistant
```
---
Architecture
NemoClaw orchestrates four components:
| Component | Role |
|---|---|
| Plugin | TypeScript CLI: launch, connect, status, logs |
| Blueprint | Versioned Python artifact: sandbox creation, policy, inference setup |
| Sandbox | Isolated OpenShell container running OpenClaw with policy-enforced egress/filesystem |
| Inference | NVIDIA cloud model calls routed through OpenShell gateway |
Blueprint lifecycle:
- Resolve artifact
- Verify digest
- Plan resources
- Apply through OpenShell CLI
TypeScript Plugin Usage
NemoClaw exposes a programmatic TypeScript API for building custom integrations.
Import and Initialize
```typescript
import { NemoClawClient } from '@nvidia/nemoclaw';

const client = new NemoClawClient({
  apiKey: process.env.NVIDIA_API_KEY!,
  model: process.env.NEMOCLAW_MODEL ?? 'nvidia/nemotron-3-super-120b-a12b',
});
```
Create a Sandbox Programmatically
```typescript
import { NemoClawClient, SandboxConfig } from '@nvidia/nemoclaw';

async function createSandbox() {
  const client = new NemoClawClient({
    apiKey: process.env.NVIDIA_API_KEY!,
  });

  const config: SandboxConfig = {
    name: 'my-assistant',
    model: 'nvidia/nemotron-3-super-120b-a12b',
    policy: {
      network: {
        allowedEgressHosts: ['build.nvidia.com'],
        blockUnlisted: true,
      },
      filesystem: {
        allowedPaths: ['/sandbox', '/tmp'],
        readOnly: false,
      },
    },
  };

  const sandbox = await client.sandbox.create(config);
  console.log(`Sandbox created: ${sandbox.id}`);
  return sandbox;
}
```
Connect and Send a Message
```typescript
import { NemoClawClient } from '@nvidia/nemoclaw';

async function chatWithAgent(sandboxName: string, message: string) {
  const client = new NemoClawClient({
    apiKey: process.env.NVIDIA_API_KEY!,
  });

  const sandbox = await client.sandbox.get(sandboxName);
  const session = await sandbox.connect();
  try {
    const response = await session.agent.send({
      agentId: 'main',
      message,
      sessionId: `session-${Date.now()}`,
    });
    console.log('Agent response:', response.content);
  } finally {
    // Release the session even if the send fails
    await session.disconnect();
  }
}

chatWithAgent('my-assistant', 'Summarize the latest NVIDIA earnings report.').catch(console.error);
```
Check Sandbox Status
```typescript
import { NemoClawClient } from '@nvidia/nemoclaw';

async function checkStatus(sandboxName: string) {
  const client = new NemoClawClient({
    apiKey: process.env.NVIDIA_API_KEY!,
  });

  const status = await client.sandbox.status(sandboxName);
  console.log({
    sandbox: status.name,
    healthy: status.healthy,
    blueprint: status.blueprintState,
    inference: status.inferenceProvider,
    policyVersion: status.policyVersion,
  });
}
```
Stream Logs
```typescript
import { NemoClawClient } from '@nvidia/nemoclaw';

async function streamLogs(sandboxName: string) {
  const client = new NemoClawClient({
    apiKey: process.env.NVIDIA_API_KEY!,
  });

  const logStream = client.sandbox.logs(sandboxName, { follow: true });
  for await (const entry of logStream) {
    console.log(`[${entry.timestamp}] ${entry.level}: ${entry.message}`);
  }
}
```
Apply a Network Policy Update (Hot Reload)
```typescript
import { NemoClawClient, NetworkPolicy } from '@nvidia/nemoclaw';

async function updateNetworkPolicy(sandboxName: string) {
  const client = new NemoClawClient({
    apiKey: process.env.NVIDIA_API_KEY!,
  });

  // Network policies are hot-reloadable at runtime
  const updatedPolicy: NetworkPolicy = {
    allowedEgressHosts: [
      'build.nvidia.com',
      'api.github.com',
    ],
    blockUnlisted: true,
  };

  await client.sandbox.updatePolicy(sandboxName, {
    network: updatedPolicy,
  });
  console.log('Network policy updated (hot reload applied).');
}
```
Security / Protection Layers
| Layer | What it protects | Hot-reloadable? |
|---|---|---|
| Network | Blocks unauthorized outbound connections | ✅ Yes |
| Filesystem | Prevents reads/writes outside | ❌ Locked at creation |
| Process | Blocks privilege escalation and dangerous syscalls | ❌ Locked at creation |
| Inference | Reroutes model API calls to controlled backends | ✅ Yes |
When the agent attempts to reach an unlisted host, OpenShell blocks the request and surfaces it in the TUI for operator approval.
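As an added example (not NemoClaw's own code), the TypeScript below sorts a proposed policy change into the layers the table marks hot-reloadable and those locked at creation, and lists each widening for review before it is applied. The local types, `planPolicyChange`, and the sample specs are assumptions that mirror the `SandboxConfig` shape used on this page; treating a `model` change as an inference-layer change is also an assumption.

```typescript
// Added example: local types mirror the policy shape shown on this page (assumed, not imported).
interface NetworkPolicy { allowedEgressHosts?: string[]; blockUnlisted?: boolean }
interface FilesystemPolicy { allowedPaths?: string[]; readOnly?: boolean }
interface SandboxSpec { model: string; policy: { network: NetworkPolicy; filesystem: FilesystemPolicy } }
interface ChangePlan {
  hotReload: string[]; // layers the table marks hot-reloadable
  recreate: string[];  // layers locked at sandbox creation
  findings: string[];  // widenings a reviewer should approve first
}

const sorted = (xs: string[] = []): string[] => [...xs].sort();
const added = (cur: string[], next: string[]): string[] => next.filter((x) => !cur.includes(x));

function planPolicyChange(current: SandboxSpec, desired: SandboxSpec): ChangePlan {
  const plan: ChangePlan = { hotReload: [], recreate: [], findings: [] };
  const curNet = current.policy.network, newNet = desired.policy.network;
  const curFs = current.policy.filesystem, newFs = desired.policy.filesystem;

  // Network layer: hot-reloadable.
  const curHosts = sorted(curNet.allowedEgressHosts), newHosts = sorted(newNet.allowedEgressHosts);
  if (curHosts.join() !== newHosts.join() || curNet.blockUnlisted !== newNet.blockUnlisted) plan.hotReload.push('network');
  for (const host of added(curHosts, newHosts)) plan.findings.push(`egress widened: ${host}`);
  if (newNet.blockUnlisted !== true) plan.findings.push('blockUnlisted is not true (permissive)');

  // Inference layer: hot-reloadable (a model change is assumed to belong here).
  if (current.model !== desired.model) plan.hotReload.push('inference');

  // Filesystem layer: locked at creation, so any change means a new sandbox.
  const curPaths = sorted(curFs.allowedPaths), newPaths = sorted(newFs.allowedPaths);
  if (curPaths.join() !== newPaths.join() || (curFs.readOnly ?? false) !== (newFs.readOnly ?? false)) plan.recreate.push('filesystem');
  for (const path of added(curPaths, newPaths)) plan.findings.push(`filesystem widened: ${path}`);
  return plan;
}

// Constructed inputs: the production pattern from this page and a proposed change to it.
const prod: SandboxSpec = {
  model: 'nvidia/nemotron-3-super-120b-a12b',
  policy: {
    network: { allowedEgressHosts: ['build.nvidia.com'], blockUnlisted: true },
    filesystem: { allowedPaths: ['/sandbox', '/tmp'], readOnly: false },
  },
};
const proposed: SandboxSpec = {
  model: prod.model,
  policy: {
    network: { allowedEgressHosts: ['build.nvidia.com', 'api.github.com'], blockUnlisted: true },
    filesystem: { allowedPaths: ['/sandbox', '/tmp', '/home/dev'], readOnly: false },
  },
};
console.log(planPolicyChange(prod, proposed));
```

A non-empty `recreate` list means the change cannot be hot-reloaded and the sandbox has to be created again with the new policy.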
Common Patterns
Pattern: Minimal Sandbox for Development
```typescript
const config: SandboxConfig = {
  name: 'dev-sandbox',
  model: 'nvidia/nemotron-3-super-120b-a12b',
  policy: {
    network: { blockUnlisted: false }, // permissive for dev
    filesystem: { allowedPaths: ['/sandbox', '/tmp', '/home/dev'] },
  },
};
```
Pattern: Production Strict Sandbox
```typescript
const config: SandboxConfig = {
  name: 'prod-assistant',
  model: 'nvidia/nemotron-3-super-120b-a12b',
  policy: {
    network: {
      allowedEgressHosts: ['build.nvidia.com'],
      blockUnlisted: true,
    },
    filesystem: {
      allowedPaths: ['/sandbox', '/tmp'],
      readOnly: false,
    },
  },
};
```
Pattern: Deploy to Remote GPU (Brev)
```bash
nemoclaw deploy my-gpu-instance --sandbox my-assistant
```
```typescript
await client.deploy({
  instance: 'my-gpu-instance',
  sandboxName: 'my-assistant',
  provider: 'brev',
});
```
Troubleshooting
Error: Sandbox not found
```
Error: Sandbox 'my-assistant' not found
```
Fix: Check at the OpenShell layer — NemoClaw errors and OpenShell errors are separate:
```bash
openshell sandbox list
nemoclaw my-assistant status
```
Error: NVIDIA API key missing or invalid
```
Error: Inference provider authentication failed
```
Fix:
```bash
export NVIDIA_API_KEY="nvapi-xxxxxxxxxxxx"
nemoclaw onboard  # re-run to reconfigure
```
Error: Docker not running
```
Error: Cannot connect to Docker daemon
```
Fix:
```bash
sudo systemctl start docker
sudo usermod -aG docker $USER  # add current user to docker group (membership is root-equivalent on the host)
newgrp docker
```
Error: OpenShell not installed
```
Error: 'openshell' command not found
```
Fix: Install NVIDIA OpenShell first, then re-run the NemoClaw installer.
Agent blocked on outbound request
When you see a blocked request notification in the TUI:
```bash
openshell term  # open TUI to approve/deny the request

# OR update policy to allow the host:
nemoclaw my-assistant policy update --allow-host api.example.com
```
View Full Debug Logs
```bash
nemoclaw my-assistant logs --follow

# or with verbose flag
nemoclaw my-assistant logs --follow --level debug
```
---