nemoclaw policy-add ships with 11 built-in preset names (brave, discord, telegram, claude_code, clawhub, npm_registry, nvidia, openclaw_api, openclaw_docs, statsig, sentry). There is no flag, path argument, or config surface that accepts a user-authored preset YAML.
If an operator has a custom egress target, for example a self-hosted SearXNG at http://192.168.1.105:8080, the supported NemoClaw commands offer nowhere to land it. The next step is to drop one layer down to openshell policy set my-assistant --policy merged.yaml, which the NemoClaw quickstart warnings call out as not recommended on NemoClaw-managed sandboxes.
This means non-default deployments (enterprise metasearch, internal APIs, private registries, custom inference targets) need to bypass the NemoClaw surface for egress policy.
Environment
- NemoClaw v0.0.17, OpenShell v0.0.26
- Sandbox:
my-assistant on DietPi2 (x86_64, 64GB, MicroK8s)
- Use case: allow the agent to reach an internal SearXNG instance for the
web-search skill
Steps to reproduce
# What the operator wants:
nemoclaw my-assistant policy-add --preset-file ./presets/websearch.yaml
# → no such flag
nemoclaw my-assistant policy-add websearch
# → Error: unknown preset "websearch"
nemoclaw my-assistant policy-add --help
# → shows only the 11 built-in names; no file input; no --dry-run for custom YAML
# What actually works (workaround):
openshell policy get my-assistant --full > /tmp/current.yaml
# hand-strip the 5-line banner ("Version:", "Hash:", etc.) from the top of the file
sed -n "/^version: 1/,$p" /tmp/current.yaml > /tmp/clean.yaml
cat my-websearch-block.yaml >> /tmp/clean.yaml
openshell policy set my-assistant --policy /tmp/clean.yamlThis does work (SearXNG became reachable from the sandbox), but it has three concerns:
openshell policy get --full emits a 5-line status banner that is not valid YAML; callers have to know to strip it.- There is no round-trip primitive: no
get --yaml-only, no patch, no append.
openshell policy set is the only lever, and the docs recommend using the NemoClaw CLI where possible.
Expected behaviour
nemoclaw policy-add should accept a path to a user-authored preset file:
nemoclaw my-assistant policy-add --from-file ./websearch.yaml [--dry-run]
Validation would catch malformed YAML, bad hostnames, missing binaries, and colliding preset names.
Actual behaviour
The only path to a custom preset is a multi-step hand-roll through openshell policy get --full | strip banner | append | openshell policy set, using a CLI the docs recommend against for NemoClaw sandboxes.
Impact
- Operators with a private egress target (internal APIs, self-hosted services, LAN-only resources) need to go below the supported surface.
- The
--dry-run capability that makes policy edits safe is not available for custom presets.
- Automation and Infrastructure-as-Code of NemoClaw sandboxes has no first-class path for non-default egress shapes.
- Conflicts with the project's own recommendation to use the NemoClaw CLI instead of
openshell directly.
Companion issue
A separate filing covers the lack of non-interactive flags on the built-in presets (nemoclaw policy-add is interactive-only). This issue is the orthogonal gap: even if policy-add were fully scriptable, it would only cover the 11 built-ins. A single change, accepting --from-file <yaml>, would address both axes.
Suggested fix
- Add
--from-file <path> to nemoclaw policy-add, accepting the same YAML shape as an entry in network_policies, with an optional preset: header matching the existing community convention in docs.
- Validate: unique name, well-formed hostnames, known binaries, endpoint schema.
- Support
--dry-run (already present for built-ins) and print the diff.
- Optionally accept
--from-dir <path> to land multiple presets atomically.
Notes
Discovered on 2026-04-16 while restoring the my-assistant sandbox and re-wiring SearXNG egress after a full sandbox rebuild. About 30 minutes were spent on the NemoClaw CLI surface before confirming there was no first-class path. The workaround (openshell policy set with a hand-merged policy) was applied on 2026-04-17; this issue is filed so the next operator does not have to take the same detour.
nemoclaw policy-addships with 11 built-in preset names (brave, discord, telegram, claude_code, clawhub, npm_registry, nvidia, openclaw_api, openclaw_docs, statsig, sentry). There is no flag, path argument, or config surface that accepts a user-authored preset YAML.If an operator has a custom egress target, for example a self-hosted SearXNG at
http://192.168.1.105:8080, the supported NemoClaw commands offer nowhere to land it. The next step is to drop one layer down toopenshell policy set my-assistant --policy merged.yaml, which the NemoClaw quickstart warnings call out as not recommended on NemoClaw-managed sandboxes.This means non-default deployments (enterprise metasearch, internal APIs, private registries, custom inference targets) need to bypass the NemoClaw surface for egress policy.
Environment
my-assistanton DietPi2 (x86_64, 64GB, MicroK8s)web-searchskillSteps to reproduce
This does work (SearXNG became reachable from the sandbox), but it has three concerns:
openshell policy get --fullemits a 5-line status banner that is not valid YAML; callers have to know to strip it.get --yaml-only, nopatch, noappend.openshell policy setis the only lever, and the docs recommend using the NemoClaw CLI where possible.Expected behaviour
nemoclaw policy-addshould accept a path to a user-authored preset file:Validation would catch malformed YAML, bad hostnames, missing binaries, and colliding preset names.
Actual behaviour
The only path to a custom preset is a multi-step hand-roll through
openshell policy get --full | strip banner | append | openshell policy set, using a CLI the docs recommend against for NemoClaw sandboxes.Impact
--dry-runcapability that makes policy edits safe is not available for custom presets.openshelldirectly.Companion issue
A separate filing covers the lack of non-interactive flags on the built-in presets (
nemoclaw policy-add is interactive-only). This issue is the orthogonal gap: even ifpolicy-addwere fully scriptable, it would only cover the 11 built-ins. A single change, accepting--from-file <yaml>, would address both axes.Suggested fix
--from-file <path>tonemoclaw policy-add, accepting the same YAML shape as an entry innetwork_policies, with an optionalpreset:header matching the existing community convention in docs.--dry-run(already present for built-ins) and print the diff.--from-dir <path>to land multiple presets atomically.Notes
Discovered on 2026-04-16 while restoring the
my-assistantsandbox and re-wiring SearXNG egress after a full sandbox rebuild. About 30 minutes were spent on the NemoClaw CLI surface before confirming there was no first-class path. The workaround (openshell policy setwith a hand-merged policy) was applied on 2026-04-17; this issue is filed so the next operator does not have to take the same detour.