<!-- SPDX-FileCopyrightText: Copyright (c) 2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved. -->
<!-- SPDX-License-Identifier: Apache-2.0 -->
Manage Sandbox Lifecycle
Use this guide after you finish the OpenClaw quickstart (use the
nemoclaw-user-get-started
skill).
It covers day-two sandbox operations such as listing sandboxes, checking health, managing ports, rebuilding safely, upgrading, and uninstalling.
When a workflow uses the lower-level OpenShell CLI, see CLI Selection Guide (use the
skill) for the boundary between
and
.
List Sandboxes
List every sandbox registered on this host:
The list shows each sandbox's model, provider, policy presets, active SSH session indicator, and dashboard URL when a dashboard port is recorded.
Use JSON output for scripts:
Check Sandbox Health
Check a specific sandbox's health, inference route, active connections, live policy, update status, and messaging-channel overlap warnings:
console
$ nemoclaw my-assistant status
Use the host-level status command when you want the sandbox inventory plus host auxiliary service state, such as cloudflared:
Inspect Logs
View recent sandbox logs:
console
$ nemoclaw my-assistant logs
Stream logs while you reproduce a problem:
console
$ nemoclaw my-assistant logs --follow
The log command reads both OpenClaw gateway output and OpenShell audit events, so policy denials appear beside gateway logs.
Collect Diagnostics
Collect diagnostics for bug reports or support handoff:
console
$ nemoclaw debug --sandbox my-assistant --output nemoclaw-debug.tar.gz
Use
for a smaller local summary:
console
$ nemoclaw debug --quick --sandbox my-assistant
The debug command gathers system information, Docker state, gateway logs, and sandbox status.
Manage Dashboard Ports
If the forward stopped, or the installer reported that no active forward was found and the URL does not load, restart it manually with the port from the install summary.
console
$ openshell forward start --background <dashboard-port> my-gpt-claw
To list active forwards across all sandboxes, run the following command.
Run Multiple Sandboxes
Each sandbox needs its own dashboard port, since
refuses to bind a port that another sandbox is already using.
When the default port is already held by another sandbox,
scans ports
through
and uses the next free port.
console
$ nemoclaw onboard # first sandbox uses 18789
$ nemoclaw onboard # second sandbox uses the next free port, such as 18790
To choose a specific port, pass
:
console
$ nemoclaw onboard --control-ui-port 19000
You can also set
or
before onboarding:
console
$ CHAT_UI_URL=http://127.0.0.1:19000 nemoclaw onboard
$ NEMOCLAW_DASHBOARD_PORT=19000 nemoclaw onboard
For full details on port conflicts and overrides, refer to Port already in use (use the
skill).
Reconfigure or Recover
Recover from a misconfigured sandbox without re-running the full onboard wizard or destroying workspace state.
Change Inference Model or API
Change the active model or provider at runtime without rebuilding the sandbox:
console
$ nemoclaw inference set --model <model> --provider <provider>
Refer to Switch Inference Providers (use the
nemoclaw-user-configure-inference
skill) for provider-specific model IDs and API compatibility notes.
Restart the Gateway and Port Forward
If
reports the sandbox is alive but the gateway is not running, run the recover command instead of opening a shell.
console
$ nemoclaw <sandbox-name> recover
The command restarts the in-sandbox gateway and re-establishes the dashboard port-forward in one step.
It is idempotent and safe to script.
Refer to
(use the
skill) for details.
Reset a Stored Credential
If a provider credential was entered incorrectly during onboarding, clear the gateway-registered value and re-enter it on the next onboard run:
console
$ nemoclaw credentials list # see which providers are registered
$ nemoclaw credentials reset <PROVIDER> # clear a single provider, for example nvidia-prod
$ nemoclaw onboard # re-run to re-enter the cleared provider
The credentials command is documented in full at
nemoclaw credentials reset <PROVIDER>
(use the
skill).
Rebuild a Sandbox While Preserving Workspace State
If you changed the underlying Dockerfile, upgraded OpenClaw, or want to pick up a new base image without losing your sandbox's workspace files, use
instead of destroying and recreating:
console
$ nemoclaw <sandbox-name> rebuild
Rebuild preserves the mounted workspace and registered policies while recreating the container.
If NemoClaw cannot archive any requested state path, it reports the backup failure and stops before deleting the original sandbox.
Refer to
(use the
skill) for flag details.
Add a Network Preset After Onboarding
Apply an additional preset, such as Telegram or GitHub, to a running sandbox without re-onboarding:
console
$ nemoclaw <sandbox-name> policy-add
Refer to
nemoclaw <name> policy-add
(use the
skill) for usage details and flags.
Non-interactive re-onboards in the default
policy mode preserve presets added this way.
To make a re-onboard authoritative, set
NEMOCLAW_POLICY_MODE=custom
and provide
with the exact list to apply; onboarding removes anything else.
See
(use the
skill) for the full table.
Update to the Latest Version
When a new NemoClaw release becomes available, update the
CLI on your host and check existing sandboxes for stale agent/runtime versions.
Update the NemoClaw CLI
Re-run the installer.
Before it onboards anything, the installer calls
(use the
skill) automatically, storing a snapshot of each running sandbox in
~/.nemoclaw/rebuild-backups/
as a safety net.
If your existing gateway is from OpenShell earlier than
, the installer prompts before it runs the new automatic gateway upgrade path.
The automatic path is offered only when the existing
CLI supports
; older installs must preserve sandbox state manually before retiring the gateway.
For unattended installs, set
NEMOCLAW_ACCEPT_EXPERIMENTAL_OPENSHELL_UPGRADE=1
, or manually run
and
openshell gateway destroy -g nemoclaw || openshell gateway destroy
before rerunning the installer as
curl -fsSL https://www.nvidia.com/nemoclaw.sh | NEMOCLAW_OPENSHELL_UPGRADE_PREPARED=1 bash
.
console
$ curl -fsSL https://www.nvidia.com/nemoclaw.sh | bash
Upgrade Sandboxes with Stale Agent and Runtime Versions
The installer checks registered sandboxes after onboarding succeeds and runs
nemoclaw upgrade-sandboxes --auto
for stale running sandboxes.
Use
directly to verify the result, rebuild when you skipped the installer or onboarding step, or handle sandboxes that were stopped or could not be version-checked.
The upgrade flow is non-destructive by default because NemoClaw preserves manifest-defined workspace state, but a manual snapshot before any major upgrade gives you a state restore point.
console
$ nemoclaw <sandbox-name> snapshot create --name pre-upgrade # optional, recommended
$ nemoclaw update --yes # updates CLI through the maintained installer flow
$ nemoclaw upgrade-sandboxes --check # verify or list remaining stale/unknown sandboxes
$ nemoclaw upgrade-sandboxes # manually rebuild remaining stale running sandboxes
is the CLI wrapper around the same installer path as
curl -fsSL https://www.nvidia.com/nemoclaw.sh | bash
.
Use
when you only want to inspect version state and see the maintained update command.
For scripted manual rebuilds, use
nemoclaw upgrade-sandboxes --auto
to skip the confirmation prompt.
If the upgraded sandbox needs its workspace state reverted, restore the pre-upgrade snapshot into the running sandbox.
This restores saved state directories only; it does not downgrade the sandbox image or agent/runtime:
console
$ nemoclaw <sandbox-name> snapshot restore pre-upgrade
What Changes During a Rebuild
Each rebuild destroys the existing container and creates a new one.
NemoClaw protects your data through the same backup-and-restore flow as
(use the
skill):
- NemoClaw preserves manifest-defined workspace state. Before deleting the old container, NemoClaw snapshots the state directories and durable state files defined in the agent manifest, typically
/sandbox/.openclaw/workspace/
~/.nemoclaw/credentials.json
- NemoClaw does not preserve runtime changes outside the workspace state directories. This includes packages installed inside the running container with or , files in non-workspace paths, and in-memory or process state. If you have customized the running container at runtime, capture that as changes for or a manual
openshell sandbox download
Aborts before the destroy step are non-destructive.
The flow refuses to proceed past preflight if a credential is missing or past backup if required manifest-defined state cannot be copied, so a failed run leaves the original sandbox intact and ready to retry.
When a backup command reports partial archive output, NemoClaw keeps the usable entries and reports only the manifest-defined paths that could not be archived.
See Backup and Restore (use the
nemoclaw-user-manage-sandboxes
skill) for the full list of state-preservation guarantees, snapshot retention, and instructions for manual backups when the auto-flow is not enough.
If the rebuild aborts with Missing credential: <KEY>
The rebuild preflight reads the provider credential recorded by your last
session.
If you have switched providers since onboarding, for example from a remote API to a local Ollama setup, the preflight may still reference the old key and fail before any destroy step runs.
To recover, re-run
and select your current provider.
This refreshes the session metadata.
Your existing container keeps serving traffic until the new image is ready.
Uninstall
To remove NemoClaw and all resources created during setup, run the CLI's built-in uninstall command:
| Flag | Effect |
|---|
| Skip the confirmation prompt. |
| Leave OpenShell binaries installed. |
| Also remove NemoClaw-pulled Ollama models. |
runs the version-pinned
that shipped with your installed CLI, so it does not fetch anything over the network at uninstall time.
If the
CLI is missing or broken, fall back to the hosted script:
bash
curl -fsSL https://raw.githubusercontent.com/NVIDIA/NemoClaw/refs/heads/main/uninstall.sh | bash
The same
,
, and
flags listed above also apply to the hosted script. Pass them after
.
bash
curl -fsSL https://raw.githubusercontent.com/NVIDIA/NemoClaw/refs/heads/main/uninstall.sh | bash -s -- --yes --delete-models
For a full comparison of the two forms, including what they fetch, what they trust, and when to prefer each, see
vs. the hosted
(use the
skill).
References
- references/runtime-controls.md — Single page that answers what can change at runtime versus what requires a rebuild for NemoClaw sandboxes.
- Load references/backup-restore.md when downloading workspace files from a sandbox, uploading restored files into a new sandbox, or preserving sandbox state across rebuilds. Backs up and restores OpenClaw workspace files before destructive operations such as sandbox rebuilds.
- Load references/messaging-channels.md when setting up messaging channels, chat interfaces, or integrations without relying on nemoclaw tunnel start for bridges. Explains how Telegram, Discord, Slack, and WhatsApp reach sandboxed OpenClaw and Hermes agents through OpenShell-managed processes and NemoClaw channel commands.
- Load references/workspace-files.md when users ask about , , , , or other workspace files, or when preparing to back up or restore workspace state. Explains what workspace personality and configuration files are, where they live, and how they persist across sandbox restarts.
Related Skills
nemoclaw-user-monitor-sandbox
nemoclaw-user-monitor-sandbox