Description
Context
NVIDIA launched NemoClaw at GTC 2026 (March 16) — an enterprise security wrapper around OpenClaw that runs agents inside sandboxed containers (OpenShell). NemoClaw does not change the OpenClaw session format or workspace structure. It adds sandboxing, network policy, filesystem isolation, and inference routing.
The ClawMetry cloud dashboard should be agent-platform agnostic. It should work with OpenClaw, NemoClaw, or any future fork/wrapper. The only component that needs NemoClaw awareness is the sync daemon (clawmetry CLI), which needs to find and read session files regardless of where they live.
Principle
ClawMetry cloud is platform-agnostic. The sync daemon adapts to the environment.
The cloud dashboard, ingest API, and browser UI should never contain NemoClaw-specific logic. All platform-specific detection belongs in the sync daemon (sync.py + cli.py).
Architecture Overview
HOST
├── nemoclaw CLI
├── OpenShell Gateway (inference routing, network policy)
├── ClawMetry sync daemon ← this is what needs to adapt
└── SANDBOX (Docker + Landlock + seccomp)
    └── OpenClaw Agent (standard install)
        ├── sessions/*.jsonl ← same format
        ├── workspace/ ← same structure
        └── /sandbox + /tmp ← writable paths
What Already Works
- Session JSONL parsing (identical format inside sandbox)
- Event structure (tool calls, messages, brain activity)
- Memory file sync (MEMORY.md, SOUL.md, etc.)
- E2E encryption
- Cloud dashboard + all UI features
- Ingest API (format-agnostic, accepts any encrypted blob)
Sync Daemon Changes (4 items)
1. Filesystem Discovery — Find session files inside sandbox containers
Problem: Sessions live at /sandbox/.openclaw/agents/main/sessions/ inside the OpenShell container. The standard ~/.openclaw/ path does not exist on the host.
Required:
- Query nemoclaw <name> status or openshell sandbox list to discover sandbox container
- Read session files via Docker volume mounts or docker exec / docker cp
- Add NemoClaw-specific path candidates to detect_paths()
- Support NEMOCLAW_SANDBOX env var for explicit sandbox name
2. Docker Detection — Container name/image patterns
Problem: _detect_docker_openclaw() searches for "openclaw" or "clawd" in container name/image. NemoClaw uses ghcr.io/nvidia/openshell-community/sandboxes/openclaw images.
Required:
- Add "openshell", "nemoclaw", "nvidia" to Docker detection patterns
- Parse OpenShell sandbox mounts to find session directories
- Support openshell sandbox list as alternative discovery method
3. Network Egress — Document deployment options
Problem: If sync daemon runs inside the sandbox, NemoClaw network policy blocks ingest.clawmetry.com.
Required:
- Document recommended deployment: sync daemon on HOST (not inside sandbox)
- Provide NemoClaw policy snippet for in-sandbox deployment:
    network:
      egress:
        - host: ingest.clawmetry.com
          port: 443
          protocol: https
- Add clawmetry doctor check that detects NemoClaw and warns about network policy
- Update install.sh to detect NemoClaw and suggest host-side installation
4. System Snapshot Enrichment — Optional NemoClaw metadata
Problem: When NemoClaw is detected, the system snapshot should include sandbox-specific context. This is sync daemon logic only — the cloud stores it as generic key-value metadata.
Required:
- Detect NemoClaw presence (which nemoclaw, OpenShell process)
- Run nemoclaw <name> status to collect sandbox health
- Add optional fields to system snapshot payload:
  - sandbox.name, sandbox.status, sandbox.type (nemoclaw/docker/bare)
  - inference.provider, inference.model
  - security.sandbox_enabled, security.network_policy
- Cloud dashboard renders these generically (not NemoClaw-specific UI)
Non-Goals
- No NemoClaw-specific logic in cloud dashboard
- No NemoClaw-specific ingest API endpoints
- No NemoClaw branding in the UI (it just shows sandbox/security metadata generically)
Estimated Effort
- Sync daemon changes: 2-3 days
- Documentation: 0.5 day
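
One way to implement the container matching and mount parsing from item 2, added here as an example and not ClawMetry's own code. classify_container and host_sessions_dir are hypothetical helpers, the docker inspect sample is constructed, and the example assumes the bare "nvidia" token is left out on purpose, since on its own it would also match unrelated images such as nvidia/cuda and point the daemon at containers that hold no agent sessions.

```python
import json
import posixpath

# In-sandbox sessions path and image repository, both as given in the issue.
SANDBOX_SESSIONS = "/sandbox/.openclaw/agents/main/sessions"
NEMOCLAW_REPO = "ghcr.io/nvidia/openshell-community/sandboxes/openclaw"

# Constructed sample of `docker inspect <container>` output (not real data).
SAMPLE_INSPECT = json.dumps([{"Name": "/demo", "Mounts": [
    {"Type": "bind", "Source": "/srv/nemoclaw/demo", "Destination": "/sandbox"},
    {"Type": "bind", "Source": "/srv/tmp", "Destination": "/tmp"}]}])


def classify_container(name, image):
    """Return 'nemoclaw', 'openclaw' or None for one container name/image pair."""
    repo = image.lower().split("@")[0]          # drop any @sha256:... digest
    if ":" in repo.rsplit("/", 1)[-1]:          # drop the tag, keep a registry port
        repo = repo.rsplit(":", 1)[0]
    # Match the repository as a path prefix instead of a loose substring.
    if repo == NEMOCLAW_REPO or repo.startswith(NEMOCLAW_REPO + "/"):
        return "nemoclaw"
    haystack = name.lower() + " " + repo
    if "nemoclaw" in haystack or "openshell" in haystack:
        return "nemoclaw"
    if "openclaw" in haystack or "clawd" in haystack:
        return "openclaw"
    return None                                  # e.g. nvidia/cuda is not an agent


def host_sessions_dir(inspect_json):
    """Map the in-sandbox sessions path to a host path via the Mounts list."""
    best = None
    for mount in json.loads(inspect_json)[0].get("Mounts", []):
        dest = mount.get("Destination")
        if not dest or not mount.get("Source"):
            continue
        dest = dest.rstrip("/")
        # Keep the longest mount destination that contains the sessions path.
        if (SANDBOX_SESSIONS + "/").startswith(dest + "/"):
            if best is None or len(dest) > len(best[0]):
                best = (dest, mount["Source"])
    if best is None:
        return None                              # not mounted: use docker exec/cp
    rel = posixpath.relpath(SANDBOX_SESSIONS, best[0] or "/")
    return posixpath.normpath(posixpath.join(best[1], rel))


if __name__ == "__main__":
    print(classify_container("demo", NEMOCLAW_REPO + ":latest"))
    print(host_sessions_dir(SAMPLE_INSPECT))
```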