Skip to main content

Monitor sandbox activity

NemoClaw provides several tools for inspecting sandbox health, tracing agent behavior, and diagnosing problems: the openclaw nemoclaw status command, the openclaw nemoclaw logs command, and the OpenShell terminal UI (openshell term).

Prerequisites

  • A running NemoClaw sandbox.
  • The OpenShell CLI on your PATH.

Check sandbox health

Run the status command to view the sandbox state, blueprint run information, and active inference configuration: 
openclaw nemoclaw status
For machine-readable output, add the --json flag: 
openclaw nemoclaw status --json
Key fields in the output:
FieldDescription
Sandbox stateWhether the sandbox is running, stopped, or in an error state
Blueprint run IDIdentifier for the most recent blueprint execution
Inference providerActive provider name, model ID, and endpoint URL
If you run openclaw nemoclaw status from inside the sandbox, the command detects the sandbox context and reports it. Host-level sandbox and inference details are not available from within the sandbox. Run openshell sandbox status on the host for full host-side details.

View logs

Stream the most recent log output from the blueprint runner and sandbox: 
openclaw nemoclaw logs
Tail the log output as new lines arrive:
openclaw nemoclaw logs -f

Monitor network activity in the TUI

Open the OpenShell terminal UI for a live view of network activity and egress approval prompts: 
openshell term
The TUI shows:
  • Active network connections from inside the sandbox
  • Blocked egress requests awaiting operator approval
  • Inference routing status
For a remote sandbox, SSH to the instance and run openshell term there: 
ssh my-gpu-box 'cd /home/ubuntu/nemoclaw && set -a && . .env && set +a && openshell term'
See Approve network requests for details on acting on blocked requests.

Test inference

Run a test inference request to verify that the provider is responding: 
nemoclaw my-assistant connect
openclaw agent --agent main --local -m "Test inference" --session-id debug
If the request fails:
  1. Run openclaw nemoclaw status to confirm the active provider and endpoint.
  2. Run openclaw nemoclaw logs -f to view error messages from the blueprint runner.
  3. Verify that the inference endpoint is reachable from the host.

Diagnose common issues

Re-run onboard to recreate the sandbox:
nemoclaw onboard
Verify the provider endpoint is reachable from the host. Check the active endpoint:
openclaw nemoclaw status
If the endpoint is unreachable, re-run onboard to select a different provider or confirm your NVIDIA_API_KEY is valid.
Open the TUI and approve the blocked egress request:
openshell term
To allow the endpoint permanently, add it to nemoclaw-blueprint/policies/openclaw-sandbox.yaml and re-run nemoclaw onboard. See Customize the network policy.
Retrieve the run ID from openclaw nemoclaw status, then view the error output for that run:
openclaw nemoclaw logs --run-id <id>
On Ubuntu 24.04, DGX Spark, or WSL2, Docker requires "default-cgroupns-mode": "host" in /etc/docker/daemon.json. Apply the fix and retry:
nemoclaw setup-spark
nemoclaw onboard
This is expected behavior. The status command cannot query host-level state from within the sandbox. Run openshell sandbox status on the host instead.

Approve network requests

Use the OpenShell TUI to allow or block agent egress requests.

Switch inference providers

Change the active model or provider without restarting the sandbox.

Customize the network policy

Permanently allow endpoints that the agent needs to reach.

Build docs developers (and LLMs) love

Get started for freeTalk to us