
Nemoclaw Setup
Install NVIDIA NemoClaw with Docker, k3s/OpenShell sandboxes, optional Cloudflare Tunnel, and GPU-backed Nemotron so you can run isolated agents on your own Linux box.
Overview
nemoclaw-setup is an agent skill for the Build phase that installs and configures NVIDIA NemoClaw with Docker sandboxes, GPU options, and optional Cloudflare remote access on Linux.
Install
npx skills add https://github.com/jezweb/claude-skills --skill nemoclaw-setup
What is this skill?
- End-to-end NemoClaw install on Ubuntu 22.04+ with pre-flight checks for Docker, Node 22, and optional `nvidia-smi`
- Sandboxed OpenClaw agents with Landlock, seccomp, and network-namespace isolation via k3s/OpenShell
- Cloudflared tunnel workflow for remote web UI access with documented bug workarounds
- Docker cgroup and permission fixes called out for common Linux failure modes
- NVIDIA API key path for cloud Nemotron plus optional local GPU inference
- Prerequisites table with 5 requirement rows
- Multi-step workflow from pre-flight through tunnel setup
Adoption & trust: 558 installs on skills.sh; 841 GitHub stars; 1/3 security scanners passed (skills.sh audits).
What problem does it solve?
You want OpenClaw-style agents on your own hardware but the NemoClaw install path mixes Docker, k3s, tunnels, and GPU keys with brittle Linux-specific pitfalls.
Who is it for?
Developers on Ubuntu/Linux with Docker access who are deploying NemoClaw on NVIDIA Spark, DGX, or a dedicated GPU server.
Skip if: macOS or Windows-only workflows, or teams that only need a hosted SaaS agent with no self-hosted sandbox requirements.
When should I use this skill?
User mentions installing NemoClaw, setting up OpenClaw, configuring NVIDIA Spark or DGX for sandboxed agents, or NemoClaw deployment troubleshooting.
What do I get? / Deliverables
You finish with a running NemoClaw instance, configured sandboxes and network policies, and optional secure remote UI access instead of a half-broken manual install.
- Running NemoClaw install with configured sandboxes and optional Cloudflare Tunnel endpoint
Journey fit
NemoClaw setup is agent infrastructure you stand up while building an agent-capable product or homelab, before you rely on it in production operations. It configures the agent runtime platform—sandboxes, models, tunnels—not application feature code or marketing.
How it compares
An install-and-troubleshoot runbook for NemoClaw—not a generic Docker tutorial or MCP server catalog entry.
Common Questions / FAQ
Who is nemoclaw-setup for?
Solo builders and small teams self-hosting sandboxed AI agents on Linux with NVIDIA NemoClaw who need guided install, tunneling, and known bug workarounds.
When should I use nemoclaw-setup?
Use it in Build’s agent-tooling step when installing NemoClaw, configuring OpenClaw on NVIDIA hardware, or debugging Cloudflare Tunnel and Docker cgroup issues during deployment.
Is nemoclaw-setup safe to install?
It requires elevated host access, Docker, and network tunnels; review the Security Audits panel on this page and treat API keys and tunnel credentials as secrets.
SKILL.md
# NemoClaw Setup

Install NVIDIA NemoClaw — a sandboxed AI agent platform built on OpenClaw with Landlock + seccomp + network namespace isolation. Runs inside Docker via k3s (OpenShell).

## What You Get

- Sandboxed AI agent with web UI and terminal CLI
- Powered by NVIDIA Nemotron models (cloud or local)
- Network-policy-controlled access to external services
- Optional remote access via Cloudflare Tunnel

## Prerequisites

| Requirement | Check | Install |
|-------------|-------|---------|
| Linux (Ubuntu 22.04+) | `uname -a` | — |
| Docker | `docker ps` | `sudo apt install docker.io` |
| Node.js 20+ (22 recommended) | `node --version` | `nvm install 22` |
| NVIDIA GPU (optional but recommended) | `nvidia-smi` | — |
| NVIDIA API key | — | https://build.nvidia.com/settings/api-keys |

## Workflow

### Step 1: Pre-flight Checks

```bash
# Check Docker
docker ps 2>/dev/null || echo "Docker not running or no access"

# Check Node.js
node --version

# Check if already installed
which nemoclaw && nemoclaw --version
which openshell && openshell --version
```

If `nemoclaw` is already installed, skip to Step 4.

### Step 2: Install NemoClaw

```bash
curl -fsSL https://nvidia.com/nemoclaw.sh | bash
```

This installs NemoClaw and OpenClaw via npm globally (to `~/.npm-global/bin/`).

**If the installer can't find Node.js**, install it first:

```bash
curl -fsSL https://deb.nodesource.com/setup_22.x | sudo -E bash -
sudo apt install -y nodejs
```

### Step 3: Install OpenShell

```bash
curl -LsSf https://raw.githubusercontent.com/NVIDIA/OpenShell/main/install.sh | sh
```

Installs to `~/.local/bin/openshell`.
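Steps 2 and 3 pipe remote scripts straight into a shell. The wrapper below is an added example, not part of the original SKILL.md or of NVIDIA's tooling: it saves an installer to a file, lists the lines to read first, and runs it only while it still matches a hash you recorded after review. The function names and the pin-file layout are assumptions of this example, and the pin is self-recorded because the page gives no published checksum.

```bash
#!/bin/sh
# Added example: review-then-run wrapper for the installers in Steps 2 and 3.
# All function names and the pin-file layout are hypothetical.

# Download an installer to a file instead of piping it into a shell.
fetch_installer() {            # usage: fetch_installer URL DEST
    curl -fsSL --proto '=https' --tlsv1.2 -o "$2" "$1"
}

# Print the SHA-256 of a file (hex digest only).
sha256_of() {
    sha256sum "$1" 2>/dev/null | awk '{print $1}'
}

# Succeed only if FILE matches the hash stored in PINFILE.
# With no pin yet, record the hash and fail, so the first run
# always stops for a manual read of the script.
pin_check() {                  # usage: pin_check FILE PINFILE
    _actual=$(sha256_of "$1")
    [ -n "$_actual" ] || return 2          # unreadable or missing file
    if [ ! -f "$2" ]; then
        printf '%s\n' "$_actual" > "$2"
        echo "no pin for $1: recorded $_actual, review it, then re-run" >&2
        return 1
    fi
    [ "$_actual" = "$(cat "$2")" ]
}

# Lines worth reading first: privilege escalation, nested downloads,
# pipe-to-shell, writes under /etc, global npm installs.
review_hints() {               # usage: review_hints FILE
    grep -nE 'sudo|curl |wget |\| *(ba)?sh|/etc/|npm (i|install) .*-g' "$1" || true
}

# Run the installer only when it still matches the reviewed copy.
run_if_pinned() {              # usage: run_if_pinned FILE PINFILE INTERPRETER
    pin_check "$1" "$2" && "$3" "$1"
}

# Typical use, with the URL from Step 2:
#   fetch_installer https://nvidia.com/nemoclaw.sh /tmp/nemoclaw.sh
#   review_hints /tmp/nemoclaw.sh        # then read the whole file
#   run_if_pinned /tmp/nemoclaw.sh "$HOME/.nemoclaw.sh.sha256" bash
```

A changed hash on a later run means the upstream script was modified since your review; re-read it and delete the pin file to accept the new version.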
### Step 4: Fix Docker Permissions and cgroup

**Docker group** — the user must be in the `docker` group:

```bash
sudo usermod -aG docker $USER
newgrp docker  # or log out and back in
```

**cgroup v2 fix** — required for k3s inside Docker:

```bash
# Check if needed
grep cgroup2 /proc/filesystems && echo "cgroup v2 detected — fix needed"

# Apply fix (needs sudo)
sudo $HOME/.npm-global/bin/nemoclaw setup-spark
```

This adds `"default-cgroupns-mode": "host"` to `/etc/docker/daemon.json` and restarts Docker.

**IMPORTANT**: The `nemoclaw setup-spark` command also asks for an NVIDIA API key. Have it ready (starts with `nvapi-`). Get one at https://build.nvidia.com/settings/api-keys.

### Step 5: Run Onboarding

```bash
PATH=$HOME/.npm-global/bin:$HOME/.local/bin:$PATH nemoclaw onboard
```

The interactive wizard will:

1. Check Docker and OpenShell
2. Start the OpenShell gateway (k3s in Docker)
3. Ask for a sandbox name — use `claw` or any name
4. Configure the NVIDIA API key
5. Set up inference (Nemotron 3 Super 120B via cloud API)
6. Launch OpenClaw inside the sandbox
7. Apply network policy presets — select the ones you need

**Common port conflict**: If port 8080 is in use, find and kill the process:

```bash
fuser -k 8080/tcp
```

### Step 6: Verify

```bash
# Check sandbox is running
PATH=$HOME/.npm-global/bin:$HOME/.local/bin:$PATH nemoclaw claw status

# Connect via terminal
PATH=$HOME/.npm-global/bin:$HOME/.local/bin:$PATH nemoclaw claw connect
```

### Step 7: Set Up Web UI Access

The web UI runs inside the sandbox and needs a port forward:

```bash
PATH=$HOME/.npm-global/bin:$HOME/.local/bin:$PATH openshell forward start 18789 claw
```

Then open: `http://127.0.0.1:18789/`

**Known bug (OpenClaw ≤ v2026.3.11)**: "device identity required" error. Workaround — append the gateway token to the URL:

```bash
# Get the token
ssh -F /tmp/nemoclaw-ssh-config openshe
```