ReddRadar
Agent skill
nemoclaw-setup
Install and configure NVIDIA NemoClaw (sandboxed OpenClaw agent platform) on Linux. Handles cloudflared tunnels, Docker cgroup fixes, OpenShell, sandbox creation, remote access via Cloudflare Tunnel, and known bug workarounds. Triggers: "install nemoclaw", "setup nemoclaw", "nvidia nemoclaw", "openclaw setup", "nemoclaw on spark", "nemoclaw on dgx".
Install this agent skill to your Project
npx add-skill https://github.com/jezweb/claude-skills/tree/main/plugins/integrations/skills/nemoclaw-setup
SKILL.md
NemoClaw Setup
Install NVIDIA NemoClaw — a sandboxed AI agent platform built on OpenClaw with Landlock + seccomp + network namespace isolation. Runs inside Docker via k3s (OpenShell).
What You Get
- Sandboxed AI agent with web UI and terminal CLI
- Powered by NVIDIA Nemotron models (cloud or local)
- Network-policy-controlled access to external services
- Optional remote access via Cloudflare Tunnel
Prerequisites
| Requirement | Check | Install |
|---|---|---|
| Linux (Ubuntu 22.04+) | uname -a |
— |
| Docker | docker ps |
sudo apt install docker.io |
| Node.js 20+ (22 recommended) | node --version |
nvm install 22 |
| NVIDIA GPU (optional but recommended) | nvidia-smi |
— |
| NVIDIA API key | — | https://build.nvidia.com/settings/api-keys |
Workflow
Step 1: Pre-flight Checks
# Check Docker
docker ps 2>/dev/null || echo "Docker not running or no access"
# Check Node.js
node --version
# Check if already installed
which nemoclaw && nemoclaw --version
which openshell && openshell --version
If nemoclaw is already installed, skip to Step 4.
Step 2: Install NemoClaw
curl -fsSL https://nvidia.com/nemoclaw.sh | bash
This installs NemoClaw and OpenClaw via npm globally (to ~/.npm-global/bin/).
If the installer can't find Node.js, install it first:
curl -fsSL https://deb.nodesource.com/setup_22.x | sudo -E bash -
sudo apt install -y nodejs
Step 3: Install OpenShell
curl -LsSf https://raw.githubusercontent.com/NVIDIA/OpenShell/main/install.sh | sh
Installs to ~/.local/bin/openshell.
Step 4: Fix Docker Permissions and cgroup
Docker group — the user must be in the docker group:
sudo usermod -aG docker $USER
newgrp docker
# or log out and back in
cgroup v2 fix — required for k3s inside Docker:
# Check if needed
grep cgroup2 /proc/filesystems && echo "cgroup v2 detected — fix needed"
# Apply fix (needs sudo)
sudo $HOME/.npm-global/bin/nemoclaw setup-spark
This adds "default-cgroupns-mode": "host" to /etc/docker/daemon.json and restarts Docker.
IMPORTANT: The nemoclaw setup-spark command also asks for an NVIDIA API key. Have it ready (starts with nvapi-). Get one at https://build.nvidia.com/settings/api-keys.
Step 5: Run Onboarding
PATH=$HOME/.npm-global/bin:$HOME/.local/bin:$PATH nemoclaw onboard
The interactive wizard will:
- Check Docker and OpenShell
- Start the OpenShell gateway (k3s in Docker)
- Ask for a sandbox name — use
clawor any name - Configure the NVIDIA API key
- Set up inference (Nemotron 3 Super 120B via cloud API)
- Launch OpenClaw inside the sandbox
- Apply network policy presets — select the ones you need
Common port conflict: If port 8080 is in use, find and kill the process:
fuser -k 8080/tcp
Step 6: Verify
# Check sandbox is running
PATH=$HOME/.npm-global/bin:$HOME/.local/bin:$PATH nemoclaw claw status
# Connect via terminal
PATH=$HOME/.npm-global/bin:$HOME/.local/bin:$PATH nemoclaw claw connect
Step 7: Set Up Web UI Access
The web UI runs inside the sandbox and needs a port forward:
PATH=$HOME/.npm-global/bin:$HOME/.local/bin:$PATH openshell forward start 18789 claw
Then open: http://127.0.0.1:18789/
Known bug (OpenClaw ≤ v2026.3.11): "device identity required" error. Workaround — append the gateway token to the URL:
# Get the token
ssh -F /tmp/nemoclaw-ssh-config openshell-claw \
"python3 -c \"import json; print(json.load(open('/sandbox/.openclaw/openclaw.json'))['gateway']['auth']['token'])\""
Then visit: http://127.0.0.1:18789/#token=<gateway-token>
Fix: Update to OpenClaw v2026.3.12+ (see Updating section below).
Step 8: Make the Port Forward Persistent
Create a health-checked keepalive script:
cat > ~/.local/bin/nemoclaw-keepalive.sh << 'KEEPALIVE'
#!/bin/bash
export PATH="$HOME/.npm-global/bin:$HOME/.local/bin:/usr/local/bin:/usr/bin:/bin"
cleanup() { kill %1 2>/dev/null; exit 0; }
trap cleanup SIGTERM SIGINT
while true; do
fuser -k 18789/tcp 2>/dev/null; sleep 1
openshell forward start 18789 claw &
FORWARD_PID=$!; sleep 3
while kill -0 $FORWARD_PID 2>/dev/null; do
if ! curl -sf -o /dev/null --connect-timeout 3 http://127.0.0.1:18789/ 2>/dev/null; then
echo "$(date): Health check failed, restarting..."
kill $FORWARD_PID 2>/dev/null; wait $FORWARD_PID 2>/dev/null; break
fi
sleep 10
done
echo "$(date): Forward died, restarting in 3s..."; sleep 3
done
KEEPALIVE
chmod +x ~/.local/bin/nemoclaw-keepalive.sh
Create the systemd service:
sudo tee /etc/systemd/system/nemoclaw-forward.service << 'SERVICE'
[Unit]
Description=NemoClaw Port Forward with Health Check
After=docker.service
Requires=docker.service
[Service]
Type=simple
User=$USER
Group=docker
Environment=PATH=/home/$USER/.npm-global/bin:/home/$USER/.local/bin:/usr/local/bin:/usr/bin:/bin
ExecStart=/home/$USER/.local/bin/nemoclaw-keepalive.sh
Restart=always
RestartSec=5
KillMode=control-group
[Install]
WantedBy=multi-user.target
SERVICE
sudo systemctl daemon-reload
sudo systemctl enable nemoclaw-forward
sudo systemctl start nemoclaw-forward
Step 9: Remote Access via Cloudflare Tunnel (Optional)
If you have a Cloudflare Tunnel already running, add NemoClaw to it.
Add DNS route:
cloudflared tunnel route dns <tunnel-name> nemoclaw.<domain>
Update tunnel config (/etc/cloudflared/config.yml):
- hostname: nemoclaw.<domain>
service: http://localhost:18789
originRequest:
httpHostHeader: "127.0.0.1:18789"
Restart tunnel:
sudo systemctl restart cloudflared
Update sandbox allowed origins — SSH into the sandbox and add your domain:
openshell sandbox ssh-config claw > /tmp/nemoclaw-ssh-config
ssh -F /tmp/nemoclaw-ssh-config openshell-claw 'python3 -c "
import json
with open(\"/sandbox/.openclaw/openclaw.json\") as f:
config = json.load(f)
config[\"gateway\"][\"controlUi\"][\"allowedOrigins\"].append(\"https://nemoclaw.<domain>\")
config[\"gateway\"][\"trustedProxies\"] = [\"127.0.0.1\", \"::1\", \"172.0.0.0/8\", \"10.0.0.0/8\"]
config[\"gateway\"][\"allowRealIpFallback\"] = True
with open(\"/sandbox/.openclaw/openclaw.json\", \"w\") as f:
json.dump(config, f, indent=2)
print(\"Done. Token:\", config[\"gateway\"][\"auth\"][\"token\"])
"'
Protect with Cloudflare Access — add the hostname to your Access application in the Zero Trust dashboard.
Access URL: https://nemoclaw.<domain>/#token=<gateway-token>
Step 10: Install Custom Skills
Skills are markdown files in /sandbox/.openclaw/skills/<name>/SKILL.md. SSH into the sandbox to create them:
ssh -F /tmp/nemoclaw-ssh-config openshell-claw
mkdir -p /sandbox/.openclaw/skills/my-skill
cat > /sandbox/.openclaw/skills/my-skill/SKILL.md << 'EOF'
---
name: my-skill
description: What this skill does.
tools: [exec, read, write]
---
# My Skill
Instructions for the agent...
EOF
Verify with: openclaw skills list
Step 11: Configure the Workspace
Update the workspace files so the agent knows who you are:
/sandbox/.openclaw/workspace/USER.md— your profile, preferences/sandbox/.openclaw/workspace/TOOLS.md— available tools and access/sandbox/.openclaw/workspace/SOUL.md— agent personality and behaviour
Updating OpenClaw
The sandbox bundles OpenClaw at install time. To update:
# 1. Update host-side packages
npm install -g openclaw@latest
# 2. Destroy and recreate sandbox
nemoclaw claw destroy
nemoclaw onboard
# 3. Reconfigure remote access (Step 9) and skills (Step 10)
Note: Sandbox network policies block npm/PyPI inside the sandbox. Updates must be done by rebuilding.
Troubleshooting
| Issue | Cause | Fix |
|---|---|---|
Docker is not running |
Docker service stopped or user not in docker group | sudo systemctl start docker then newgrp docker |
cgroup v2 detected |
Docker not configured for cgroupns=host | sudo nemoclaw setup-spark |
| Port 8080 in use | Another service on that port | fuser -k 8080/tcp |
nemoclaw: command not found |
Not in PATH | PATH=$HOME/.npm-global/bin:$HOME/.local/bin:$PATH |
device identity required |
Bug in OpenClaw ≤ v2026.3.11 | Append #token=<gateway-token> to URL, or update to v2026.3.12+ |
gateway token mismatch |
Token changed after sandbox rebuild | Get new token from sandbox config |
too many failed auth attempts |
Rate limited from old token attempts | Restart gateway: ssh -F /tmp/nemoclaw-ssh-config openshell-claw 'pkill -f "openclaw gateway"; sleep 2; openclaw gateway &' |
origin not allowed |
Domain not in allowedOrigins | Add to gateway.controlUi.allowedOrigins in sandbox config |
| Port 18789 not responding | SSH tunnel died | sudo systemctl restart nemoclaw-forward (auto-recovers within 13s) |
| npm 403 Forbidden inside sandbox | Network policy blocking TLS | Cannot install packages inside sandbox — rebuild instead |
Tunnel not found on DNS route |
Wrong Cloudflare account/cert | Check cloudflared tunnel list matches your cert |
| Error 502 on Cloudflare | Tunnel connections dropped | sudo systemctl restart cloudflared |
| Assets 404 via Cloudflare | Browser not authenticated for sub-requests | Hard refresh (Ctrl+Shift+R) after Cloudflare Access login |
Architecture
Docker (openshell-cluster-<name>)
└─ k3s cluster
├─ NVIDIA device plugin
└─ OpenShell sandbox
├─ OpenClaw agent
├─ NemoClaw plugin
├─ Gateway (WebSocket + REST)
└─ Workspace (SOUL.md, USER.md, TOOLS.md, skills/)
Port forward (systemd): localhost:18789 ←SSH tunnel→ sandbox:18789
Cloudflare Tunnel (optional): nemoclaw.domain → localhost:18789
References
Recommended Agent Skills
Expand your agent's capabilities with these related and highly-rated skills.
jezweb/claude-skills
shadcn-ui
Install and configure shadcn/ui components for React projects. Guides component selection, installation order, dependency management, customisation with semantic tokens, and common UI recipes (forms, data tables, navigation, modals). Use after tailwind-theme-builder has set up the theme infrastructure, when adding components, building forms, creating data tables, or setting up navigation.
jezweb/claude-skills
walkthrough-video
Generate professional walkthrough videos from app screenshots or live sites using Remotion. Smooth transitions, zoom effects, text overlays, and optional voiceover narration. Produces MP4 videos for demos, product showcases, or documentation. Triggers: 'walkthrough video', 'demo video', 'product video', 'create a video walkthrough', 'remotion video', 'screen recording', 'app demo', 'showcase video', 'generate video from screenshots'.
jezweb/claude-skills
product-showcase
Generate a comprehensive marketing website for a web app — multi-page with real screenshots, animated GIF walkthroughs, feature deep-dives, and workflow demonstrations. Browses the running app, captures screens and sequences, and produces a deployable site that actually teaches people what the product does. Especially useful for complex or agentic apps that are hard to explain. Triggers: 'showcase site', 'product page', 'show off the app', 'marketing site', 'demo site', 'product showcase', 'explain the app', 'how do I market this'.
jezweb/claude-skills
design-system
Extract a complete design system from an existing website or screenshot into a DESIGN.md file. Analyses colours, typography, component styles, spacing, and atmosphere through browser automation and HTML inspection. Produces a semantic design system document optimised for consistent page generation. Triggers: 'extract design system', 'design system', 'create DESIGN.md', 'analyse the design', 'what design does this site use', 'extract styles from', 'reverse engineer the design'.
jezweb/claude-skills
react-patterns
React 19 performance patterns and composition architecture for Vite + Cloudflare projects. 50+ rules ranked by impact — eliminating waterfalls, bundle optimisation, re-render prevention, composition over boolean props, server/client boundaries, and React 19 APIs. Use when writing, reviewing, or refactoring React components. Triggers: 'react patterns', 'react review', 'react performance', 'optimise components', 'react best practices', 'composition patterns', 'why is it slow', 'reduce re-renders', 'fix waterfall'.
jezweb/claude-skills
react-native
React Native and Expo patterns for building performant mobile apps. Covers list performance, animations with Reanimated, navigation, UI patterns, state management, platform-specific code, and Expo workflows. Use when building or reviewing React Native code. Triggers: 'react native', 'expo', 'mobile app', 'react native performance', 'flatlist', 'reanimated', 'expo router', 'mobile development', 'ios app', 'android app'.
Didn't find tool you were looking for?