From integrations
Installs and configures NVIDIA NemoClaw sandboxed AI agent platform on Linux using Docker, OpenShell, cgroup fixes, Cloudflare tunnels, and NVIDIA API keys.
npx claudepluginhub jezweb/claude-skills --plugin integrationsThis skill uses the workspace's default tool permissions.
Install NVIDIA NemoClaw — a sandboxed AI agent platform built on OpenClaw with Landlock + seccomp + network namespace isolation. Runs inside Docker via k3s (OpenShell).
Generates design tokens/docs from CSS/Tailwind/styled-components codebases, audits visual consistency across 10 dimensions, detects AI slop in UI.
Records polished WebM UI demo videos of web apps using Playwright with cursor overlay, natural pacing, and three-phase scripting. Activates for demo, walkthrough, screen recording, or tutorial requests.
Delivers idiomatic Kotlin patterns for null safety, immutability, sealed classes, coroutines, Flows, extensions, DSL builders, and Gradle DSL. Use when writing, reviewing, refactoring, or designing Kotlin code.
Install NVIDIA NemoClaw — a sandboxed AI agent platform built on OpenClaw with Landlock + seccomp + network namespace isolation. Runs inside Docker via k3s (OpenShell).
| Requirement | Check | Install |
|---|---|---|
| Linux (Ubuntu 22.04+) | uname -a | — |
| Docker | docker ps | sudo apt install docker.io |
| Node.js 20+ (22 recommended) | node --version | nvm install 22 |
| NVIDIA GPU (optional but recommended) | nvidia-smi | — |
| NVIDIA API key | — | https://build.nvidia.com/settings/api-keys |
# Check Docker
docker ps 2>/dev/null || echo "Docker not running or no access"
# Check Node.js
node --version
# Check if already installed
which nemoclaw && nemoclaw --version
which openshell && openshell --version
If nemoclaw is already installed, skip to Step 4.
curl -fsSL https://nvidia.com/nemoclaw.sh | bash
This installs NemoClaw and OpenClaw via npm globally (to ~/.npm-global/bin/).
If the installer can't find Node.js, install it first:
curl -fsSL https://deb.nodesource.com/setup_22.x | sudo -E bash -
sudo apt install -y nodejs
curl -LsSf https://raw.githubusercontent.com/NVIDIA/OpenShell/main/install.sh | sh
Installs to ~/.local/bin/openshell.
Docker group — the user must be in the docker group:
sudo usermod -aG docker $USER
newgrp docker
# or log out and back in
cgroup v2 fix — required for k3s inside Docker:
# Check if needed
grep cgroup2 /proc/filesystems && echo "cgroup v2 detected — fix needed"
# Apply fix (needs sudo)
sudo $HOME/.npm-global/bin/nemoclaw setup-spark
This adds "default-cgroupns-mode": "host" to /etc/docker/daemon.json and restarts Docker.
IMPORTANT: The nemoclaw setup-spark command also asks for an NVIDIA API key. Have it ready (starts with nvapi-). Get one at https://build.nvidia.com/settings/api-keys.
PATH=$HOME/.npm-global/bin:$HOME/.local/bin:$PATH nemoclaw onboard
The interactive wizard will:
claw or any nameCommon port conflict: If port 8080 is in use, find and kill the process:
fuser -k 8080/tcp
# Check sandbox is running
PATH=$HOME/.npm-global/bin:$HOME/.local/bin:$PATH nemoclaw claw status
# Connect via terminal
PATH=$HOME/.npm-global/bin:$HOME/.local/bin:$PATH nemoclaw claw connect
The web UI runs inside the sandbox and needs a port forward:
PATH=$HOME/.npm-global/bin:$HOME/.local/bin:$PATH openshell forward start 18789 claw
Then open: http://127.0.0.1:18789/
Known bug (OpenClaw ≤ v2026.3.11): "device identity required" error. Workaround — append the gateway token to the URL:
# Get the token
ssh -F /tmp/nemoclaw-ssh-config openshell-claw \
"python3 -c \"import json; print(json.load(open('/sandbox/.openclaw/openclaw.json'))['gateway']['auth']['token'])\""
Then visit: http://127.0.0.1:18789/#token=<gateway-token>
Fix: Update to OpenClaw v2026.3.12+ (see Updating section below).
Create a health-checked keepalive script:
cat > ~/.local/bin/nemoclaw-keepalive.sh << 'KEEPALIVE'
#!/bin/bash
export PATH="$HOME/.npm-global/bin:$HOME/.local/bin:/usr/local/bin:/usr/bin:/bin"
cleanup() { kill %1 2>/dev/null; exit 0; }
trap cleanup SIGTERM SIGINT
while true; do
fuser -k 18789/tcp 2>/dev/null; sleep 1
openshell forward start 18789 claw &
FORWARD_PID=$!; sleep 3
while kill -0 $FORWARD_PID 2>/dev/null; do
if ! curl -sf -o /dev/null --connect-timeout 3 http://127.0.0.1:18789/ 2>/dev/null; then
echo "$(date): Health check failed, restarting..."
kill $FORWARD_PID 2>/dev/null; wait $FORWARD_PID 2>/dev/null; break
fi
sleep 10
done
echo "$(date): Forward died, restarting in 3s..."; sleep 3
done
KEEPALIVE
chmod +x ~/.local/bin/nemoclaw-keepalive.sh
Create the systemd service:
sudo tee /etc/systemd/system/nemoclaw-forward.service << 'SERVICE'
[Unit]
Description=NemoClaw Port Forward with Health Check
After=docker.service
Requires=docker.service
[Service]
Type=simple
User=$USER
Group=docker
Environment=PATH=/home/$USER/.npm-global/bin:/home/$USER/.local/bin:/usr/local/bin:/usr/bin:/bin
ExecStart=/home/$USER/.local/bin/nemoclaw-keepalive.sh
Restart=always
RestartSec=5
KillMode=control-group
[Install]
WantedBy=multi-user.target
SERVICE
sudo systemctl daemon-reload
sudo systemctl enable nemoclaw-forward
sudo systemctl start nemoclaw-forward
If you have a Cloudflare Tunnel already running, add NemoClaw to it.
Add DNS route:
cloudflared tunnel route dns <tunnel-name> nemoclaw.<domain>
Update tunnel config (/etc/cloudflared/config.yml):
- hostname: nemoclaw.<domain>
service: http://localhost:18789
originRequest:
httpHostHeader: "127.0.0.1:18789"
Restart tunnel:
sudo systemctl restart cloudflared
Update sandbox allowed origins — SSH into the sandbox and add your domain:
openshell sandbox ssh-config claw > /tmp/nemoclaw-ssh-config
ssh -F /tmp/nemoclaw-ssh-config openshell-claw 'python3 -c "
import json
with open(\"/sandbox/.openclaw/openclaw.json\") as f:
config = json.load(f)
config[\"gateway\"][\"controlUi\"][\"allowedOrigins\"].append(\"https://nemoclaw.<domain>\")
config[\"gateway\"][\"trustedProxies\"] = [\"127.0.0.1\", \"::1\", \"172.0.0.0/8\", \"10.0.0.0/8\"]
config[\"gateway\"][\"allowRealIpFallback\"] = True
with open(\"/sandbox/.openclaw/openclaw.json\", \"w\") as f:
json.dump(config, f, indent=2)
print(\"Done. Token:\", config[\"gateway\"][\"auth\"][\"token\"])
"'
Protect with Cloudflare Access — add the hostname to your Access application in the Zero Trust dashboard.
Access URL: https://nemoclaw.<domain>/#token=<gateway-token>
Skills are markdown files in /sandbox/.openclaw/skills/<name>/SKILL.md. SSH into the sandbox to create them:
ssh -F /tmp/nemoclaw-ssh-config openshell-claw
mkdir -p /sandbox/.openclaw/skills/my-skill
cat > /sandbox/.openclaw/skills/my-skill/SKILL.md << 'EOF'
---
name: my-skill
description: What this skill does.
tools: [exec, read, write]
---
# My Skill
Instructions for the agent...
EOF
Verify with: openclaw skills list
Update the workspace files so the agent knows who you are:
/sandbox/.openclaw/workspace/USER.md — your profile, preferences/sandbox/.openclaw/workspace/TOOLS.md — available tools and access/sandbox/.openclaw/workspace/SOUL.md — agent personality and behaviourThe sandbox bundles OpenClaw at install time. To update:
# 1. Update host-side packages
npm install -g openclaw@latest
# 2. Destroy and recreate sandbox
nemoclaw claw destroy
nemoclaw onboard
# 3. Reconfigure remote access (Step 9) and skills (Step 10)
Note: Sandbox network policies block npm/PyPI inside the sandbox. Updates must be done by rebuilding.
| Issue | Cause | Fix |
|---|---|---|
Docker is not running | Docker service stopped or user not in docker group | sudo systemctl start docker then newgrp docker |
cgroup v2 detected | Docker not configured for cgroupns=host | sudo nemoclaw setup-spark |
| Port 8080 in use | Another service on that port | fuser -k 8080/tcp |
nemoclaw: command not found | Not in PATH | PATH=$HOME/.npm-global/bin:$HOME/.local/bin:$PATH |
device identity required | Bug in OpenClaw ≤ v2026.3.11 | Append #token=<gateway-token> to URL, or update to v2026.3.12+ |
gateway token mismatch | Token changed after sandbox rebuild | Get new token from sandbox config |
too many failed auth attempts | Rate limited from old token attempts | Restart gateway: ssh -F /tmp/nemoclaw-ssh-config openshell-claw 'pkill -f "openclaw gateway"; sleep 2; openclaw gateway &' |
origin not allowed | Domain not in allowedOrigins | Add to gateway.controlUi.allowedOrigins in sandbox config |
| Port 18789 not responding | SSH tunnel died | sudo systemctl restart nemoclaw-forward (auto-recovers within 13s) |
| npm 403 Forbidden inside sandbox | Network policy blocking TLS | Cannot install packages inside sandbox — rebuild instead |
Tunnel not found on DNS route | Wrong Cloudflare account/cert | Check cloudflared tunnel list matches your cert |
| Error 502 on Cloudflare | Tunnel connections dropped | sudo systemctl restart cloudflared |
| Assets 404 via Cloudflare | Browser not authenticated for sub-requests | Hard refresh (Ctrl+Shift+R) after Cloudflare Access login |
Docker (openshell-cluster-<name>)
└─ k3s cluster
├─ NVIDIA device plugin
└─ OpenShell sandbox
├─ OpenClaw agent
├─ NemoClaw plugin
├─ Gateway (WebSocket + REST)
└─ Workspace (SOUL.md, USER.md, TOOLS.md, skills/)
Port forward (systemd): localhost:18789 ←SSH tunnel→ sandbox:18789
Cloudflare Tunnel (optional): nemoclaw.domain → localhost:18789