
nemoclaw-setup

This Claude Code skill automates installation and configuration of NVIDIA NemoClaw, a sandboxed AI agent platform running on Linux with Docker and k3s. Use it when users need to install NemoClaw, set up OpenClaw, configure sandboxed agents on NVIDIA hardware, or troubleshoot deployment issues including Docker permissions, cgroup fixes, and Cloudflare Tunnel remote access.

Install in Claude Code

```bash
git clone --depth 1 https://github.com/jezweb/claude-skills /tmp/nemoclaw-setup && cp -r /tmp/nemoclaw-setup/plugins/integrations/skills/nemoclaw-setup ~/.claude/skills/nemoclaw-setup
```

Then open a new Claude Code session; the skill loads automatically.

SKILL.md

# NemoClaw Setup

Install NVIDIA NemoClaw — a sandboxed AI agent platform built on OpenClaw with Landlock + seccomp + network namespace isolation. Runs inside Docker via k3s (OpenShell).

## What You Get

- Sandboxed AI agent with web UI and terminal CLI
- Powered by NVIDIA Nemotron models (cloud or local)
- Network-policy-controlled access to external services
- Optional remote access via Cloudflare Tunnel

## Prerequisites

| Requirement | Check | Install |
|-------------|-------|---------|
| Linux (Ubuntu 22.04+) | `uname -a` | — |
| Docker | `docker ps` | `sudo apt install docker.io` |
| Node.js 20+ (22 recommended) | `node --version` | `nvm install 22` |
| NVIDIA GPU (optional but recommended) | `nvidia-smi` | — |
| NVIDIA API key | — | https://build.nvidia.com/settings/api-keys |

## Workflow

### Step 1: Pre-flight Checks

```bash
# Check Docker
docker ps 2>/dev/null || echo "Docker not running or no access"

# Check Node.js
node --version

# Check if already installed
which nemoclaw && nemoclaw --version
which openshell && openshell --version
```

If `nemoclaw` is already installed, skip to Step 4.

### Step 2: Install NemoClaw

```bash
curl -fsSL https://nvidia.com/nemoclaw.sh | bash
```

This installs NemoClaw and OpenClaw via npm globally (to `~/.npm-global/bin/`).

**If the installer can't find Node.js**, install it first:
```bash
curl -fsSL https://deb.nodesource.com/setup_22.x | sudo -E bash -
sudo apt install -y nodejs
```

### Step 3: Install OpenShell

```bash
curl -LsSf https://raw.githubusercontent.com/NVIDIA/OpenShell/main/install.sh | sh
```

Installs to `~/.local/bin/openshell`.

### Step 4: Fix Docker Permissions and cgroup

**Docker group** — the user must be in the `docker` group:
```bash
sudo usermod -aG docker $USER
newgrp docker
# or log out and back in
```

**cgroup v2 fix** — required for k3s inside Docker:
```bash
# Check if needed: stat reports "cgroup2fs" when the host runs the unified cgroup v2 hierarchy
[ "$(stat -fc %T /sys/fs/cgroup)" = "cgroup2fs" ] && echo "cgroup v2 detected — fix needed"

# Apply fix (needs sudo)
sudo "$HOME/.npm-global/bin/nemoclaw" setup-spark
```

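This adds `"default-cgroupns-mode": "host"` to `/etc/docker/daemon.json` and restarts Docker. The setting is a daemon-wide default, so it applies to every container started without an explicit `--cgroupns` option, not only to the NemoClaw gateway.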

**IMPORTANT**: The `nemoclaw setup-spark` command also asks for an NVIDIA API key. Have it ready (starts with `nvapi-`). Get one at https://build.nvidia.com/settings/api-keys.

### Step 5: Run Onboarding

```bash
PATH=$HOME/.npm-global/bin:$HOME/.local/bin:$PATH nemoclaw onboard
```

The interactive wizard will:
1. Check Docker and OpenShell
2. Start the OpenShell gateway (k3s in Docker)
3. Ask for a sandbox name — use `claw` or any name
4. Configure the NVIDIA API key
5. Set up inference (Nemotron 3 Super 120B via cloud API)
6. Launch OpenClaw inside the sandbox
7. Apply network policy presets — select the ones you need

**Common port conflict**: If port 8080 is in use, find and kill the process:
```bash
# Show which process holds the port
fuser -v 8080/tcp

# Kill it
fuser -k 8080/tcp
```

### Step 6: Verify

```bash
# Check sandbox is running
PATH=$HOME/.npm-global/bin:$HOME/.local/bin:$PATH nemoclaw claw status

# Connect via terminal
PATH=$HOME/.npm-global/bin:$HOME/.local/bin:$PATH nemoclaw claw connect
```

### Step 7: Set Up Web UI Access

The web UI runs inside the sandbox and needs a port forward:

```bash
PATH=$HOME/.npm-global/bin:$HOME/.local/bin:$PATH openshell forward start 18789 claw
```

Then open: `http://127.0.0.1:18789/`

**Known bug (OpenClaw ≤ v2026.3.11)**: "device identity required" error. Workaround — append the gateway token to the URL:

```bash
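# Generate the sandbox SSH config used by the ssh command below
openshell sandbox ssh-config claw > /tmp/nemoclaw-ssh-config

# Get the token
ssh -F /tmp/nemoclaw-ssh-config openshell-claw \
  "python3 -c \"import json; print(json.load(open('/sandbox/.openclaw/openclaw.json'))['gateway']['auth']['token'])\""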
```

Then visit: `http://127.0.0.1:18789/#token=<gateway-token>`

**Fix**: Update to OpenClaw v2026.3.12+ (see Updating section below).

### Step 8: Make the Port Forward Persistent

Create a health-checked keepalive script:

```bash
cat > ~/.local/bin/nemoclaw-keepalive.sh << 'KEEPALIVE'
#!/bin/bash
export PATH="$HOME/.npm-global/bin:$HOME/.local/bin:/usr/local/bin:/usr/bin:/bin"
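# Stop the current forward by PID on shutdown (job specs like %1 are unreliable in scripts)
cleanup() { kill "$FORWARD_PID" 2>/dev/null; exit 0; }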
trap cleanup SIGTERM SIGINT
while true; do
    fuser -k 18789/tcp 2>/dev/null; sleep 1
    openshell forward start 18789 claw &
    FORWARD_PID=$!; sleep 3
    while kill -0 $FORWARD_PID 2>/dev/null; do
        if ! curl -sf -o /dev/null --connect-timeout 3 http://127.0.0.1:18789/ 2>/dev/null; then
            echo "$(date): Health check failed, restarting..."
            kill $FORWARD_PID 2>/dev/null; wait $FORWARD_PID 2>/dev/null; break
        fi
        sleep 10
    done
    echo "$(date): Forward died, restarting in 3s..."; sleep 3
done
KEEPALIVE
chmod +x ~/.local/bin/nemoclaw-keepalive.sh
```

Create the systemd service:

```bash
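# Unquoted heredoc delimiter: the shell expands $USER before the unit is written.
# With a quoted delimiter systemd would receive the literal string "$USER".
sudo tee /etc/systemd/system/nemoclaw-forward.service > /dev/null << SERVICE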
[Unit]
Description=NemoClaw Port Forward with Health Check
After=docker.service
Requires=docker.service

[Service]
Type=simple
User=$USER
Group=docker
Environment=PATH=/home/$USER/.npm-global/bin:/home/$USER/.local/bin:/usr/local/bin:/usr/bin:/bin
ExecStart=/home/$USER/.local/bin/nemoclaw-keepalive.sh
Restart=always
RestartSec=5
KillMode=control-group

[Install]
WantedBy=multi-user.target
SERVICE

sudo systemctl daemon-reload
sudo systemctl enable nemoclaw-forward
sudo systemctl start nemoclaw-forward
```
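
Once the service is running, it is worth confirming that the forward on port 18789 listens on loopback only, since Step 7 reaches the UI at `127.0.0.1`. The following is an added example, not part of the original skill; the function names and the sample `ss` lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the NemoClaw skill): report listeners on the
# forwarded web UI port that are bound beyond loopback.

# Constructed sample of `ss -H -ltn` output: forward bound to loopback only.
SAMPLE_SS='LISTEN 0 128 127.0.0.1:18789 0.0.0.0:*
LISTEN 0 128 [::1]:18789 [::]:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*'

# Constructed sample: the same port bound to every interface.
SAMPLE_SS_EXPOSED='LISTEN 0 128 0.0.0.0:18789 0.0.0.0:*
LISTEN 0 128 [::]:18789 [::]:*'

# non_loopback_listeners PORT   (reads `ss -H -ltn` lines on stdin)
# Prints each local address listening on PORT that is not loopback.
# Returns 0 when no such listener exists, 1 otherwise.
non_loopback_listeners() {
    local port="$1" state recvq sendq laddr rest found=0
    while read -r state recvq sendq laddr rest; do
        [ "$state" = "LISTEN" ] || continue
        [ "${laddr##*:}" = "$port" ] || continue   # port follows the last colon
        case "${laddr%:*}" in
            127.*|"[::1]"|"[::ffff:127."*) ;;      # loopback: nothing to report
            *) printf '%s\n' "$laddr"; found=1 ;;
        esac
    done
    return "$found"
}

# check_ui_port [PORT]: run the check against the live socket table.
check_ui_port() {
    local port="${1:-18789}"
    command -v ss >/dev/null 2>&1 || { echo "ss not found" >&2; return 2; }
    if ss -H -ltn | non_loopback_listeners "$port"; then
        echo "port $port: no listener bound beyond loopback"
    else
        echo "port $port: bound beyond loopback, review the forward" >&2
        return 1
    fi
}
```

Run `check_ui_port` after `systemctl start nemoclaw-forward`; a non-zero exit means the UI port is bound to an address other hosts can reach.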

### Step 9: Remote Access via Cloudflare Tunnel (Optional)

If you have a Cloudflare Tunnel already running, add NemoClaw to it.

**Add DNS route:**
```bash
cloudflared tunnel route dns <tunnel-name> nemoclaw.<domain>
```

**Update tunnel config** (`/etc/cloudflared/config.yml`):
```yaml
  - hostname: nemoclaw.<domain>
    service: http://localhost:18789
    originRequest:
      httpHostHeader: "127.0.0.1:18789"
```

**Restart tunnel:**
```bash
sudo systemctl restart cloudflared
```

**Update sandbox allowed origins** — SSH into the sandbox and add your domain:

```bash
openshell sandbox ssh-config claw > /tmp/nemoclaw-ssh-config

ssh -F /tmp/nemoclaw-ssh-config openshell-claw 'python3
```