Ready-to-run application examples for your NemoClaw sandbox — policy, prompt, and personalization for each workflow
This playbook is a companion to the NemoClaw on DGX Spark install playbook. It walks through four ready-to-run applications you can stand up on top of an existing NemoClaw sandbox — a personal morning news digest, a software development agent, a doc and deck red-team, and a calendar negotiation chief-of-staff.
Each application is presented as a self-contained tab with the same three sections:
All applications run inside the OpenShell sandbox that NemoClaw created during onboarding, so the agent's filesystem, network, process, and inference access stays bounded by the policy you grant.
You will run four practical NemoClaw workflows on your DGX Spark:
develop-and-review.md you can read before merging. No outbound network beyond the local inference endpoint.A separate NemoClaw Policy Setup tab covers the one-time Telegram channel wiring that two of the applications (News Digest and Calendar Negotiator) require and the other two (Software Development Agent and Deck Reviewer) can optionally use for "ready for review" notifications. The Troubleshooting tab collects symptom/cause/fix entries specific to these workflows.
For each application you will be able to read the live policy YAML (openshell policy get --full), apply or remove maintained presets with nemoclaw policy-add / policy-remove (no rebuild required for network changes), and bind host directories into the sandbox with nemoclaw share mount (hot — no rebuild required for mounts either). Tightening filesystem_policy itself, when you want a kernel-enforced write boundary inside the sandbox, is the only step that still requires nemoclaw rebuild (workspace state is preserved automatically).
my-assistant).Hardware and access:
nemoclaw list shows at least one sandbox).Software:
nemoclaw tunnel start) for any Telegram-driven application.Verify the sandbox is healthy before you start:
nemoclaw list
nemoclaw my-assistant status
Expected: your sandbox appears in the list and status reports the sandbox as Running with the inference provider pointing at your local Ollama model.
| Item | Where to get it | Used by |
|---|---|---|
Sandbox name from NemoClaw onboard (e.g. my-assistant) | nemoclaw list | All applications |
| Telegram bot token and numeric user ID | @BotFather (/newbot), @userinfobot on Telegram for your user ID | Policy Setup, News Digest, Calendar Negotiator; optional for Software Development Agent and Deck Reviewer |
Allowlist of news source hostnames to add under network_policies | Pick the sites you trust | News Digest |
| A host directory containing the project you want built and reviewed | A copy/clone of the project, e.g. ~/nemoclaw-projects/my-app/ | Software Development Agent |
A queue folder, a canonical corpus folder, and a profile.yaml for red-team rules | Curate from prior decks, brand guide, and canonical metric files, e.g. ~/nemoclaw-redteam/ | Deck Reviewer |
A calendar.ics export and a profile.yaml with working hours, focus blocks, and timezone | Export from your real calendar (Google: Settings → Import & export) into ~/nemoclaw-calendar/ | Calendar Negotiator |
All policy snippets and example prompts in this playbook are inline in the application tabs — there are no external assets to clone. The bundled sandbox policy is shipped with NemoClaw and OpenShell; the application tabs only modify it.
chmod on read-only source data backed by share mount's SSHFS permission passthrough, scoped sandbox directories so the agent only sees one mounted tree at a time, explicit egress allowlists via nemoclaw policy-add presets, and in-prompt safety rules that survive single-message overrides) but is not eliminated. Do not point these recipes at sensitive data, production accounts, or personal files without reviewing the policy first.nemoclaw uninstall to remove everything.