Ready-to-run application examples for your NemoClaw sandbox — policy, prompt, and personalization for each workflow
Tables below are grouped by tab so you can jump straight to the workflow you're debugging. Start with General sandbox & policy issues if the failure is at the nemoclaw / openshell command layer rather than inside a specific application.
| Symptom | Cause | Fix |
|---|---|---|
| nemoclaw <sandbox> policy-add returns unknown sandbox | Sandbox name typo, or sandbox was deleted | Run nemoclaw list to see registered sandboxes; rerun the command with the exact name. If empty, re-run the NemoClaw installer to recreate the sandbox. |
| openshell policy set fails with validation failed / exit code 1 | Malformed YAML or invalid policy fields | Common issues: paths must start with /, no .. traversal, run_as_user must not be root, network_policies entries need both host and port. Fix the YAML and retry. |
| openshell policy get shows your new network rule but the sandbox still blocks the host | Hot-reload did not complete | Re-run with --wait so the CLI blocks until the update is confirmed: openshell policy set $SANDBOX_NAME --policy policy.yaml --wait. If still failing, restart the sandbox container via nemoclaw $SANDBOX_NAME restart (if available in your version) or recreate the sandbox. |
| Cannot recreate sandbox: port 8080 is held by container... | A previous OpenShell gateway or sandbox container still owns port 8080 | openshell gateway destroy -g <old-gateway-name> (or docker stop <name> && docker rm <name>), then re-run nemoclaw onboard. |
| policy-add does not list the preset I expected | Preset depends on NemoClaw version | List what your version supports: nemoclaw $SANDBOX_NAME policy-add --help or run policy-add interactively and read the menu. Newer presets may require updating NemoClaw. |
| Web UI shows origin not allowed after policy changes | Accessing via localhost instead of 127.0.0.1 | Use http://127.0.0.1:18789/#token=<your-token>. The gateway origin check requires 127.0.0.1 exactly. |
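
The four validation rules in the openshell policy set row above can be checked before the policy is submitted. The lint below is an added example, not NemoClaw or OpenShell code; it works on an already-parsed policy, and the nesting of keys in the constructed sample is an assumption to adapt to your own policy.yaml.

```python
# Added example (not NemoClaw/OpenShell code). The key layout is assumed.
def _leaves(node, trail=()):
    """Yield (trail, value) for every scalar inside nested dicts and lists."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _leaves(value, trail + (str(key),))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _leaves(value, trail + (str(index),))
    else:
        yield trail, node

def _endpoints(node):
    """Yield every mapping under network_policies that names a host or a port."""
    if isinstance(node, dict) and ("host" in node or "port" in node):
        yield node
    elif isinstance(node, (dict, list)):
        children = node.values() if isinstance(node, dict) else node
        for child in children:
            yield from _endpoints(child)

def lint_policy(policy):
    """Return a list of human-readable problems; an empty list means clean."""
    problems = []
    for trail, value in _leaves(policy.get("filesystem_policies", {})):
        where = ".".join(("filesystem_policies",) + trail)
        if isinstance(value, str) and not value.startswith("/"):
            problems.append(f"{where}: {value!r} must start with /")
        if isinstance(value, str) and ".." in value.split("/"):
            problems.append(f"{where}: {value!r} contains .. traversal")
    for trail, value in _leaves(policy):
        # UID 0 is root too, so the numeric form is flagged as well.
        if trail[-1:] == ("run_as_user",) and str(value) in ("root", "0"):
            problems.append(f"{'.'.join(trail)}: must not be root")
    for endpoint in _endpoints(policy.get("network_policies", {})):
        missing = [key for key in ("host", "port") if not endpoint.get(key)]
        if missing:
            problems.append(f"network_policies: {endpoint} lacks {missing}")
    return problems

# Constructed sample with one violation of each rule.
SAMPLE = {
    "run_as_user": "root",
    "filesystem_policies": {"read_only": ["/usr", "etc/ssl"],
                            "read_write": [{"host_path": "/srv/app/../secrets"}]},
    "network_policies": [{"host": "api.example.com", "port": 443}, {"host": "example.org"}],
}
print("\n".join(lint_policy(SAMPLE)))
```
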
| Symptom | Cause | Fix |
|---|---|---|
| Telegram bot replies Error: Channel is unavailable: telegram | Telegram channel plugin was not wired into the sandbox at onboard | policy-add telegram alone is not enough. Re-run the NemoClaw installer (see the Download, verify, then execute snippet in NemoClaw Policy Setup) and select telegram at the Messaging channels prompt to recreate the sandbox with the channel plugin. |
| nemoclaw tunnel start prints cloudflared not found — no public URL | cloudflared is not installed | Reinstall it: curl -L --output cloudflared.deb https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-arm64.deb && sudo dpkg -i cloudflared.deb, then nemoclaw tunnel stop && nemoclaw tunnel start. |
| Telegram bot receives messages but returns nothing for 60+ seconds | First response on a 120B model is slow (cold start), or Ollama not warm | Expected for the first reply after a restart. Verify the inference route with nemoclaw $SANDBOX_NAME status. If subsequent replies are also slow, pick a smaller model in the NemoClaw onboard wizard. |
| Symptom | Cause | Fix |
|---|---|---|
| Scheduled digest never fires | The agent did not persist a scheduled task | Ask in the web UI: "Show me all scheduled tasks." If empty, re-issue the prompt and explicitly say "Register this as a recurring scheduled task using your built-in scheduler." |
| Digest fires but message says unable to fetch <url> | Host is not in network_policies | Add the host under network_policies in policy.yaml and re-run openshell policy set $SANDBOX_NAME --policy policy.yaml --wait. Outbound denials show up in nemoclaw $SANDBOX_NAME logs --follow and openshell term. |
| Agent skips the setup questions and dives straight into a generic digest | Profile from a prior run is still in memory | Send "Forget my profile and run the one-time setup again from scratch." and re-answer the six questions. |
| Symptom | Cause | Fix |
|---|---|---|
| Agent writes develop-and-review.md but the host file is missing | Looking at the wrong host path | The sandbox path /workspace/project maps to the host_path you set in filesystem_policies.read_write. Open develop-and-review.md under that host directory (e.g. ~/nemoclaw-projects/my-app/develop-and-review.md), not inside /workspace/project on the host. |
| Agent fails with read-only file system when writing develop-and-review.md | Project folder was mounted under read_only instead of read_write | Move the entry from filesystem_policies.read_only to filesystem_policies.read_write and recreate the sandbox. Filesystem policy is locked at creation; hot-reload does not apply. |
| Agent runs tests and reports "tests not run" even though the project has tests | Test runner not installed in the sandbox image | The default NemoClaw sandbox may not ship pytest, npm, cargo, or go test. Install whatever the project uses once after sandbox creation: nemoclaw $SANDBOX_NAME connect, then pip install --user pytest (or equivalent), then exit. |
| Agent modifies files outside the plan | Plan-approval checkpoint was disabled | In the profile, answer yes to "pause for approval" (Q5). The agent must then print PLAN READY — reply 'approve' and wait, never modifying source files until you reply approve. |
| Symptom | Cause | Fix |
|---|---|---|
| Agent reports "ingested 0 artifacts" | Queue directory is empty or files match ignore_paths | Confirm files exist with ls ~/nemoclaw-redteam/queue/ on the host. Check profile.yaml.ignore_paths for a glob that's catching your files (e.g. **/~$* excludes Office lock files). |
| Agent reports "parser not available" for .pptx or .pdf | python-pptx / pdfplumber not installed in the sandbox | Install once: nemoclaw $SANDBOX_NAME connect, then pip install --user python-pptx python-docx pdfplumber markdown-it-py wcag-contrast-ratio, then exit. The agent falls back to plain-text extraction if a parser is missing — flag it explicitly if you'd rather not install Python packages. |
| Same finding keeps re-appearing after I dismissed it | Dismissal mode is None, or the rule + location pair did not match | Confirm profile Q4 is Sticky or Per-version. Check ~/nemoclaw-redteam/memory/dismissals.jsonl to verify the dismissal was written. If the location field differs by a single character (e.g. "Slide 1" vs "slide 1"), the agent treats them as different sites — ask the agent to dismiss again using the exact coordinates from the latest report. |
| CRITICAL findings disappear from the report | Auto-dismiss was attempted (should be impossible) | This is a regression — CRITICAL is hardcoded to require yes, dismiss critical re-confirmation per the prompt's DISMISSAL PROTOCOL. Re-paste the full prompt to restore the rule and re-run. |
| Symptom | Cause | Fix |
|---|---|---|
| Agent proposes slots inside my focus blocks | profile.yaml not being re-read each run, or approval threshold permits it | The agent is required to re-read calendar.ics and profile.yaml on every request (workflow step 2 LOAD). Verify the focus block is actually in profile.yaml and not just in your head. Tighten profile Q6 (approval threshold) to Always ask if the agent's Ask only if... carve-out is firing too often. |
| Agent shares event titles or attendees from calendar.ics with the other party | Information disclosure profile (Q5) set to slots + reasons | Reset profile Q5 to slots only. The negotiation safety rules also forbid leaking event titles, attendees, or locations — if the agent did so under slots only, re-paste the full prompt to restore the rule. |
| Booking file overwrites a confirmed prior booking | Agent did not honor the "never overwrite" rule | Check ~/nemoclaw-calendar/bookings/ for a -v2.md file — the rule requires a new file with -v2 suffix when a meeting is moved. If overwritten, restore from your filesystem snapshot or last backup; re-paste the full prompt to restore the rule. |
| Agent never DMs the other party even in proxy mode | Telegram channel not wired or other party's chat not opened | First, confirm Telegram works for you by sending the bot a hello. Then confirm the other party has actually opened a chat with the bot at least once (/start); Telegram bots cannot DM users who have not initiated contact. |
NOTE
For installer-level NemoClaw issues (Docker, Ollama, gateway, Telegram setup), see the Troubleshooting tab of the NemoClaw on DGX Spark playbook before debugging here — most reported issues come from the install layer rather than the application layer.
NOTE
DGX Spark uses a Unified Memory Architecture (UMA), which enables dynamic memory sharing between the GPU and CPU. With many applications still updating to take advantage of UMA, you may encounter memory issues even when within the memory capacity of DGX Spark. If that happens, manually flush the buffer cache with:
sudo sh -c 'sync; echo 3 > /proc/sys/vm/drop_caches'
For the latest known issues, please review the DGX Spark User Guide.