| name | memantoclaw-manage-policy |
| description | Reviews and approve blocked agent network requests in the TUI. Also covers adds, remove, or modify allowed endpoints in the sandbox policy. Use when approve deny memantoclaw agent, customize memantoclaw network policy, customize memantoclaw sandbox network, memantoclaw, memantoclaw approve network requests, network policy, openclaw, openshell. |
Memantoclaw Manage Policy
Review and approve blocked agent network requests in the TUI.
Prerequisites
- A running MemantoClaw sandbox.
- The OpenShell CLI on your
PATH.
- A running MemantoClaw sandbox for dynamic changes, or the MemantoClaw source repository for static changes.
Review and act on network requests that the agent makes to endpoints not listed in the sandbox policy.
OpenShell intercepts these requests and presents them in the TUI for operator approval.
Step 1: Open the TUI
Start the OpenShell terminal UI to monitor sandbox activity:
$ openshell term
For a remote sandbox, pass the instance name:
$ ssh my-gpu-box 'cd /home/ubuntu/memantoclaw && . .env && openshell term'
The TUI displays the sandbox state, active inference provider, and a live feed of network activity.
Step 2: Trigger a Blocked Request
When the agent attempts to reach an endpoint that is not in the baseline policy, OpenShell blocks the connection and displays the request in the TUI.
The blocked request includes the following details:
- Host and port of the destination.
- Binary that initiated the request.
- HTTP method and path, if available.
Step 3: Approve or Deny the Request
The TUI presents an approval prompt for each blocked request.
- Approve the request to add the endpoint to the running policy for the current session.
- Deny the request to keep the endpoint blocked.
Approved endpoints remain in the running policy until the sandbox stops.
They are not persisted to the baseline policy file.
Step 4: Run the Walkthrough
To observe the approval flow in a guided session, run the walkthrough script:
$ ./scripts/walkthrough.sh
This script opens a split tmux session with the TUI on the left and the agent on the right.
The walkthrough requires tmux and the NVIDIA_API_KEY environment variable.
Add, remove, or modify the endpoints that the sandbox is allowed to reach.
The sandbox policy is defined in a declarative YAML file in the MemantoClaw repository and enforced at runtime by NVIDIA OpenShell.
MemantoClaw supports both static policy changes that persist across restarts and dynamic updates applied to a running sandbox through the OpenShell CLI.
Step 5: Static Changes
Static changes modify the baseline policy file and take effect after the next sandbox creation.
Edit the Policy File
Open memantoclaw-blueprint/policies/openclaw-sandbox.yaml and add or modify endpoint entries.
Each entry in the network section defines an endpoint group with the following fields:
endpoints
: Host and port pairs that the sandbox can reach.
binaries
: Executables allowed to use this endpoint.
rules
: HTTP methods and paths that are permitted.
Re-Run Onboard
Apply the updated policy by re-running the onboard wizard:
$ memantoclaw onboard
The wizard picks up the modified policy file and applies it to the sandbox.
Verify the Policy
Check that the sandbox is running with the updated policy:
$ memantoclaw <name> status
Step 6: Dynamic Changes
Dynamic changes apply a policy update to a running sandbox without restarting it.
Create a Policy File
Create a YAML file with the endpoints to add.
Follow the same format as the baseline policy in memantoclaw-blueprint/policies/openclaw-sandbox.yaml.
Apply the Policy
Use the OpenShell CLI to apply the policy update:
$ openshell policy set <policy-file>
The change takes effect immediately.
Scope of Dynamic Changes
Dynamic changes apply only to the current session.
When the sandbox stops, the running policy resets to the baseline defined in the policy file.
To make changes permanent, update the static policy file and re-run setup.
Step 7: Policy Presets
MemantoClaw ships preset policy files for common integrations in memantoclaw-blueprint/policies/presets/.
Apply a preset as-is or use it as a starting template for a custom policy.
Available presets:
| Preset | Endpoints |
|---|
discord | Discord webhook API |
docker | Docker Hub, NVIDIA container registry |
huggingface | Hugging Face model registry |
jira | Atlassian Jira API |
npm | npm and Yarn registries |
outlook | Microsoft 365 and Outlook |
pypi | Python Package Index |
slack | Slack API and webhooks |
telegram | Telegram Bot API |
To apply a preset to a running sandbox, pass it as a policy file:
$ openshell policy set memantoclaw-blueprint/policies/presets/pypi.yaml
To include a preset in the baseline, merge its entries into openclaw-sandbox.yaml and re-run memantoclaw onboard.
Related Skills
memantoclaw-reference — Network Policies for the full baseline policy reference
memantoclaw-monitor-sandbox — Monitor Sandbox Activity for general sandbox monitoring
- OpenShell Policy Schema for the full YAML policy schema reference.
- OpenShell Sandbox Policies for applying, iterating, and debugging policies at the OpenShell layer.