Getting Started

ClawWatch gives you real-time observability and policy control over NVIDIA NemoClaw AI agent sandboxes. This guide walks you from zero to your first live event stream in under 5 minutes.

Prerequisites

  • Node.js 18+ installed
  • A running NVIDIA NemoClaw deployment
  • A ClawWatch account (free trial at clawwatch.app/sign-up)

1. Install the CLI

The ClawWatch CLI is published on npm as an open-source package.

bash
Copy
npm install -g clawwatch

2. Generate an API token

In the ClawWatch dashboard, navigate to Settings → API Keys and create a new token. Copy it — you'll use it in the next step.

Tokens are shown only once. Store yours in a secure secrets manager.

3. Connect your sandbox

bash
Copy
clawwatch connect my-sandbox-name --token cw_YOUR_TOKEN_HERE

The CLI will verify the connection and begin streaming events. You should see the sandbox appear in your Overview within a few seconds.

4. Explore the dashboard

Once events start flowing, explore the Live Feed for real-time event streaming, the Audit Log for full history, and the Policy Studio to deploy your first guardrail.

Policy Studio

The Policy Studio lets you write, validate, version, and deploy YAML policies that intercept agent actions in real time. Policies are evaluated in-process — enforcement latency is under 100ms.

Policy structure

yaml
Copy
version: "1.0"
sandbox: my-sandbox

rules:
  - name: block_shell_execution
    match:
      type: TOOL_CALL
      action: "bash.*"
    action: BLOCK
    alert: true

  - name: restrict_file_access
    match:
      type: FILE_ACCESS
      paths:
        - "/etc/**"
        - "/proc/**"
    action: BLOCK

cost_controls:
  daily_limit_usd: 5.00
  alert_at_usd: 4.00

Pulling a policy

Select a sandbox in the Policy Studio dropdown to load its active policy into the editor. You can also pull via CLI:

bash
Copy
clawwatch policy pull my-sandbox --token cw_…

Pushing a policy

Click Deploy in the editor, or push from CLI:

bash
Copy
clawwatch policy push my-sandbox --file policy.yaml --token cw_…

Every policy deployment creates a version snapshot. Roll back to any previous version from the Version History drawer in the studio.

Rule actions

ActionEffectAlert sent?
BLOCKRejects the action immediatelyYes (if alert: true)
WARNLogs the action with warning level, allows throughYes
THROTTLERate-limits matching actionsWhen limit exceeded
ALLOWExplicit allow (useful in deny-default configs)No

CLI Reference

The clawwatch CLI is the bridge between your NemoClaw deployment and the ClawWatch dashboard. All commands require a valid API token.

clawwatch connect <name>

Register a sandbox and start streaming events to ClawWatch. The name becomes the sandbox identifier in the dashboard.

Flags

--token <cw_…> Required. Your ClawWatch API token.
--host <url> Optional. Ingest endpoint (default: https://clawwatch.app/api/ingest).
bash
Copy
clawwatch connect prod-agent-01 --token cw_abc123

clawwatch demo

Send synthetic demo events to verify your setup without a real NemoClaw deployment.

Flags

--token <cw_…> Required. Your ClawWatch API token.
--count <n> Number of demo events to send (default: 50).
bash
Copy
clawwatch demo --token cw_abc123 --count 100

clawwatch policy pull <sandbox>

Download the active policy for a sandbox to a local YAML file.

Flags

--token <cw_…> Required.
--out <file> Output file path (default: policy.yaml).
bash
Copy
clawwatch policy pull prod-agent-01 --token cw_abc123 --out my-policy.yaml

clawwatch policy push <sandbox>

Upload and deploy a YAML policy for a sandbox.

Flags

--token <cw_…> Required.
--file <path> Path to the YAML policy file.
bash
Copy
clawwatch policy push prod-agent-01 --file my-policy.yaml --token cw_abc123

Audit Log & Export

The Audit Log is an immutable, append-only record of every event across all your sandboxes. It supports advanced filtering and compliance-grade CSV export.

Filtering

Open the Filters panel on the Audit Log page to filter by:

  • Date range (from / to)
  • Sandbox (multi-select)
  • Event type (network, inference, filesystem, process)
  • Outcome (allowed, blocked, warned)
  • Cost range (min / max USD)
  • Free-text search on action, host, or path

CSV export formats

ModeExtra columnsUse case
StandardInternal reporting
SOC 2sandbox_id, metadata_json, record_typeSOC 2 Type II evidence
GDPRdata_subject, processing_basis, retention_policyGDPR Article 30 records

All timestamps in exported files are ISO 8601 format (UTC).

FAQ

How does ClawWatch intercept NemoClaw events?

The ClawWatch CLI acts as an event collector that hooks into the NemoClaw event emission API. It forwards events to our ingestion endpoint over HTTPS without modifying any model behavior.

What happens when a policy blocks an action?

The BLOCK action causes the CLI to return an error to the NemoClaw runtime, preventing the action from executing. The event is logged with outcome=blocked and an optional alert is triggered.

Can I run ClawWatch on-premise?

Enterprise plan customers can self-host the ingestion endpoint and database. Contact us for an architecture review.

How do I rotate an API token?

Go to Settings → API Keys, generate a new token, update your CLI config, then revoke the old token. There is no downtime during rotation.

ClawWatch — NemoClaw Observability & Policy Control