Getting Started

ClawWatch gives you real-time observability and policy control over NVIDIA NemoClaw AI agent sandboxes. This guide walks you from zero to your first live event stream in under 5 minutes.

Prerequisites

  • Node.js 18+ installed
  • A running NVIDIA NemoClaw sandbox (build.nvidia.com/nemoclaw)
  • A ClawWatch account (free trial at claw-watch.dev/sign-up)

1. Install the CLI

The ClawWatch CLI is published on npm as an open-source package.

bash
npm install -g clawwatch

2. Generate an API token

In the ClawWatch dashboard, navigate to Settings → API Keys and create a new token. Copy it — you'll use it in the next step.

Tokens are shown only once. Store yours in a secure secrets manager.

3. Watch your sandbox

The `watch` command spawns `nemoclaw <name> logs --follow` internally and streams every event to ClawWatch automatically. Make sure `nemoclaw` is installed and on your PATH.

bash
clawwatch watch my-sandbox-name --token cw_YOUR_TOKEN_HERE

Alternatively, pipe the log stream manually if you need custom log filtering:

bash
nemoclaw my-sandbox-name logs --follow | clawwatch connect my-sandbox-name --token cw_YOUR_TOKEN_HERE

Events will appear in your Overview within a few seconds.

4. Explore the dashboard

Once events start flowing, explore the Live Feed for real-time event streaming, the Audit Log for full history, and the Policy Studio to deploy your first guardrail.

Policy Studio

The Policy Studio lets you write, validate, version, and deploy YAML policies that intercept agent actions in real time. Policies are evaluated in-process — enforcement latency is under 100ms.

Policy structure

ClawWatch policies map directly to NemoClaw's openclaw-sandbox.yaml format. NemoClaw enforces a deny-by-default network posture — only hosts listed under endpoints are reachable.

yaml
# openclaw-sandbox.yaml — NemoClaw network policy
version: "1.0"
sandbox: my-sandbox

# Outbound network endpoints (deny-all by default)
endpoints:
  - host: integrate.api.nvidia.com
    port: 443
    protocol: tcp
    comment: "NVIDIA inference gateway (required)"
  - host: pypi.org
    port: 443
    protocol: tcp
  - host: registry.npmjs.org
    port: 443
    protocol: tcp

# Binaries allowed to make network calls
binaries:
  - node
  - python3
  - pip
  - npm

# Additional ClawWatch policy rules
rules:
  - name: block_metadata_endpoint
    match:
      host: "169.254.169.254"
    action: BLOCK
    alert: true

  - name: restrict_sensitive_paths
    match:
      type: FILE_ACCESS
      paths: ["/etc/**", "/proc/**", "/root/**"]
    action: BLOCK

cost_controls:
  daily_limit_usd: 5.00
  alert_at_usd: 4.00

Pulling a policy

Select a sandbox in the Policy Studio dropdown to load its active policy into the editor. You can also pull via CLI:

bash
clawwatch policy pull my-sandbox --token cw_…

Pushing a policy

Click Deploy in the editor, or push from CLI:

bash
clawwatch policy push my-sandbox --file policy.yaml --token cw_…

Every policy deployment creates a version snapshot. Roll back to any previous version from the Version History drawer in the studio.

Rule actions

| Action | Effect | Alert sent? |
|---|---|---|
| BLOCK | Rejects the action immediately | Yes (if alert: true) |
| WARN | Logs the action with warning level, allows through | Yes |
| THROTTLE | Rate-limits matching actions | When limit exceeded |
| ALLOW | Explicit allow (useful in deny-default configs) | No |
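
A pre-deploy check for the policy format and rule actions described above, as an added example that is not ClawWatch's own validator. The names `lintPolicy` and `PAGE_POLICY` are hypothetical, the YAML parsing step is omitted (the policy is written out as the object a parser would return), and the cost-threshold check is an assumption about intent.

```javascript
// lint-policy.js (added example, not ClawWatch's validator).
const ACTIONS = new Set(['BLOCK', 'WARN', 'THROTTLE', 'ALLOW']); // Rule actions table

// IPv4 link-local literal (169.254.0.0/16); covers the metadata address.
const isLinkLocal = (host) => /^169\.254\.\d{1,3}\.\d{1,3}$/.test(String(host));

function lintPolicy(policy) {
  const findings = [];
  // endpoints is the allow list of a deny-by-default posture, so a link-local
  // entry would open what block_metadata_endpoint is meant to close.
  for (const ep of policy.endpoints ?? []) {
    if (isLinkLocal(ep.host)) findings.push(`endpoint ${ep.host}: link-local host is allow-listed`);
  }
  for (const rule of policy.rules ?? []) {
    if (!ACTIONS.has(rule.action)) {
      findings.push(`rule ${rule.name}: unknown action ${rule.action}`);
    } else if (rule.action === 'BLOCK' && rule.alert !== true) {
      // Per the table, BLOCK alerts only when alert: true is set.
      findings.push(`rule ${rule.name}: BLOCK without alert: true sends no alert`);
    }
  }
  // Assumption: the alert threshold is meant to fire before the daily limit.
  const cc = policy.cost_controls;
  if (cc && !(cc.alert_at_usd < cc.daily_limit_usd)) {
    findings.push('cost_controls: alert_at_usd is not below daily_limit_usd');
  }
  return findings;
}

// The policy from this page, written out as the object a YAML parser would return.
const PAGE_POLICY = {
  endpoints: [
    { host: 'integrate.api.nvidia.com', port: 443, protocol: 'tcp' },
    { host: 'pypi.org', port: 443, protocol: 'tcp' },
    { host: 'registry.npmjs.org', port: 443, protocol: 'tcp' },
  ],
  binaries: ['node', 'python3', 'pip', 'npm'],
  rules: [
    { name: 'block_metadata_endpoint', match: { host: '169.254.169.254' }, action: 'BLOCK', alert: true },
    { name: 'restrict_sensitive_paths', action: 'BLOCK',
      match: { type: 'FILE_ACCESS', paths: ['/etc/**', '/proc/**', '/root/**'] } },
  ],
  cost_controls: { daily_limit_usd: 5.0, alert_at_usd: 4.0 },
};
```

Run against the policy shown on this page, `lintPolicy(PAGE_POLICY)` returns a single finding: `restrict_sensitive_paths` blocks without `alert: true`, so per the table it rejects file access without sending an alert.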

CLI Reference

The clawwatch CLI is the bridge between your NemoClaw deployment and the ClawWatch dashboard. All commands require a valid API token.

clawwatch watch <sandbox-name>

Primary integration. Spawns `nemoclaw <sandbox-name> logs --follow` as a child process, parses every log line, and streams structured events to ClawWatch. Requires nemoclaw in PATH.

Flags

--token <cw_…> Required. Your ClawWatch API token.
--url <url> Optional. ClawWatch API URL (default: https://claw-watch.dev).
--interval <ms> Batch flush interval in ms (default: 1000).
-v, --verbose Print raw log lines before parsing.
bash
clawwatch watch prod-agent-01 --token cw_abc123

clawwatch connect <sandbox-name>

Pipe mode. Accepts NDJSON events on stdin or from a file. Use this when you want to filter or transform logs before sending. Example: `nemoclaw <sandbox-name> logs --follow | clawwatch connect …`

Flags

--token <cw_…> Required. Your ClawWatch API token.
-f, --file <path> Read events from a log file (defaults to stdin).
--url <url> Optional. ClawWatch API URL (default: https://claw-watch.dev).
--interval <ms> Batch flush interval in ms (default: 1000).
bash
nemoclaw prod-agent-01 logs --follow | clawwatch connect prod-agent-01 --token cw_abc123
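
A filter for pipe mode, covering both the "custom log filtering" case in Getting Started and the filter-or-transform case above: it masks credential-looking values in each log line before the line leaves the host. This is an added example, not part of the ClawWatch CLI; the file name `redact.js`, the `--filter` switch and the patterns are assumptions made for illustration.

```javascript
// redact.js (added example; patterns are constructed for illustration).
// Usage: nemoclaw <sandbox-name> logs --follow | node redact.js --filter \
//          | clawwatch connect <sandbox-name> --token cw_…
const RULES = [
  // ClawWatch tokens carry the cw_ prefix shown in this guide.
  [/\bcw_[A-Za-z0-9_-]+/g, 'cw_[REDACTED]'],
  // Bearer credentials echoed in tool calls or request logs.
  [/(authorization:\s*bearer\s+)[^\s"']+/gi, '$1[REDACTED]'],
  // key=value and "key": "value" secrets; the value is masked, the key is kept.
  [/((?:api[_-]?key|token|password|secret)["']?\s*[=:]\s*["']?)[^\s"'&,}]+/gi,
    '$1[REDACTED]'],
];

// Apply every rule to one log line and return the masked line.
function redactLine(line) {
  return RULES.reduce((out, [re, repl]) => out.replace(re, repl), line);
}

// Stream mode: split stdin on newlines so each event is forwarded as soon as
// it is complete, which keeps `--follow` output flowing.
if (process.argv.includes('--filter')) {
  let buf = '';
  process.stdin.setEncoding('utf8');
  process.stdin.on('data', (chunk) => {
    const lines = (buf + chunk).split('\n');
    buf = lines.pop(); // trailing partial line waits for the next chunk
    for (const l of lines) process.stdout.write(redactLine(l) + '\n');
  });
  process.stdin.on('end', () => {
    if (buf) process.stdout.write(redactLine(buf) + '\n');
  });
}
```

The key pattern requires `=` or `:` directly after the keyword, so fields such as `max_tokens=512` in inference lines pass through unchanged.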

clawwatch demo

Generate realistic NemoClaw sandbox events for testing. Uses real NVIDIA model names, real network destinations, and real filesystem paths — no NemoClaw deployment needed.

Flags

--token <cw_…> Required. Your ClawWatch API token.
-s, --sandbox <name> Sandbox name (default: cycles through demo names).
--url <url> Optional. ClawWatch API URL.
--rate <n> Events per second, max 20 (default: 2).
bash
clawwatch demo --token cw_abc123 --rate 5

clawwatch format

Print the expected NDJSON event schema and exit. Useful for building custom integrations.

Flags

bash
clawwatch format

Audit Log & Export

The Audit Log is an immutable, append-only record of every event across all your sandboxes. It supports advanced filtering and compliance-grade CSV export.

Filtering

Open the Filters panel on the Audit Log page to filter by:

  • Date range (from / to)
  • Sandbox (multi-select)
  • Event type (network, inference, filesystem, process)
  • Outcome (allowed, blocked, warned)
  • Cost range (min / max USD)
  • Free-text search on action, host, or path

CSV export formats

| Mode | Extra columns | Use case |
|---|---|---|
| Standard | | Internal reporting |
| SOC 2 | sandbox_id, metadata_json, record_type | SOC 2 Type II evidence |
| GDPR | data_subject, processing_basis, retention_policy | GDPR Article 30 records |

All timestamps in exported files are in ISO 8601 format (UTC).

FAQ

How does ClawWatch intercept NemoClaw events?

The ClawWatch CLI runs `nemoclaw <sandbox-name> logs --follow` as a child process (via `clawwatch watch`) or reads its output from stdin (via `clawwatch connect`). NemoClaw's log stream includes OpenShell network interception events ([BLOCKED]/[ALLOWED]), inference routing lines, Landlock filesystem denials, and OpenClaw tool call records. The CLI parses these with pattern matching and forwards structured JSON events to our ingestion endpoint over HTTPS. No SDK wrappers, no kernel modules — just log parsing.

What happens when a policy blocks an action?

The BLOCK action causes the CLI to return an error to the NemoClaw runtime, preventing the action from executing. The event is logged with outcome=blocked and an optional alert is triggered.

Can I run ClawWatch on-premise?

Enterprise plan customers can self-host the ingestion endpoint and database. Contact us for an architecture review.

How do I rotate an API token?

Go to Settings → API Keys, generate a new token, update your CLI config, then revoke the old token. There is no downtime during rotation.

ClawWatch — NemoClaw Observability & Policy Control