03 · Command Map — OpenClaw → NemoClaw

The rule: most OpenClaw commands still work unchanged, you just have to run them inside the sandbox. The things that don't — install, daemon, model selection, channel tokens, network reach — moved out of OpenClaw and into NemoClaw onboarding or OpenShell policy.

Getting into the right place first

In a NemoClaw deployment, "the host" and "the sandbox" are two different terminals.

# Host terminal — manage the stack, approve traffic, tail logs
nemoclaw list
nemoclaw my-assistant status
nemoclaw my-assistant logs --follow
openshell term

# Sandbox terminal — actually talk to OpenClaw
nemoclaw my-assistant connect       # drops you into the sandbox shell
sandbox$ openclaw tui                # the interactive OpenClaw UI
sandbox$ openclaw agent --agent main --local -m "hello" --session-id test

Mnemonic: nemoclaw ... on the host, openclaw ... inside the sandbox. The /nemoclaw slash command only works inside the sandbox chat (the plugin registered it there).

Direct translation table

I used to run (standalone OpenClaw)	Now (NemoClaw)
`npm i -g openclaw@latest`	`curl -fsSL https://www.nvidia.com/nemoclaw.sh \| bash` (once), then `nemoclaw onboard`
`openclaw onboard --install-daemon`	`nemoclaw onboard` (guided) — replaces both OpenClaw onboarding and the daemon install
`openclaw gateway --port 18789`	Don't. The Gateway starts automatically inside the sandbox. Port 18789 is forwarded via `components.sandbox.forward_ports`.
`openclaw doctor`	`nemoclaw my-assistant status` (host‑side) or `openclaw doctor` inside the sandbox
`openclaw agent --message "..."`	`nemoclaw my-assistant connect` then `openclaw agent --agent main --local -m "..." --session-id test`
`openclaw message send --to ...`	Same command, but run it inside the sandbox after `connect`
`openclaw pairing approve <channel> <code>`	Same, inside the sandbox
Edit `~/.openclaw/openclaw.json` on the host	Don't — rerun `nemoclaw onboard`. Host OpenClaw config is only referenced for migration snapshots.
Set `OPENAI_API_KEY` / `ANTHROPIC_API_KEY` in your shell	Give them to `nemoclaw onboard` once. They become OpenShell providers in `~/.nemoclaw/credentials.json`.
Set `TELEGRAM_BOT_TOKEN` in your shell before starting Gateway	Same — set it before `nemoclaw onboard`; the wizard picks it up and registers an OpenShell provider.
`/model <name>` inside a chat	Still works. Sets per‑session model. But the physical endpoint that model resolves to is pinned by `openshell inference set`.
`/elevated on` (per‑session exec elevation)	Still works. Elevated still means "exec tool may call host commands" — except "the host" is now the sandbox container, running as `run_as_user: sandbox`, with no `gcc`/`make`/`nc`.
Upgrade: `openclaw update --channel stable`	Don't. Bump the blueprint digest (or wait for the NemoClaw release), then rerun `nemoclaw onboard`. OpenClaw's own updater is bypassed because the image is pinned.
"I want my agent to reach `api.foo.com`"	Add it to the base policy or a preset in `nemoclaw-blueprint/policies/`, then `nemoclaw onboard`; or let the agent try once and approve it in `openshell term` for the session. See doc 04.
"I want to switch to Anthropic instead of NVIDIA"	`nemoclaw onboard` again and pick Anthropic — or `openshell inference set --provider anthropic --model claude-...` for a hot swap (inference layer is hot‑reloadable).
Tail logs	`nemoclaw my-assistant logs --follow` (blueprint + sandbox) · `openshell logs my-assistant --tail` (raw sandbox)
Remote access to the Gateway	Still Tailscale Serve/Funnel or SSH — but pointed at the host, which then port‑forwards 18789 from the sandbox.

Lifecycle cheat‑sheet

# Install, once
curl -fsSL https://www.nvidia.com/nemoclaw.sh | bash

# Create a sandbox (or recreate after policy/config changes)
nemoclaw onboard
nemoclaw onboard --resume                  # pick up a half‑finished wizard
nemoclaw onboard --from path/to/Dockerfile # custom image
nemoclaw onboard --non-interactive --yes-i-accept-third-party-software

# Day‑to‑day
nemoclaw list                              # all sandboxes
nemoclaw my-assistant status               # health + inference config
nemoclaw my-assistant logs --follow
nemoclaw my-assistant connect              # jump in and use OpenClaw
nemoclaw my-assistant policy-list          # which presets are applied
nemoclaw my-assistant policy-add           # add a preset (prompts before applying)
nemoclaw my-assistant policy-add --dry-run # preview first

# Credentials
nemoclaw credentials list
nemoclaw credentials reset NVIDIA_API_KEY

# Diagnostics
nemoclaw debug --quick --sandbox my-assistant --output /tmp/diag.tgz

# Teardown
nemoclaw my-assistant destroy              # ⚠ wipes workspace files (SOUL.md, USER.md, IDENTITY.md,
                                           #   AGENTS.md, MEMORY.md, memory/). Back up first — see doc 10.
nemoclaw uninstall --keep-openshell

`/nemoclaw` slash commands (inside the sandbox chat)

Slash	What it does
`/nemoclaw`	Help + pointers back to the host CLI
`/nemoclaw status`	Sandbox + inference state
`/nemoclaw onboard`	Reconfiguration guidance (you still run the real onboard on the host)
`/nemoclaw eject`	Prints rollback instructions back to a host install

Commands that do not have a NemoClaw equivalent (by design)

Anything that touches the host directly from OpenClaw. Node mode system.run inside the sandbox runs in a containerized view of "the host". If you want a real host operation, you have to do it from a host device node that you paired to the Gateway (iOS/Android/macOS node mode) — the device actions will still run on the device, and the exec path will still run inside the sandbox.
openclaw update. Version is pinned by the blueprint digest. There is no safe "just update OpenClaw" inside a NemoClaw sandbox.
Gateway binding tweaks (gateway.bind, Tailscale config) — the sandbox is loopback‑bound and NemoClaw forwards 18789 out. Remote access is a host responsibility now.

One concrete mental checklist

When you want to do anything in a NemoClaw deployment, ask yourself, in order:

Is this an OpenClaw product feature (a chat, a session setting, a tool call)? → Run the command inside the sandbox (nemoclaw <name> connect first).
Is this about what the agent can reach (a URL, a host, a method)? → Network policy (doc 04). Either edit the YAML + rerun onboard, or approve in openshell term.
Is this about which model/provider answers? → openshell inference set (hot) or nemoclaw onboard (persistent).
Is this about which credential is used? → OpenShell provider. Either nemoclaw credentials reset + nemoclaw onboard, or openshell provider create.
Is this about filesystem, processes, or image contents? → Edit the blueprint / policy and nemoclaw onboard to recreate. Static layers don't hot‑reload.
Is this a whole‑host concern (the container runtime, Docker, the gateway itself)? → openshell commands, but run nemoclaw onboard afterwards to put things back on the known‑good state.

Next: 04-policies-and-guardrails.md — what the YAML actually says.