MemoryRouter

NemoClaw

One-command persistent memory for NemoClaw sandboxed agents.

Give your NemoClaw sandboxed agent persistent memory — in one command. Handles the plugin install, API key configuration, and OpenShell egress policy automatically.


Quick Start

npx @memoryrouter/nemoclaw setup \
  --sandbox my-assistant \
  --api-key <your-memory-key>

Get your free memory key (50M tokens included) at app.memoryrouter.ai.

You'll see:

memoryrouter-nemoclaw setup
────────────────────────────────────────

[0] Preflight checks...
  ✓ openshell found
  ✓ openclaw found

[1] Installing mr-memory plugin...
  ✓ Plugin installed

[2] Configuring MemoryRouter in ~/.openclaw/openclaw.json...
  ✓ API key configured

[3] Applying MemoryRouter egress policy to sandbox "my-assistant"...
  ✓ Policy applied to sandbox "my-assistant"

[4] Restarting OpenClaw gateway...
  ✓ Gateway restarted

────────────────────────────────────────
✓ Setup complete!

Then optionally upload your existing conversation history:

openclaw mr upload

How It Works

The sandbox problem

NemoClaw runs OpenClaw inside an OpenShell sandbox with deny-by-default network egress. Every outbound endpoint must be explicitly permitted in the sandbox policy.

The mr-memory plugin installs fine — the npm registry (registry.npmjs.org) is already in the default egress policy. But when the plugin tries to call api.memoryrouter.ai at runtime, OpenShell blocks the request. The plugin appears to install correctly but memory silently doesn't work.

What the setup command does

| Step | What | How |
|------|------|-----|
| 0 | Preflight | Checks openshell and openclaw are on PATH |
| 1 | Install plugin | openclaw plugins install mr-memory |
| 2 | Configure key | Writes API key into ~/.openclaw/openclaw.json |
| 3 | Egress policy | Reads current sandbox policy → merges MemoryRouter block → openshell policy set |
| 4 | Restart | openclaw gateway restart |

The command is idempotent — running it again detects the existing policy and skips the merge.

Memory flow

Once set up, the mr-memory plugin hooks into the OpenClaw gateway lifecycle:

  • before_agent_start — recalls relevant memories from past sessions and injects them into context
  • agent_end — stores the conversation to your MemoryRouter vault

The sandbox doesn't interfere — it sees MemoryRouter calls as normal HTTPS egress to a permitted endpoint.


Egress Policy Details

The setup command adds this minimal block to your sandbox's network policy:

network_policies:
  memoryrouter:
    name: memoryrouter
    endpoints:
      - host: api.memoryrouter.ai
        port: 443
        protocol: rest
        tls: terminate
        enforcement: enforce
        rules:
          - allow: { method: GET, path: /** }
          - allow: { method: POST, path: /** }
    binaries:
      - path: /usr/local/bin/openclaw
      - path: /usr/local/bin/node

Only api.memoryrouter.ai:443 is added. No wildcard domains. No broad network access. Scoped to the OpenClaw and Node binaries only.

openshell policy set replaces the entire policy document. The setup command handles this automatically — it reads your current policy, merges the MemoryRouter block, and re-applies the full document. If you apply manually, export your current policy first so existing rules aren't lost.
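
An added example, not the setup command's own code, of the merge described above: it builds the full document to re-apply, confirms no existing entry was dropped, and flags wildcard hosts or missing binary scoping. The sample policy, the `npm_registry` entry name and the function names are assumptions; policies are treated as objects already parsed from YAML.

```javascript
// Added example, not MemoryRouter's code. A policy here is a plain object:
// the sandbox policy YAML after parsing with a YAML library of your choice.

// The block from "Egress Policy Details", as data.
const MEMORYROUTER_BLOCK = {
  name: "memoryrouter",
  endpoints: [{
    host: "api.memoryrouter.ai", port: 443, protocol: "rest",
    tls: "terminate", enforcement: "enforce",
    rules: [{ allow: { method: "GET", path: "/**" } },
            { allow: { method: "POST", path: "/**" } }],
  }],
  binaries: [{ path: "/usr/local/bin/openclaw" }, { path: "/usr/local/bin/node" }],
};

// Constructed sample of an exported policy; the entry name is hypothetical.
const SAMPLE_POLICY = { network_policies: { npm_registry: {
  name: "npm_registry", endpoints: [{ host: "registry.npmjs.org", port: 443 }],
  binaries: [{ path: "/usr/local/bin/node" }],
} } };

// Build the full document to re-apply. Existing entries are carried over;
// an existing memoryrouter entry is left untouched (idempotent).
function mergeMemoryRouter(current) {
  const existing = current.network_policies || {};
  if (existing.memoryrouter) return { policy: current, changed: false };
  const block = JSON.parse(JSON.stringify(MEMORYROUTER_BLOCK));
  return {
    policy: { ...current, network_policies: { ...existing, memoryrouter: block } },
    changed: true,
  };
}

// Entry names present in `before` but missing from `after`: must be empty
// before the merged file goes to `openshell policy set`.
function droppedPolicies(before, after) {
  const kept = new Set(Object.keys(after.network_policies || {}));
  return Object.keys(before.network_policies || {}).filter((k) => !kept.has(k));
}

// Review findings for one entry: wildcard hosts or no binary scoping.
function auditEntry(entry) {
  const findings = [];
  for (const ep of entry.endpoints || [])
    if (String(ep.host).includes("*")) findings.push(`wildcard host ${ep.host}`);
  if (!(entry.binaries || []).length) findings.push("not scoped to any binary");
  return findings;
}
```

Serialize `policy` back to YAML and apply it only when `changed` is true and `droppedPolicies` returns an empty list.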


CLI Reference

Setup command

npx @memoryrouter/nemoclaw setup [options]

| Option | Description |
|--------|-------------|
| --sandbox <name> | NemoClaw sandbox name (required) |
| --api-key <key> | MemoryRouter API key (required) |
| --dry-run | Preview changes without applying |
| --skip-policy | Skip the egress policy update |
| --skip-plugin-install | Skip plugin installation |

After setup

Once installed, all standard openclaw mr commands work:

openclaw mr status          # Vault stats
openclaw mr upload          # Upload workspace + sessions to vault
openclaw mr off             # Disable memory
openclaw mr delete          # Clear vault
openclaw mr on              # Re-enable memory

Manual Setup

If you prefer to apply the steps yourself:

1. Install the plugin

openclaw plugins install mr-memory

2. Add your memory key

openclaw mr <your-memory-key>

3. Add the egress rule

Export your current sandbox policy, add the memoryrouter block from the Egress Policy Details section above to the network_policies section, then re-apply:

openshell policy set my-assistant --policy /path/to/updated-policy.yaml --wait

4. Restart the gateway

openclaw gateway restart

Why Cloud Memory in a Sandbox?

NemoClaw's sandbox restricts filesystem writes to /sandbox/.openclaw-data and /tmp. Local vector databases won't survive sandbox rebuilds. Cloud memory persists through:

  • Sandbox restarts
  • nemoclaw onboard cycles
  • Policy resets
  • Compaction and session resets

Your memories live outside the sandbox, accessible from any session.


Troubleshooting

Plugin installs but memory doesn't work

The egress rule is missing. Run the setup command or add the policy block manually. Without the egress rule, all calls to api.memoryrouter.ai are silently blocked by OpenShell.

"openshell not found" error

You're not inside a NemoClaw sandbox. This package is specifically for NemoClaw environments. For regular OpenClaw, use the standard OpenClaw setup instead.

Policy already exists message

The setup command detected the MemoryRouter egress rule is already in your sandbox policy. This is fine — it skips the merge and continues.

Binary path changed after upgrade

The egress rule is scoped to specific binary paths (/usr/local/bin/openclaw, /usr/local/bin/node). If NemoClaw updates change these paths, the rule silently stops working. Re-run the setup command after major NemoClaw upgrades.


Pricing

| Plan | Price | Details |
|------|-------|---------|
| Free | $0 | 50M tokens included. No credit card required. |
| Pro | $0.10 / 1M tokens | Pay as you go. No subscription. |

Get started at app.memoryrouter.ai.
