Description
Version note: last confirmed on NemoClaw v0.0.36 (bundled OpenClaw). The fetch logic lives in OpenClaw, which is versioned separately, so it's possible a newer bundle has changed this — flagging in case it's already addressed.
On every gateway start, OpenClaw's model-pricing subsystem fetches reference pricing from LiteLLM and OpenRouter. In a NemoClaw sandbox running a default-strict egress policy, neither host is whitelisted, so both fetches fail with TypeError: fetch failed and OpenClaw logs the failures at WARN on every startup.
The downstream consequence is more impactful than the noise: with no pricing data loaded, every message record in the session JSONL has usage.cost = 0 even though usage.input / usage.output token counts are populated correctly. Tools reading the session log to display per-turn cost (audit dashboards, compliance review surfaces — exactly the use cases the sandbox envelope is sold on) see all-zeros and have to either give up on the cost column or compute it externally.
Why this is the wrong default for the sandbox use case
NemoClaw's positioning is "agents inside a kernel-bounded sandbox with reviewed egress." Reviewers are encouraged to keep egress narrow. But the default OpenClaw configuration assumes wide egress and reaches out to non-domain-specific pricing APIs on every startup. The mismatch produces:
- Per-startup warnings the operator has to learn to ignore (training operators to ignore warnings is generally bad).
- A silent feature degradation (cost column = 0) that downstream consumers can't distinguish from "the agent ran for free" without reading the gateway log to discover the fetch failed.
Suggested options
In rough order of how easy I'd guess each is to land:
- Add
*.litellm.ai and openrouter.ai to the standard built-in egress preset. Most reviewers will accept "outbound to a pricing reference API" if it's surfaced explicitly. Lowest-effort fix that addresses the silent-degradation problem.
- Add a config flag
gateway.modelPricing.enabled (default true, settable false). Operators in restricted environments can disable the fetch entirely. The WARN goes away, usage.cost stays 0 but the operator knows why.
- Allow pinning a static pricing table at image build time (
/sandbox/.openclaw/pricing.json or similar). Sidesteps egress entirely for self-hosted / per-jurisdiction sandboxes that have known model costs ahead of time. Better fit for the "reviewed, narrow egress" posture this product targets.
- At minimum, document the failure mode — short note in the egress/network docs explaining that pricing reference fetch fails silently in narrow-egress sandboxes and the
cost field will be zero.
(1) and (4) together would land the discoverability fix today. (2) and (3) are more substantive and better long-term.
Reproduction Steps
- Bring up a sandbox with the default (or any restrictive) egress policy.
nemoclaw <name> logs --tail 50- Observe
[gateway/model-pricing] ... pricing fetch failed entries on startup.
- Send any agent prompt that produces a tool call.
- Cat the session jsonl and grep for
"cost": — every entry shows {"input": 0, "output": 0, ...} while the token counts are real.
Environment
- OS: Windows 11 + WSL2 (Ubuntu 22.04), Docker Desktop with WSL2 backend
- NemoClaw: v0.0.36, OpenClaw runtime as bundled
- Egress policy: default presets (
npm, pypi, huggingface, brew, brave, slack, discord, telegram, jira, outlook) plus a custom playwright-setup preset. Neither LiteLLM nor OpenRouter is in the active set.
Logs
[gateway/model-pricing] LiteLLM pricing fetch failed: TypeError: fetch failed
[gateway/model-pricing] OpenRouter pricing fetch failed: TypeError: fetch failed
Both at WARN. Visible in /tmp/gateway.log and the structured /tmp/openclaw-998/openclaw-<date>.log, and surfaces through nemoclaw <name> logs.
Description
On every gateway start, OpenClaw's
model-pricingsubsystem fetches reference pricing from LiteLLM and OpenRouter. In a NemoClaw sandbox running a default-strict egress policy, neither host is whitelisted, so both fetches fail withTypeError: fetch failedand OpenClaw logs the failures atWARNon every startup.The downstream consequence is more impactful than the noise: with no pricing data loaded, every
messagerecord in the session JSONL hasusage.cost = 0even thoughusage.input/usage.outputtoken counts are populated correctly. Tools reading the session log to display per-turn cost (audit dashboards, compliance review surfaces — exactly the use cases the sandbox envelope is sold on) see all-zeros and have to either give up on the cost column or compute it externally.Why this is the wrong default for the sandbox use case
NemoClaw's positioning is "agents inside a kernel-bounded sandbox with reviewed egress." Reviewers are encouraged to keep egress narrow. But the default OpenClaw configuration assumes wide egress and reaches out to non-domain-specific pricing APIs on every startup. The mismatch produces:
Suggested options
In rough order of how easy I'd guess each is to land:
*.litellm.aiandopenrouter.aito the standard built-in egress preset. Most reviewers will accept "outbound to a pricing reference API" if it's surfaced explicitly. Lowest-effort fix that addresses the silent-degradation problem.gateway.modelPricing.enabled(defaulttrue, settablefalse). Operators in restricted environments can disable the fetch entirely. The WARN goes away,usage.coststays 0 but the operator knows why./sandbox/.openclaw/pricing.jsonor similar). Sidesteps egress entirely for self-hosted / per-jurisdiction sandboxes that have known model costs ahead of time. Better fit for the "reviewed, narrow egress" posture this product targets.costfield will be zero.(1) and (4) together would land the discoverability fix today. (2) and (3) are more substantive and better long-term.
Reproduction Steps
nemoclaw <name> logs --tail 50[gateway/model-pricing] ... pricing fetch failedentries on startup."cost":— every entry shows{"input": 0, "output": 0, ...}while the token counts are real.Environment
npm,pypi,huggingface,brew,brave,slack,discord,telegram,jira,outlook) plus a customplaywright-setuppreset. Neither LiteLLM nor OpenRouter is in the active set.Logs
Both at
WARN. Visible in/tmp/gateway.logand the structured/tmp/openclaw-998/openclaw-<date>.log, and surfaces throughnemoclaw <name> logs.