Description
During a default (OpenClaw) onboard, the [8/8] Policy presets selector — and nemoclaw <sandbox> policy-add — list the Hermes-only Nous Portal presets (nous-audio, nous-browser, nous-code, nous-image, nous-web) as selectable options. These belong to the Hermes (NemoHermes) agent: they whitelist the Hermes binary and route to the Hermes/Nous Portal tool-gateway broker, neither of which exists in an OpenClaw sandbox. They are not checked by default, but an operator can manually enable and apply them on an OpenClaw sandbox, adding egress rules meaningless for OpenClaw (an unnecessary policy/attack surface and a misleading UX). The preset catalog shown to the selector is not filtered by agent type.
Environment
Device: Brev VM brev-hv34p39z2 (g6.xlarge), NVIDIA L4, 4 vCPU, 15 GiB RAM
OS: Ubuntu 22.04.5 LTS
Architecture: x86_64
Node.js: v22.22.3
npm: 10.9.8
Docker: 29.5.2
OpenShell CLI: 0.0.44
NemoClaw: v0.0.59
OpenClaw: 2026.5.27 (27ae826)
Agent-type logic issue, not platform-specific; reproduced on the platform above.
Steps to Reproduce
- Run a default onboard (OpenClaw agent — no
nemohermes specified): nemoclaw onboard --fresh --name brev-ollama
- Proceed to
[8/8] Policy presets and observe the preset list (any tier). Or, on an existing OpenClaw sandbox: nemoclaw brev-ollama policy-add
- Inspect the offered presets.
Expected Result
For an OpenClaw (non-Hermes) sandbox, the selector should NOT offer Hermes-only tool-gateway presets (nous-audio / nous-browser / nous-code / nous-image / nous-web).
Actual Result
nemoclaw brev-ollama policy-add on the OpenClaw sandbox (● applied / ○ not applied):
9) ○ nous-audio — Nous Portal managed audio generation and transcription gateway
10) ○ nous-browser — Nous Portal managed browser automation gateway
11) ○ nous-code — Nous Portal managed sandboxed code execution gateway
12) ○ nous-image — Nous Portal managed image generation gateway
13) ○ nous-web — Nous Portal managed web search and crawl gateway
The five nous-* (Hermes) presets are listed and selectable on an OpenClaw sandbox. The same appears in the onboard [8/8] preset TUI (shown as unchecked [ ] nous-*).
Logs
nous-* preset content (nemoclaw-blueprint/policies/presets/nous-*.yaml) confirms they are Hermes/Nous-specific:
description: "Nous Portal managed ... gateway"
endpoints: host.openshell.internal:11436 (Nous Portal broker)
binaries: /usr/local/bin/hermes, /opt/hermes/.venv/bin/python
Root cause (source, NemoClaw v0.0.59):
- nemoclaw/src/lib/policy/index.ts:257 setupPolicyPresetSupported only filters `brave`
(web search); it does NOT filter by agent type.
- nemoclaw/src/lib/policy/index.ts:271 listSetupPolicyPresets returns the full preset
catalog (all YAML, including nous-*) regardless of agent.
- nemoclaw/src/lib/onboard/policy-selection.ts:294 builds the selectable list with no agent argument.
- nemoclaw/src/lib/onboard/hermes-managed-tools.ts:24-55 defines nous-* as
HERMES_TOOL_GATEWAY_PRESET_NAMES; elsewhere (policy-selection.ts:180-182) they are only
added to the default selection when hermesToolGateways is set (Hermes) — so the intended
scope is Hermes-only, but the catalog/visibility path does not honor it.
Suggested fix: filter the selectable catalog by active agent — exclude HERMES_TOOL_GATEWAY_PRESET_NAMES when agent != "hermes".
Default behavior is unaffected (nous-* are listed but unchecked on OpenClaw); the defect is that they are visible/selectable at all. Found while testing DevTest T5999672.
NVB#6272264
Description
During a default (OpenClaw) onboard, the
[8/8]Policy presets selector — andnemoclaw <sandbox> policy-add— list the Hermes-only Nous Portal presets (nous-audio,nous-browser,nous-code,nous-image,nous-web) as selectable options. These belong to the Hermes (NemoHermes) agent: they whitelist the Hermes binary and route to the Hermes/Nous Portal tool-gateway broker, neither of which exists in an OpenClaw sandbox. They are not checked by default, but an operator can manually enable and apply them on an OpenClaw sandbox, adding egress rules meaningless for OpenClaw (an unnecessary policy/attack surface and a misleading UX). The preset catalog shown to the selector is not filtered by agent type.Environment
Agent-type logic issue, not platform-specific; reproduced on the platform above.
Steps to Reproduce
nemohermesspecified):nemoclaw onboard --fresh --name brev-ollama[8/8]Policy presets and observe the preset list (any tier). Or, on an existing OpenClaw sandbox:nemoclaw brev-ollama policy-addExpected Result
For an OpenClaw (non-Hermes) sandbox, the selector should NOT offer Hermes-only tool-gateway presets (
nous-audio/nous-browser/nous-code/nous-image/nous-web).Actual Result
nemoclaw brev-ollama policy-addon the OpenClaw sandbox (● applied / ○ not applied):The five
nous-*(Hermes) presets are listed and selectable on an OpenClaw sandbox. The same appears in the onboard[8/8]preset TUI (shown as unchecked[ ] nous-*).Logs
Suggested fix: filter the selectable catalog by active agent — exclude
HERMES_TOOL_GATEWAY_PRESET_NAMESwhenagent != "hermes".Default behavior is unaffected (
nous-*are listed but unchecked on OpenClaw); the defect is that they are visible/selectable at all. Found while testing DevTest T5999672.NVB#6272264