Sandbox does not inhereit updated config from Root [Linode:Ubuntu]

[drewesk]

Description

On Ubuntu 22.04 LTS VM running on linode, when trying to pass Brave Api key and enabling web fetch, the config in root updates but on gateway restart it is not inherited in sandbox (which is fine). But I am not able to, inside of the sandbox, manually update the live config with gateway restart from inside of the container.

So it seems like a catchUbuntu22 (joke) in being able to add config and getting container to inherit it post gateway restart. I've been troubleshooting for hours... also I was able to solve many of the other issues in this repo, but this one I'm not sure if it's my lack of understanding some instruction or if nemoclaw is intentionally hardened from running full bash and or passing in env vars... Throwing spaghetti at the wall.

Reproduction Steps

Install Zsh, oh-my-zsh, all docker deps, open network to prevent gateway proxy, direct install on ubuntu.
nemoclaw onboard
openclaw configure --section web

added Brave API Key

The Gateway Stop and restart commands both in root and in sandbox and also attempting to set config directly in live sandbox state and reloading the gateway. As well as passing it to system.d on linux to try and globalize it (bad security practice) to throw spaghetti at the wall.

The LLM confirmed no attempts made the tools or skills visible.

Environment

Environment

• OS: Ubuntu 22.04.5 LTS (Jammy Jellyfish)
• Kernel: Linux 5.15.0-131-generic (or newer, if you updated)
• NemoClaw version: 0.0.10 (installed via curl -fsSL https://www.nvidia.com/nemoclaw.sh | bash)
• OpenClaw version (inside sandbox): 2026.3.11
• Docker version: 29.3.0 (Docker Engine, installed via official script)
• Node.js (host): v22.14.0 (from NodeSource)
• npm (host): 10.9.2
• Sandbox runtime: OpenShell 0.0.10 (k3s cluster inside Docker)

Configuration

• Host config file: /root/.openclaw/openclaw.json
  • Contains both tools.web.search.apiKey and skills.entries.brave-search.env with the Brave API key.
• Gateway started via systemd user service (no environment override needed; config mounted into sandbox)
• Sandbox created during onboarding (model openai/gpt-oss-120b selected)
• Brave key verified in host config and also visible inside sandbox at /sandbox/.openclaw/openclaw.json (mount confirmed)
• Issue: web_search tool still reports missing_brave_api_key when used in TUI or CLI.

Logs

2026-03-20T17:04:19.123Z [gateway] web_search tool failed: missing_brave_api_key
2026-03-20T17:04:19.124Z [gateway] error: 403 status code (no body)

⚠️ Agent failed before reply: missing_brave_api_key
Logs: openclaw logs --follow
etc..

Checklist

• I confirmed this bug is reproducible
• I searched existing issues and this is not a duplicate

[drewesk]

@mafueee did that commit fix this??

[wscurran]

Checking in — a previous comment asked whether a fix resolved this, but we haven't heard back. Could you confirm whether you're still seeing the config inheritance issue on the latest version? It's worth noting that openclaw config set|unset is intentionally blocked inside the sandbox as of a recent change — config updates now need to go through the gateway before the sandbox rebuilds. If that doesn't address your use case, let us know and we're happy to discuss. If we don't hear back within 7 days, we'll post a reminder; items with no response at 14 days are closed to keep the queue healthy.

[wscurran]

Closing due to inactivity. It's been 14 days since we requested additional information and we haven't heard back. Feel free to reopen if you're able to follow up, or open a new issue with the requested details included. Thanks for contributing to NemoClaw.