Behavry Integration — NVIDIA NemoClaw

Behavry proxies all NemoClaw tool calls for identity verification, policy enforcement, and audit logging. Self-modifying actions (writes to skill/tool/memory paths) are escalated for human approval by default.

Endpoints

Endpoint	Format	Pipeline
`POST /api/v1/nemoclaw/mcp`	Standard MCP	Full enforcement (DLP, OPA, blast radius, audit)
`POST /api/v1/nemoclaw/tools`	NeMo Toolkit native	Audit + forward

Prerequisites

Behavry stack running (make dev or docker compose up)
A Behavry agent with appropriate permissions
A running NemoClaw instance

Configuration

export BEHAVRY_NEMOCLAW_URL=http://localhost:9100  # default

Auth: Authorization: Bearer <behavry-jwt> on all requests.

Example Request

curl -X POST http://localhost:8000/api/v1/nemoclaw/mcp \
  -H "Authorization: Bearer $BEHAVRY_JWT" \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc": "2.0", "method": "tools/call", "params": {"name": "execute_skill", "arguments": {"skill": "summarize"}}, "id": 1}'

Self-Modification Policy

nemoclaw_policy.rego escalates writes to skills/, tools/, memory/, and .agent/ paths. Approve or create exceptions in the dashboard.

OpenShell Routing

Route OpenShell sandbox creation through Behavry:

openshell sandbox create --remote spark \
  --env BEHAVRY_PROXY_URL=http://localhost:8000

See the OpenShell integration for details.

Verify

Make a tool call through the NemoClaw MCP endpoint
Check http://localhost:5173 → Live Activity
Events show mcp_server: nemoclaw-proxy

Endpoints​

Prerequisites​

Configuration​

Example Request​

Self-Modification Policy​

OpenShell Routing​

Verify​