Back to Learn

NetClaw — AI network engineering agent

NetClaw is a CCIE-level AI network engineering coworker built on the OpenClaw runtime and Anthropic Claude. It operates from Slack / WebEx / WebChat, wires Claude to ~70+ MCP servers (pyATS, NetBox/Nautobot, ServiceNow, Grafana, AWS/GCP, Meraki, gNMI, CML/ContainerLab and more) and 100+ skills, with safety rails: ITSM-gated changes, source-of-truth reconciliation, and an immutable Git audit trail.

OpenClaw
Anthropic Claude
MCP
Slack / WebEx
ITSM-gated
GAIT audit
Agent on OpenClaw, driven by Anthropic Claude
~70+ MCP servers expose network tooling to the model
100+ skills encode CCIE-level operating procedures
ITSM gating, SoT reconciliation, immutable GAIT trail

Setup, key commands & run examples

Step 0 — prerequisites & install
Setup

You need Docker, Python 3, an Anthropic Claude API key, and (for chat ops) a Slack or WebEx workspace. Clone the repo and run the installer — it sets up OpenClaw, the MCP servers and the daemon service.

Step 0 — prerequisites & install
bash
git clone https://github.com/automateyournetwork/netclaw.git
cd netclaw

# Phase 1: install OpenClaw + MCP servers + daemon
./scripts/install.sh
# (optional) answer 'y' to enable DefenseClaw + OpenShell sandbox
Step 1 — configure OpenClaw
AI provider & channel

Point OpenClaw at Claude and wire up your chat channel. This is where the Anthropic API key, gateway and Slack/WebEx connection are set.

Step 1 — configure OpenClaw
bash
openclaw configure
# - AI provider: Anthropic Claude (paste your API key)
# - Gateway:     accept defaults for local use
# - Channels:    connect Slack (or WebEx) workspace + channel
Step 2 — setup credentials & identity
Platform credentials

Run the setup script to edit testbed.yaml (your devices) and supply platform credentials only for the integrations you use. Personalize USER.md and TOOLS.md so the agent knows your role, timezone, device IPs and channels.

Step 2 — setup credentials & identity
bash
./scripts/setup.sh
# - testbed.yaml : device hosts + credentials (start with a lab box)
# - integrations : NetBox/Nautobot, ServiceNow, Grafana, etc. (only what you use)
# - USER.md      : your name, role, timezone
# - TOOLS.md     : device IPs, SSH hosts, Slack channels, site info
Step 3 — run & first query
Run

Start the gateway and the TUI in two terminals, then ask NetClaw a read-only question from Slack/WebEx (or the TUI). Begin with health/inventory before any change.

Step 3 — run & first query
bash
# terminal 1
openclaw gateway

# terminal 2
openclaw tui

# then, from Slack / WebEx / TUI:
#   "run a health check on the lab fleet"
#   "show me the BGP neighbors on r1 and reconcile against NetBox"

Best practices

  • Only edit USER.md and TOOLS.md

    These personalize the agent. SOUL.md, AGENTS.md and IDENTITY.md define NetClaw's behavior and expertise — leave them unless you intend to change how it operates.

  • Start read-only in a lab

    Bring up one lab device in testbed.yaml first. Validate health, routing and reconciliation flows before granting write access or production credentials.

  • Gate every change behind ServiceNow

    NetClaw's config workflows expect an ITSM change request (create → approve → apply → verify → close). Keep that gate on so no change happens without an approved CR.

  • Keep the GAIT audit trail on

    The Git-based audit trail records what the agent did and why, per session. It is your answer to 'what did the AI change?' — never disable it in shared environments.

  • Add integrations incrementally

    Each MCP server needs credentials and widens the blast radius. Enable them one at a time as you actually need NetBox, Grafana, AWS, Meraki, etc.

Project owner & credits

NetClaw is an independent, open-source project. This tutorial is an educational walkthrough hosted on NAPT — it is not the official documentation and we are not affiliated with the project's authors.

Created & maintained by

  • Author: John Capobianco & the Automate Your Network community.
  • Repository: github.com/automateyournetwork/netclaw
  • Built on the OpenClaw runtime and Anthropic Claude. All product names, logos and trademarks belong to their respective owners.

Disclaimer

  • Provided for educational purposes only. Always review the upstream README and license before deploying.
  • NetClaw can execute changes against live infrastructure — you are solely responsible for testing in a lab and gating production use.
  • Anthropic Claude usage is metered and billed to your own API key; costs are your responsibility.
  • NAPT provides no warranty and accepts no liability for outcomes from following this guide.

License, terms & what you can reuse

NetClaw itself is governed by the license published in its upstream repository — always read the LICENSE file before using, modifying or redistributing the software. The tutorial text on this page is separate and provided by NAPT for learning.

You may reuse

  • The setup commands, config snippets and CLI examples shown here — they reflect the project's own public documentation.
  • Your own notes, checklist results and audit scores generated on this page (stored locally in your browser).
  • The NetClaw source under the terms of its upstream license, keeping all required copyright and license notices intact.

Please don't

  • Strip attribution or relicense NetClaw in a way its upstream license does not permit.
  • Present this tutorial as official NetClaw documentation or imply endorsement by its authors, Anthropic or OpenClaw.
  • Reuse third-party trademarks, logos or brand names beyond nominative, descriptive references.

When upstream license terms and this page conflict, the upstream license governs the software.

Review & audit

An honest assessment of NetClaw before you adopt it — what it does well, where the risks are, how it keeps changes safe, and who it suits best.

Strengths

  • Exceptional breadth — 70+ MCP integrations and 100+ skills cover most NetOps tooling out of the box.
  • Safety-first design: ITSM-gated changes, source-of-truth reconciliation and an immutable GAIT audit trail.
  • Open-source and self-hosted — full control, no vendor lock-in, runs on your own Claude key.
  • Multi-channel operations from Slack, WebEx and a local TUI suit real team workflows.

Considerations & risks

  • Large attack surface — 70+ MCP servers each need credentials and widen the blast radius.
  • Operational complexity: Docker, multiple runtimes and per-integration setup to maintain.
  • Requires metered Anthropic Claude spend that scales with usage.
  • Self-hosted means you own the security, patching and isolation; MCP maturity varies per server.

Security posture

  • Optional DefenseClaw + OpenShell sandbox isolates command execution.
  • Read-only-first model — validate health and inventory before any write.
  • Human-in-the-loop: destructive actions are gated behind approved ServiceNow change requests.
  • GAIT records every session (prompt, response, artifacts) for accountability.

Best fit

  • NetOps teams that already run a source of truth (NetBox/Nautobot) and ITSM (ServiceNow).
  • Organizations wanting an AI operations layer with auditable, gated change control.
  • Ideal for a lab or controlled rollout before granting production write access.

Readiness scoring rubric

Tick each safeguard you have in place. The weighted score and readiness band update live to show how production-ready your NetClaw deployment is.

0 / 18

0 of 8 safeguards checked

Not ready

Curated videos & guides

Checklist — pitfalls, gotchas & verification

Common pitfalls

  • Pasting production credentials into testbed.yaml before validating in a lab.
  • Enabling all 70+ MCP servers at once — huge attack surface and noisy config.
  • Disabling ServiceNow gating or GAIT to 'move faster' on changes.

Gotchas to watch

  • Requires an Anthropic Claude API key — usage is metered and billed to you.
  • Some MCP servers run via Docker/uvx/npx; missing runtimes cause silent tool failures.
  • Workspace markdown files are capped at 20,000 characters each.

Verify it works

  • Confirm 'openclaw gateway' is running before using the TUI or chat channel.
  • Run a read-only health check and confirm device output before any write.
  • Check the GAIT session log shows the turn (prompt, response, artifacts).

NetClaw is self-hosted, open-source and powered by your own Anthropic Claude key. Start read-only in a lab, enable the GAIT audit trail, and gate every write behind ServiceNow before pointing it at production.