Most of what NetClaw does, it does through APIs — gNMI, REST, NETCONF, GraphQL. That’s the right way to automate a network: structured, auditable, repeatable. But real networks are messy, and not everything worth touching has a clean API behind it. Some of the most useful information lives behind a login screen in a vendor’s web dashboard. Some of it lives in an old desktop application that has never had an API at all. So over two features, I gave NetClaw a way to reach both.
Part 1: Teaching NetClaw to Drive a Browser
SDN controllers, in particular, have a habit of putting real operational data — bridge domain status, tenant health, a specific alarm — behind a GUI-only report that the REST API simply doesn’t expose. You can see it in the dashboard. You can’t query it. That’s the gap Chrome DevTools MCP closes.
I integrated the official chrome-devtools-mcp server (built by the Chrome DevTools team) and wrote a skill, browser-gui-inspect, with one non-negotiable rule: read, confirm, and search only — never submit a configuration change. If a task needs to actually change something, that belongs to NetClaw’s proper API-based skills, with their observe → baseline → modify → verify workflow and ITSM change-request gating. The browser is for reading what the API won’t show you, not for sneaking a config push around the guardrails.
The part I actually wanted, though, was Watch Mode. By default the browser runs headless — no visible window, just NetClaw reading the page. But say the word, and NetClaw spins up a real, visible Chrome window instead — wherever NetClaw happens to be running. Ask it over Slack to log into a demo NetBox instance and create a new site, and you can watch it happen, live, click by click. It’s the difference between trusting a report and watching the work.
Getting there took a real bug fix, too — running this live, NetClaw hit a wall because Chrome wasn’t installed in the path the tool expected. Rather than patch around it once, I built Chrome provisioning directly into the installer, so it self-heals on any machine — Linux, WSL2, or Mac — without anyone needing to know where Chrome “should” live.
Part 2: Teaching NetClaw to Drive an Entire Desktop
Browser control solves the web-GUI gap. But some of the oldest, most stubborn tooling in networking and security has no web GUI and no API — just a native desktop application. A legacy Java-based NMS client. A vendor’s Windows-only configuration utility. A terminal emulator with no scriptable interface at all. Browser automation can’t touch any of that, because there’s no browser involved.
That’s where Computer Use comes in — OpenClaw’s own full-desktop automation capability. Instead of a browser, NetClaw now gets a real virtual desktop: Xvfb and XFCE running headlessly on the NetClaw host, driven by xdotool for real mouse movement, clicks, drags, keyboard input, and screenshots. Seventeen actions in total. It’s the same idea as browser control, one layer down the stack — instead of controlling one application (Chrome), NetClaw controls the whole screen.
I wrapped this in a new skill, desktop-gui-inspect, with the exact same golden rule as its browser sibling: reading and confirming state only, never a side door around the real change-management workflow. And it gets the same Watch Mode, too — a VNC/noVNC live-viewing service so an operator can watch NetClaw operate the virtual desktop in real time, or take over the mouse and keyboard themselves if a step needs a human (an interactive first-run license dialog, say).
Building this one live surfaced two real bugs before they ever shipped. First: the virtual desktop’s live-viewing service, by default, listens on every network interface — not just localhost. That’s full desktop control exposed to anyone who can reach the port. I caught it with a plain ss -tlnp check during testing, and the installer now locks it to loopback-only automatically, verifying the fix on every install rather than just hoping it stuck. Second: the installed skill’s own action scripts weren’t executable out of the box — every single click or keystroke failed with a permission error until that got fixed too. Neither of these is a hypothetical “best practice” — they’re bugs a live desktop, with a real terminal window and a real typed command, exposed in the first ten minutes of testing.
The Pattern
Two features, one shape: give NetClaw a controlled way to see something the APIs can’t reach, make sure it can never use that access to make an unaudited change, and always give the human a window to watch — or take the wheel. Browser control and desktop control aren’t a replacement for API-driven automation; they’re the fallback for when a legitimate answer only exists on a screen, wherever that screen happens to live.


