[NemoClaw] Predictable temp filenames in onboard probe functions allow symlink attacks #1093
Description
Description
Six functions in bin/lib/onboard.js create temporary files with predictable names using Date.now() and Math.random().toString(36):
probeOpenAiLikeEndpoint(line 666)probeAnthropicEndpoint(line 710)fetchNvidiaEndpointModels(line 856)fetchOpenAiLikeModels(line 910)fetchAnthropicModels(line 946)writeSandboxConfigSyncFile(line 527)
Math.random() is not cryptographically secure — its output is predictable from a known seed. Combined with Date.now() (millisecond precision), a local attacker can predict the filename and win a race to:
- Create a symlink at the predicted path before the probe runs
- Redirect curl output (which may contain API responses with model data) to an attacker-controlled location
- For
writeSandboxConfigSyncFile, inject a malicious script that gets piped intoopenshell sandbox connect
The same file already uses fs.mkdtempSync() securely in two other places (lines 1764 and 2680), making this an inconsistency rather than a missing capability.
Reproduction Steps
- Read
bin/lib/onboard.jsline 666 - Note the filename pattern:
nemoclaw-probe-${Date.now()}-${Math.random()...}.json - Both
Date.now()andMath.random()are predictable —Date.now()is millisecond-resolution wall clock,Math.random()uses xorshift128+ with a recoverable seed - An attacker on the same system can pre-create a symlink at the predicted path in
/tmp
Expected Behavior
Temp files should use fs.mkdtempSync() which creates a directory with a cryptographically random suffix (via the OS mkdtemp syscall), preventing filename prediction.
Actual Behavior
Temp files use predictable names constructed from Date.now() + Math.random().
Environment
- Code review — applies to current
mainbranch - File:
bin/lib/onboard.js
Debug Output
N/A — static analysis finding.
Logs
N/A
Checklist
- I confirmed this bug is reproducible
- I searched existing issues and this is not a duplicate