[Security] NVIDIA API key exposed in process list when creating inference provider #325

@ericksoa

During onboarding, openshell provider create is called with the API key interpolated directly into the shell command:

openshell provider create --name nvidia-nim --type openai \
  --credential "NVIDIA_API_KEY=${process.env.NVIDIA_API_KEY}" ...

While this command is running, any user on the machine can see the full API key via ps aux. On shared systems (e.g., DGX Spark), this is a real credential exposure risk.

Expected: Pass the credential via stdin, environment variable, or a temporary file with restricted permissions — not as a command-line argument.

Related PRs that partially address this:

Labels

priority: high, security
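The difference between the three delivery paths named in the issue, as an added example that is not code from the issue or the project. The child process is a hypothetical stand-in that reports its own argument vector; the `--credential NVIDIA_API_KEY` name-only form and `--credential-stdin` are assumed flags for that stand-in, not confirmed `openshell` options, and the key is a constructed placeholder.

```javascript
// Added example (not from the issue): keep a secret out of a child's argv.
const { spawnSync } = require('node:child_process');

const SAMPLE_KEY = 'nvapi-EXAMPLE-not-a-real-key'; // constructed placeholder

// Hypothetical stand-in for the CLI: reports the argv it was started with
// (what `ps aux` would show) and where the credential actually arrived.
const CHILD = `
let input = '';
process.stdin.on('data', (c) => { input += c; });
process.stdin.on('end', () => console.log(JSON.stringify({
  argv: process.argv.slice(1),
  fromEnv: process.env.NVIDIA_API_KEY || null,
  fromStdin: input.trim() || null,
})));`;

function runChild(args, { env = {}, input = '' } = {}) {
  const res = spawnSync(process.execPath, ['-e', CHILD, '--', ...args], {
    env: { ...process.env, ...env }, input, encoding: 'utf8',
  });
  if (res.status !== 0) throw new Error(`child failed: ${res.stderr}`);
  return JSON.parse(res.stdout);
}

// True when the secret is present in any element of the argument vector.
const leaksInArgv = (argv, secret) => argv.some((a) => a.includes(secret));

// Pattern from the issue: the key is interpolated into an argument.
const viaArgv = (key) => runChild(['--credential', `NVIDIA_API_KEY=${key}`]);

// Environment: argv carries only the variable name (flag form is assumed).
const viaEnv = (key) =>
  runChild(['--credential', 'NVIDIA_API_KEY'], { env: { NVIDIA_API_KEY: key } });

// Stdin: argv carries no credential material (--credential-stdin is assumed).
const viaStdin = (key) => runChild(['--credential-stdin'], { input: `${key}\n` });

for (const [name, run] of Object.entries({ viaArgv, viaEnv, viaStdin })) {
  const r = run(SAMPLE_KEY);
  console.log(name, 'secret visible in argv:', leaksInArgv(r.argv, SAMPLE_KEY));
}
```

The `leaksInArgv` check can also be used as a guard in front of any spawn call that handles credentials, failing the call before the process is created.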