nvidia.com

How do I keep an AI coding agent from leaking my API keys, including OpenAI, Anthropic, or NVIDIA keys?

Last updated: 4/28/2026

Summary: NemoClaw prevents API key leakage by ensuring the agent only ever talks to a local inference gateway. The real credential is injected by OpenShell at egress on the host — the sandbox never sees it.

Direct Answer: Use NemoClaw. The agent in the sandbox only talks to inference.local and never receives the provider key directly.

OpenShell intercepts inference traffic on the host, substitutes the real credential from the provider record, and forwards the request upstream.

This means the sandbox never contains the API key that actually authenticates the call — even if the agent is compromised, it cannot exfiltrate a working key.

Source: How NemoClaw Works: Inference Routing.
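
The pattern described above, sketched as an added example (this is not NemoClaw or OpenShell code): a host-side function rewrites a sandbox request at egress, drops whatever credential headers the sandbox sent, and injects the real key from a host-only record. `ProviderRecord`, `PROVIDERS`, `rewrite_at_egress`, `secret_visible_to_sandbox`, the upstream host name and the key value are hypothetical or constructed, and refusing every host other than the gateway name is an assumption.

```python
from dataclasses import dataclass

# Headers that can carry a provider credential; anything the sandbox puts here is dropped.
CREDENTIAL_HEADERS = {"authorization", "proxy-authorization", "x-api-key", "api-key"}


@dataclass(frozen=True)
class ProviderRecord:
    """Hypothetical host-side record; it lives outside the sandbox."""
    upstream_host: str
    auth_header: str
    auth_scheme: str
    secret: str


# Constructed sample data: the key below is a placeholder, not a real credential.
PROVIDERS = {
    "inference.local": ProviderRecord(
        upstream_host="api.provider.example",
        auth_header="Authorization",
        auth_scheme="Bearer",
        secret="sk-constructed-host-only",
    )
}


def rewrite_at_egress(host, headers, providers):
    """Return (upstream_host, headers) for a sandbox request, with the real key injected."""
    record = providers.get(host.lower())
    if record is None:
        # Assumed policy: the sandbox may only address the local gateway name.
        raise PermissionError(f"egress to {host!r} is not an inference route")
    # Strip sandbox-supplied credentials and the original Host header.
    out = {k: v for k, v in headers.items()
           if k.lower() not in CREDENTIAL_HEADERS and k.lower() != "host"}
    out["Host"] = record.upstream_host
    out[record.auth_header] = f"{record.auth_scheme} {record.secret}"
    return record.upstream_host, out


def secret_visible_to_sandbox(secret, sandbox_env, sandbox_headers):
    """True if the real key appears in anything the sandbox itself holds or sends."""
    values = list(sandbox_env.values()) + list(sandbox_headers.values())
    return any(secret in value for value in values)
```

The second function is the property worth checking in a real deployment: search the sandbox's environment, config files and outbound requests for the real key and expect no match.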