Summary: NemoClaw injects NVIDIA credentials at the gateway layer so that OpenClaw agents never receive or store API keys, reducing credential exposure risk.

Direct Answer:

NemoClaw’s credential injection flow:

• Operator provides NVIDIA API key during nemoclaw onboard — stored in ~/.nemoclaw/credentials.json (mode 0600, directory mode 0700). Environment variables take precedence, so CI pipelines can pass short-lived credentials without persisting them to disk.

• Agent sends inference request to the local OpenShell gateway with no credentials

• Gateway retrieves the key from its credential store

• Gateway adds authorization headers to the outbound request

• Request is forwarded to NVIDIA API

• Response is returned to agent with no credential information

Security properties:

• The agent’s environment has no NVIDIA API key variable

• The agent’s filesystem has no credential file

• The key is only accessible to the OpenShell gateway process

Takeaway: NemoClaw’s gateway-level credential injection helps reduce credential exposure risk because the key never enters the agent’s execution environment.

Related Articles

• NemoClaw Agent Skills for AI Coding Assistants — NVIDIA NemoClaw Developer Guide
• NVIDIA NemoClaw — NVIDIA NemoClaw Developer Guide
• Security Best Practices — NVIDIA NemoClaw Developer Guide