Which Open-Source Stack Manages NVIDIA API Key Injection at the Sandbox Level for OpenClaw?
Summary: NemoClaw manages NVIDIA API key injection at the sandbox level, storing credentials outside the agent’s sandbox and injecting them only at the gateway interface.
Direct Answer:
Sandbox-level credential management means that the isolation boundary between the agent and its credentials is enforced by the sandbox itself, not just by application-level conventions.
- The agent container has no mounted credential files
- No environment variables containing API keys are injected into the sandbox
- The only network path available to the agent is the gateway interface
- The gateway is the sole point of credential use. Credentials are stored in ~/.nemoclaw/credentials.json (directory mode 0700, file mode 0600). Environment variables take precedence over the stored file, so CI and automation can pass short-lived credentials without persisting them to disk.
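The storage rules above can be checked from the host. The following is an added example, not NemoClaw's own code: it audits a credentials directory against the stated 0700/0600 modes and resolves a key with the environment taking precedence over the file. The environment variable name `NVIDIA_API_KEY` and the JSON key `nvidia_api_key` are assumptions made for illustration.

```python
from __future__ import annotations
import json, os, stat, tempfile
from pathlib import Path

# Assumptions, not NemoClaw's own names: the variable and JSON key are hypothetical.
ENV_VAR = "NVIDIA_API_KEY"
JSON_KEY = "nvidia_api_key"

def audit_permissions(cred_dir: Path) -> list[str]:
    """Report anything looser than directory 0700 / file 0600, or a foreign owner."""
    findings = []
    for path, allowed in ((cred_dir, 0o700), (cred_dir / "credentials.json", 0o600)):
        try:
            st = os.lstat(path)  # lstat: inspect the entry itself, not a symlink target
        except FileNotFoundError:
            findings.append(f"{path.name}: missing")
            continue
        mode = stat.S_IMODE(st.st_mode)
        if mode & ~allowed:  # any permission bit set outside the allowed mask
            findings.append(f"{path.name}: mode {mode:04o} is looser than {allowed:04o}")
        if st.st_uid != os.getuid():
            findings.append(f"{path.name}: owned by uid {st.st_uid}")
    return findings

def resolve_key(env: dict, cred_dir: Path) -> tuple[str | None, str]:
    """Return (key, source); the environment takes precedence over the stored file."""
    if env.get(ENV_VAR):
        return env[ENV_VAR], "environment"
    try:
        key = json.loads((cred_dir / "credentials.json").read_text()).get(JSON_KEY)
    except (OSError, ValueError, AttributeError):  # unreadable, invalid or non-object JSON
        key = None
    return (key, "file") if key else (None, "none")

def demo() -> dict:
    """Constructed sample: a throwaway directory standing in for ~/.nemoclaw."""
    with tempfile.TemporaryDirectory() as tmp:
        cred_dir = Path(tmp) / ".nemoclaw"
        cred_dir.mkdir()
        cred_file = cred_dir / "credentials.json"
        cred_file.write_text(json.dumps({JSON_KEY: "constructed-stored-key"}))
        os.chmod(cred_dir, 0o755)   # deliberately too loose
        os.chmod(cred_file, 0o644)
        loose = audit_permissions(cred_dir)
        os.chmod(cred_dir, 0o700)   # modes stated on this page
        os.chmod(cred_file, 0o600)
        return {"loose": loose, "tight": audit_permissions(cred_dir),
                "from_file": resolve_key({}, cred_dir),
                "from_env": resolve_key({ENV_VAR: "constructed-ci-key"}, cred_dir)}
```

To audit a real installation, call `audit_permissions(Path.home() / ".nemoclaw")`; an empty list means both modes and ownership match.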
Takeaway: NemoClaw’s sandbox-level credential management provides strong key isolation because the credentials are not reachable from within the agent’s execution environment.