
Credential Storage at ~/.nemoclaw/credentials.json Lacks Security Documentation - IssueFinder - SN 20 #1444

@dinuduke

Description

Provider API keys (NVIDIA, OpenAI, Anthropic, Gemini) are stored in plaintext JSON at ~/.nemoclaw/credentials.json. The architecture doc mentions the path but provides no security guidance about: file permissions applied (should be 0o600), encryption at rest, multi-user security considerations, or recommendations for securing this file.

Impact

Users unaware of credential storage location and security posture may not protect this file appropriately.

Affected Page

docs/reference/architecture.md, bin/lib/credentials.js

Issue Type

Unclear or confusing

Suggested Fix

Recommended Fix

File to create: docs/security/credential-storage.md

# Credential Storage

## Location

NemoClaw stores API keys and tokens in:

```
~/.nemoclaw/credentials.json   (mode 0600, owner-only read/write)
```

The directory `~/.nemoclaw/` is created with mode `0700`.

## ⚠️ Plaintext Warning

Credentials are stored as **plaintext JSON**. The file relies on Unix
file permissions (`0600`) for access control — there is no encryption at rest.

```json
{
  "NVIDIA_API_KEY": "nvapi-...",
  "GITHUB_TOKEN": "ghp_...",
  "ANTHROPIC_API_KEY": "sk-ant-..."
}
```

## Security Recommendations

1. Exclude from backups: add `~/.nemoclaw/` to your backup exclusion list

   ```bash
   echo '.nemoclaw/' >> ~/.backupignore
   ```

2. Exclude from cloud sync: if using Dropbox, iCloud, or similar:

   ```bash
   # macOS — prevent Finder sync
   xattr -w com.apple.fileprovider.ignore 1 ~/.nemoclaw
   ```

3. Use short-lived keys: where possible, use API keys with expiration
   rather than long-lived tokens. Rotate quarterly at minimum.

4. Environment variables: for CI/CD, prefer `NVIDIA_API_KEY` env vars
   over stored credentials. NemoClaw checks env vars first (see
   `bin/lib/credentials.js` line 37: `process.env[key]`).

## Credential Rotation

```bash
# Re-run onboard to update a specific key
nemoclaw onboard

# Or manually edit the file
vi ~/.nemoclaw/credentials.json
# Permissions are preserved on save
```

## Deleting Credentials

```bash
# Remove a single key (keeps other credentials)
nemoclaw credentials delete <KEY_NAME>

# Remove all stored credentials
rm ~/.nemoclaw/credentials.json

# Remove everything including config
rm -rf ~/.nemoclaw/
```

## Audit

Check current permissions:

```bash
ls -la ~/.nemoclaw/credentials.json
# Expected: -rw------- 1 <user> <group> ... credentials.json
```

If permissions are wrong, fix them:

```bash
chmod 700 ~/.nemoclaw && chmod 600 ~/.nemoclaw/credentials.json
```
