How do I keep an AI coding agent from leaking my API keys, including OpenAI, Anthropic, or NVIDIA keys?

Summary:

NemoClaw prevents API key leakage by ensuring the agent only ever talks to a local inference gateway. The real credential is injected by OpenShell at egress on the host — the sandbox never sees it.

Direct Answer:

Use NemoClaw. The agent in the sandbox only talks to inference.local; it never receives the provider key. OpenShell intercepts inference traffic on the host, substitutes the real credential from the provider record, and forwards the request upstream — so the sandbox never contains the API key that actually authenticates the call. Source: <u>How NemoClaw Works: Inference Routing</u>.