NVIDIA NemoClaw Docker Build Leaked Sensitive Web Search Configuration, API Key Placeholders
A security vulnerability in NVIDIA's NemoClaw project exposed sensitive web search configuration data, including API key placeholders, during the Docker image build process. The flaw allowed the `NEMOCLAW_WEB_CONFIG_B64` argument to be leaked in `docker build` logs, image metadata, and Docker history, creating a potential vector for credential exposure and system compromise.
The issue, tracked as #1741 in the project's GitHub repository, stemmed from the use of build-time `ARG` injection for configuration. A recent pull request has remediated the exposure by completely removing the `ARG NEMOCLAW_WEB_CONFIG_B64` and its associated `ENV` declaration from the `Dockerfile`. The fix migrates configuration from a build-time process to a runtime environment resolution system using OpenShell. The Python configuration script has been refactored to hardcode the `web.search` block with a safe `openshell:resolve:env:BRAVE_API_KEY` placeholder, and the `src/lib/onboard.ts` file has been updated to remove the build-time Dockerfile modification.
This remediation closes a significant security gap that could have allowed unauthorized access to the internal configuration structure of the AI application. The shift to runtime resolution ensures that no sensitive-looking strings or configuration blocks are embedded in the final container image's build history, aligning with security best practices for containerized deployments. The fix highlights ongoing scrutiny of supply chain security within AI development tooling, particularly for projects associated with major hardware and software vendors like NVIDIA.
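The pattern described above can be caught in review with a small Dockerfile check. This is an added example, not code from the NemoClaw repository: it flags an `ARG` whose name looks like a secret or encoded config, and an `ENV` that copies a build argument into the image. The sample Dockerfiles, the script path inside them and the name heuristic are constructed assumptions; only the `NEMOCLAW_WEB_CONFIG_B64` name comes from the article.

```python
import re

# Assumed heuristic: name fragments that suggest a secret or an encoded config blob.
SENSITIVE = re.compile(r"(KEY|TOKEN|SECRET|PASSWORD|CREDENTIAL|CONFIG|_B64)", re.I)

# Constructed samples, not the project's real Dockerfile (paths are hypothetical).
SAMPLE_BEFORE = """\
FROM python:3.12-slim
ARG NEMOCLAW_WEB_CONFIG_B64
ENV NEMOCLAW_WEB_CONFIG_B64=${NEMOCLAW_WEB_CONFIG_B64}
RUN python3 /opt/write_config.py
"""
SAMPLE_AFTER = """\
FROM python:3.12-slim
ARG APP_VERSION=1.0
RUN python3 /opt/write_config.py
"""

def logical_lines(text):
    """Yield (first_line_number, instruction) with backslash continuations joined."""
    buf, start = "", None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no instruction
        start = start or n
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield start, buf + line
        buf, start = "", None

def audit(text):
    """Return (line, kind, name) findings for risky ARG/ENV use in a Dockerfile."""
    args, findings = set(), []
    for n, instr in logical_lines(text):
        op, _, rest = instr.partition(" ")
        if op.upper() == "ARG":
            name = rest.strip().split("=", 1)[0]
            args.add(name)
            if SENSITIVE.search(name):
                findings.append((n, "sensitive-arg", name))
        elif op.upper() == "ENV":
            # ENV values are stored in the image config, so a referenced ARG persists.
            for ref in re.findall(r"\$\{?([A-Za-z_][A-Za-z0-9_]*)", rest):
                if ref in args:
                    findings.append((n, "arg-persisted-in-env", ref))
    return findings
```

Running `audit()` over a Dockerfile in CI and failing on any finding keeps this class of build-time injection from returning after the fix.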