
security: comprehensive codebase audit — 4 CRITICAL, 25 HIGH findings#609

Closed
gn00295120 wants to merge 1 commit intoNVIDIA:mainfrom
gn00295120:security/comprehensive-audit-2026-03-22

Conversation

@gn00295120
Contributor

@gn00295120 gn00295120 commented Mar 21, 2026

Summary

Comprehensive security audit of the full NemoClaw codebase (~9,600 LoC) conducted via 10 parallel scan scopes. Identified 67 unique actionable findings: 4 CRITICAL, 25 HIGH, 28 MEDIUM, 16 LOW.

Critical Findings

  • C-1: createSnapshotBundle() copies all host credentials (auth-profiles.json with live API keys, GitHub PATs, npm tokens) verbatim into sandbox — fix exists in PR security: strip credentials from migration snapshots and enforce blueprint digest #156 but is unmerged
  • C-2: CHAT_UI_URL Docker build-arg interpolated into RUN python3 -c "..." — Python code injection at image build time
  • C-3: Telegram & Discord always-on in baseline sandbox policy with no binary restriction — unconditional data exfiltration channel from every sandbox
  • C-4: restoreSnapshotToHost() uses manifest paths as write targets without validation — arbitrary host filesystem write

Deliverables

  • SECURITY-AUDIT-2026-03-22.md — full audit report with all 67 findings, severity ratings, locations, and recommended fixes
  • .gitignore — updated to prevent accidental disclosure commit
  • Recommended 8-PR remediation sequence prioritized by severity

Audit Methodology

10 parallel security agents scanned: CLI entry & runner, credential handling, network policies, install scripts, migration & snapshot, inference & NIM, Telegram bridge, platform & registry, test coverage gaps, CI/CD & config.

Test plan

  • Report is documentation-only — no code changes beyond .gitignore
  • Verified DRAFT-intigriti-migration-cred.md is now gitignored
  • All findings cross-referenced with file paths and line numbers

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Documentation

    • Added security audit report with detailed findings and remediation recommendations.
  • Chores

    • Updated project configuration.

Copilot AI review requested due to automatic review settings March 21, 2026 23:33
@coderabbitai

coderabbitai bot commented Mar 21, 2026

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 259fd59a-b011-4ac4-989d-eab4d40b56de

📥 Commits

Reviewing files that changed from the base of the PR and between f27f31a and 62ad20b.

📒 Files selected for processing (2)
  • .gitignore
  • SECURITY-AUDIT-2026-03-22.md

📝 Walkthrough

Walkthrough

Two changes were made: a new ignore rule was added to .gitignore for draft Markdown files, and a comprehensive security audit report documenting 87 findings (with 67 unique actionable items) across the NemoClaw codebase was added as documentation.

Changes

Cohort / File(s) | Summary
Configuration: .gitignore | Added ignore pattern DRAFT-*.md to exclude draft Markdown files from version control.
Security Documentation: SECURITY-AUDIT-2026-03-22.md | New security audit report documenting automated scan results: 3 CRITICAL, 25 HIGH, 28 MEDIUM, 16 LOW, and 14 INFO severity findings across 10 scan scopes, with detailed issue descriptions, locations, and recommended remediation sequence.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 An audit trail was laid out clear,
With findings documented here!
Draft files hidden from the light,
Security improved tonight ✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name | Status | Explanation | Resolution
Docstring Coverage | ⚠️ Warning | Docstring coverage is 77.78% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (2 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled.
Title check | ✅ Passed | The title accurately summarizes the main change: a comprehensive security audit identifying critical findings, which is fully reflected in the PR content and objectives.



Copilot AI left a comment


Pull request overview

Adds a comprehensive security audit report to the repository and updates .gitignore to prevent accidental commits of disclosure drafts.

Changes:

  • Add SECURITY-AUDIT-2026-03-22.md documenting 67 actionable findings with locations and suggested remediation sequence.
  • Update .gitignore to ignore DRAFT-*.md files.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.

File Description
SECURITY-AUDIT-2026-03-22.md New security audit report capturing findings, severity counts, and remediation plan.
.gitignore Ignores DRAFT-*.md to reduce risk of accidentally committing disclosure drafts.


### C-2: CHAT_UI_URL Python code injection in Dockerfile

- **Location**: `Dockerfile:97-98`
- **Description**: Docker build-arg `CHAT_UI_URL` interpolated directly into `RUN python3 -c "..."` string. A crafted URL like `http://x'; import subprocess; subprocess.run(['id'])#` injects arbitrary Python.

Copilot AI Mar 21, 2026


This report includes a concrete exploit payload example (the crafted CHAT_UI_URL string) and detailed attack impact notes. If this repository is accessible to untrusted users, consider redacting PoC payloads and/or publishing the full report via a private channel (e.g., Security Advisories) to reduce the risk of turning the report into an attack guide.

Suggested change
- **Description**: Docker build-arg `CHAT_UI_URL` interpolated directly into `RUN python3 -c "..."` string. A crafted URL like `http://x'; import subprocess; subprocess.run(['id'])#` injects arbitrary Python.
- **Description**: Docker build-arg `CHAT_UI_URL` is interpolated directly into a `RUN python3 -c "..."` string, allowing a crafted URL that closes the string and appends arbitrary Python statements to inject code at build time.

10 parallel security scans across the entire NemoClaw codebase (~9,600 LoC)
identified 3 CRITICAL, 25 HIGH, 28 MEDIUM, and 16 LOW severity findings.

Critical findings (fixed in companion PRs):
- C-2: CHAT_UI_URL Python code injection in Dockerfile
- C-3: Telegram/Discord always-on in baseline policy (exfil channels)
- C-4: Snapshot manifest path traversal (arbitrary host write)
- C-1: Migration credential exposure (tracked by PR NVIDIA#156)

Also adds DRAFT-*.md to .gitignore to prevent accidental disclosure.
@gn00295120 gn00295120 force-pushed the security/comprehensive-audit-2026-03-22 branch from f27f31a to 62ad20b Compare March 21, 2026 23:44
@gn00295120
Contributor Author

Closing — audit report is for internal reference, not a code change.

@gn00295120 gn00295120 closed this Mar 21, 2026