Description
[Description]
setup-spark.sh installation prompt is not match document
[Environment]
Device: spark
Node.js: v22.22.2
npm: 10.9.7
Docker: 29.1.3, build f52814d
OpenShell CLI: 0.0.16
NemoClaw: v0.0.1 (commit 3630013 (HEAD, tag: v0.0.1, tag: latest))
FastOS: 1.120.38
[Steps to Reproduce]
local-carolinex@p4242-0084:~/caroline$ git clone --branch v0.0.1 https://github.com/NVIDIA/NemoClaw.git
Cloning into 'NemoClaw'...
remote: Enumerating objects: 9745, done.
remote: Counting objects: 100% (188/188), done.
remote: Compressing objects: 100% (74/74), done.
remote: Total 9745 (delta 143), reused 119 (delta 114), pack-reused 9557 (from 2)
Receiving objects: 100% (9745/9745), 6.26 MiB | 19.42 MiB/s, done.
Resolving deltas: 100% (6611/6611), done.
Note: switching to '36300135a9d240126c1755effd212dad451fa861'.
You are in 'detached HEAD' state. You can look around, make experimental
changes and commit them, and you can discard any commits you make in this
state without impacting any branches by switching back to a branch.
If you want to create a new branch to retain commits you create, you may
do so (now or later) by using -c with the switch command. Example:
git switch -c
Or undo this operation with:
git switch -
Turn off this advice by setting config variable advice.detachedHead to false
local-carolinex@p4242-0084:~/caroline$ git log
fatal: not a git repository (or any of the parent directories): .git
local-carolinex@p4242-0084:~/caroline$ cd NemoClaw/
local-carolinex@p4242-0084:~/caroline/NemoClaw$ git log
commit 36300135a9d240126c1755effd212dad451fa861 (HEAD, tag: v0.0.1, tag: latest)
Author: Aaron Erickson
Date: Mon Mar 30 17:51:56 2026 -0700
fix(security): download installers to file before execution (#696)
## Summary
Replace all `curl | bash` / `curl | sudo bash` patterns with
download-to-tempfile-then-execute across the codebase.
Closes #574, #576, #577, #583.
| File | What changed |
|------|-------------|
| `install.sh` | Ollama installer (2 locations) |
| `scripts/install.sh` | NodeSource `setup_22.x` |
| `scripts/brev-setup.sh` | NodeSource `setup_22.x` |
| `bin/nemoclaw.js` | Remote uninstall fallback |
Each location now uses `mktemp -d`, downloads the script to a file,
executes from the file, and cleans up. SHA-256 pinning isn't practical
for rolling-release upstream URLs, but download-then-execute prevents
partial-download execution and allows inspection.
## Test plan
- [x] 4 regression tests verify no `curl | sh/bash/sudo` patterns in any
of the affected files
- [x] All existing tests pass
- [ ] Manual: `nemoclaw onboard` with Ollama provider installs correctly
- [ ] Manual: `nemoclaw uninstall` falls back to remote script correctly
local-carolinex@p4242-0084:~/caroline/NemoClaw$
local-carolinex@p4242-0084:~/caroline/NemoClaw$ cd ..
local-carolinex@p4242-0084:~/caroline$ curl -LsSf https://raw.githubusercontent.com/NVIDIA/OpenShell/main/install.sh | sh
openshell: resolving latest version...
openshell: downloading openshell v0.0.16 (aarch64-unknown-linux-musl)...
openshell: verifying checksum...
openshell: extracting...
openshell: installed openshell 0.0.16 to /localhome/local-carolinex/.local/bin/openshell
local-carolinex@p4242-0084:~/caroline$ cd NemoClaw/
local-carolinex@p4242-0084:~/caroline/NemoClaw$ sudo ./scripts/setup-spark.sh
>>> User 'local-carolinex' already in docker group
>>> Docker daemon already configured for cgroupns=host
>>> DGX Spark Docker configuration complete.
>>>
>>> Next step: run 'nemoclaw onboard' to set up your sandbox.
>>> nemoclaw onboard
From above prompt, we need to run nemoclaw onboad command, but the guide suggest to run ./install.sh
[Expected Result]
The installer prompt should be match guidance
[Actual Result]
local-carolinex@p4242-0084:~/caroline/NemoClaw$ sudo ./scripts/setup-spark.sh
>>> User 'local-carolinex' already in docker group
>>> Docker daemon already configured for cgroupns=host
>>> DGX Spark Docker configuration complete.
>>>
>>> Next step: run 'nemoclaw onboard' to set up your sandbox.
>>> nemoclaw onboard
Steps to reproduce
No steps provided.
[NVB# 6034685]
[NVB#6034685]
Description
[Description]
setup-spark.sh installation prompt is not match document
[Environment]
Device: spark
Node.js: v22.22.2
npm: 10.9.7
Docker: 29.1.3, build f52814d
OpenShell CLI: 0.0.16
NemoClaw: v0.0.1 (commit 3630013 (HEAD, tag: v0.0.1, tag: latest))
FastOS: 1.120.38
[Steps to Reproduce]
local-carolinex@p4242-0084:~/caroline$ git clone --branch v0.0.1 https://github.com/NVIDIA/NemoClaw.git Cloning into 'NemoClaw'... remote: Enumerating objects: 9745, done. remote: Counting objects: 100% (188/188), done. remote: Compressing objects: 100% (74/74), done. remote: Total 9745 (delta 143), reused 119 (delta 114), pack-reused 9557 (from 2) Receiving objects: 100% (9745/9745), 6.26 MiB | 19.42 MiB/s, done. Resolving deltas: 100% (6611/6611), done. Note: switching to '36300135a9d240126c1755effd212dad451fa861'. You are in 'detached HEAD' state. You can look around, make experimental changes and commit them, and you can discard any commits you make in this state without impacting any branches by switching back to a branch. If you want to create a new branch to retain commits you create, you may do so (now or later) by using -c with the switch command. Example: git switch -c Or undo this operation with: git switch - Turn off this advice by setting config variable advice.detachedHead to false local-carolinex@p4242-0084:~/caroline$ git log fatal: not a git repository (or any of the parent directories): .git local-carolinex@p4242-0084:~/caroline$ cd NemoClaw/ local-carolinex@p4242-0084:~/caroline/NemoClaw$ git log commit 36300135a9d240126c1755effd212dad451fa861 (HEAD, tag: v0.0.1, tag: latest) Author: Aaron Erickson Date: Mon Mar 30 17:51:56 2026 -0700 fix(security): download installers to file before execution (#696) ## Summary Replace all `curl | bash` / `curl | sudo bash` patterns with download-to-tempfile-then-execute across the codebase. Closes #574, #576, #577, #583. | File | What changed | |------|-------------| | `install.sh` | Ollama installer (2 locations) | | `scripts/install.sh` | NodeSource `setup_22.x` | | `scripts/brev-setup.sh` | NodeSource `setup_22.x` | | `bin/nemoclaw.js` | Remote uninstall fallback | Each location now uses `mktemp -d`, downloads the script to a file, executes from the file, and cleans up. SHA-256 pinning isn't practical for rolling-release upstream URLs, but download-then-execute prevents partial-download execution and allows inspection. ## Test plan - [x] 4 regression tests verify no `curl | sh/bash/sudo` patterns in any of the affected files - [x] All existing tests pass - [ ] Manual: `nemoclaw onboard` with Ollama provider installs correctly - [ ] Manual: `nemoclaw uninstall` falls back to remote script correctly local-carolinex@p4242-0084:~/caroline/NemoClaw$ local-carolinex@p4242-0084:~/caroline/NemoClaw$ cd .. local-carolinex@p4242-0084:~/caroline$ curl -LsSf https://raw.githubusercontent.com/NVIDIA/OpenShell/main/install.sh | sh openshell: resolving latest version... openshell: downloading openshell v0.0.16 (aarch64-unknown-linux-musl)... openshell: verifying checksum... openshell: extracting... openshell: installed openshell 0.0.16 to /localhome/local-carolinex/.local/bin/openshell local-carolinex@p4242-0084:~/caroline$ cd NemoClaw/ local-carolinex@p4242-0084:~/caroline/NemoClaw$ sudo ./scripts/setup-spark.sh >>> User 'local-carolinex' already in docker group >>> Docker daemon already configured for cgroupns=host >>> DGX Spark Docker configuration complete. >>> >>> Next step: run 'nemoclaw onboard' to set up your sandbox. >>> nemoclaw onboardFrom above prompt, we need to run nemoclaw onboad command, but the guide suggest to run ./install.sh
[Expected Result]
The installer prompt should be match guidance
[Actual Result]
Steps to reproduce
No steps provided.
[NVB# 6034685]
[NVB#6034685]