fix: quote shell interpolations in CLI dispatch and deploy commands#102
Closed
WuKongAI-CMU wants to merge 1 commit intoNVIDIA:mainfrom
Closed
fix: quote shell interpolations in CLI dispatch and deploy commands#102WuKongAI-CMU wants to merge 1 commit intoNVIDIA:mainfrom
WuKongAI-CMU wants to merge 1 commit intoNVIDIA:mainfrom
Conversation
Sandbox names and deploy instance names were interpolated unquoted into shell commands throughout bin/nemoclaw.js. A name containing spaces or shell metacharacters would cause word splitting or injection. Also removes the redundant NVIDIA_API_KEY from the setup-spark command line — sudo -E already preserves the caller's environment, so the explicit assignment only served to leak the key in `ps` output. Signed-off-by: Peter Tam <nicholaslwk@gmail.com> Signed-off-by: peteryuqin <peter.yuqin@gmail.com>
Contributor
Author
|
Closing to reduce my open PR count below the repo policy limit and refocus on a smaller set of higher-signal changes. I can revive this branch later if it becomes the right path again. |
mafueee
pushed a commit
to mafueee/NemoClaw
that referenced
this pull request
Mar 28, 2026
…IDIA#102) Closes NVIDIA#101 Add pytest-xdist for parallel e2e test execution with configurable concurrency. Default to 5 workers; override via E2E_PARALLEL env var (accepts a number or 'auto' for CPU-count matching). Make session-scoped mock inference route fixtures worker-safe by incorporating the xdist worker_id into route names and routing hints. Co-authored-by: John Myers <johntmyers@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
${sandboxName}and${name}interpolations inbin/nemoclaw.jsshell commands (sandboxConnect,sandboxStatus,sandboxLogs,sandboxDestroy,deploy)NVIDIA_API_KEY=fromsetup-sparkcommand line —sudo -Ealready preserves the caller's environment, so the explicit assignment only leaked the key inpsoutputSame category as #90 (which fixed
onboard.jsandpolicies.js), this PR covers the remaining unquoted interpolations in the main CLI entry point.Related issues: #21, #46
Test plan
nemoclaw <name> connectstill works with hyphenated sandbox namesnemoclaw deploy <name>properly quotes the instance name in SSH/rsync/scp commandsps auxno longer shows NVIDIA_API_KEY when runningnemoclaw setup-spark