
Test Files Use Realistic-Looking API Key Values — Risk of Log/CI Credential Leakage - IssueFinder - SN 16 #1440

@dinuduke

Description


Multiple test files set process.env with API key values that closely resemble real credential formats. While these are test values, they follow the exact prefix patterns of real keys (nvapi-, sk-, sk-ant-), making them indistinguishable from real credentials to:

  • Secret scanning tools (GitHub secret scanning, GitGuardian, TruffleHog)
  • CI/CD log monitors
  • Automated security scanners

Affected locations in test/onboard.test.js:

  • Line 505: process.env.NVIDIA_API_KEY = "nvapi-secret-value"
  • Line 744: process.env.OPENAI_API_KEY = "sk-bad"
  • Line 816: process.env.ANTHROPIC_API_KEY = "sk-ant-secret-value"
  • Line 898: similar patterns
  • Line 963: similar patterns

Impact

  1. False positive noise: Secret scanners flag these, causing alert fatigue
  2. Accidental real key insertion: Developers may copy-paste test patterns and accidentally insert real keys
  3. CI log leakage: If test output includes env vars, these look like real credential exposures
  4. Compliance: Security auditors flagging realistic-looking keys in source code

Affected Area

  • Module(s): Test suite
  • File(s): test/onboard.test.js (lines 505, 744, 816, 898, 963)

Fix Direction

Replace all test credential values with clearly-prefixed test markers:

process.env.NVIDIA_API_KEY = "nvapi-test-00000000-0000-0000-0000-000000000000";
process.env.OPENAI_API_KEY = "sk-test-not-real-key-for-testing-only";
process.env.ANTHROPIC_API_KEY = "sk-ant-test-not-real-key-for-testing-only";
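One way to keep this from regressing is to route every test credential through a guard that refuses values lacking an explicit test marker or resembling a real key. The following is an added example, not code from the NemoClaw repository; the helper names (REALISTIC_KEY_PATTERNS, FAKE_MARKER, isClearlyFakeCredential, setFakeEnv, auditTestCredentials) and the scanner-style patterns are assumptions for this illustration, and the sample values are constructed from the evidence and fix direction in this issue.

```javascript
// Added example, not NemoClaw project code. All names below are assumptions
// made for this illustration.

// Heuristic approximating how secret scanners match provider keys: a known
// prefix followed by a long unbroken alphanumeric run, or a long run anywhere.
// Constructed for this example; real scanner rules are more specific, so this
// is a floor, not a replacement for running an actual scanner in CI.
const REALISTIC_KEY_PATTERNS = [
  /^nvapi-[A-Za-z0-9]{20,}/, // NVIDIA-style prefix
  /^sk-ant-[A-Za-z0-9]{20,}/, // Anthropic-style prefix
  /^sk-[A-Za-z0-9]{20,}/, // OpenAI-style prefix
  /[A-Za-z0-9]{32,}/, // any long token-like run, regardless of prefix
];

// The marker the fix direction relies on: a standalone "test" segment or an
// explicit "not-real" / "not-a-real" phrase inside the value.
const FAKE_MARKER = /(^|-)test(-|$)|not-(a-)?real/;

// A value is an acceptable test credential only if it carries the marker and
// does not look like a real key under the heuristic above.
function isClearlyFakeCredential(value) {
  if (typeof value !== "string" || value.length === 0) return false;
  const hasMarker = FAKE_MARKER.test(value);
  const looksReal = REALISTIC_KEY_PATTERNS.some((re) => re.test(value));
  return hasMarker && !looksReal;
}

// Drop-in for `process.env.X = "..."` in tests: rejects values a scanner could
// mistake for a leaked key, so the problem surfaces when the test is written
// rather than as a secret-scanning alert later.
function setFakeEnv(name, value) {
  if (!isClearlyFakeCredential(value)) {
    throw new Error(
      `${name}: test credential "${value}" lacks a clear test marker or looks like a real key`,
    );
  }
  process.env[name] = value;
  return value;
}

// Audit a map of env names to values; returns the names that need replacing.
function auditTestCredentials(entries) {
  return Object.entries(entries)
    .filter(([, value]) => !isClearlyFakeCredential(value))
    .map(([name]) => name);
}

// Constructed samples: the values quoted in this issue's evidence, and the
// replacements proposed under "Fix Direction".
const CURRENT_VALUES = {
  NVIDIA_API_KEY: "nvapi-secret-value",
  OPENAI_API_KEY: "sk-bad",
  ANTHROPIC_API_KEY: "sk-ant-secret-value",
};
const PROPOSED_VALUES = {
  NVIDIA_API_KEY: "nvapi-test-00000000-0000-0000-0000-000000000000",
  OPENAI_API_KEY: "sk-test-not-real-key-for-testing-only",
  ANTHROPIC_API_KEY: "sk-ant-test-not-real-key-for-testing-only",
};

// Demo: the current values are all flagged, the proposed ones pass.
console.log("current values needing replacement:", auditTestCredentials(CURRENT_VALUES));
console.log("proposed values needing replacement:", auditTestCredentials(PROPOSED_VALUES));
for (const [name, value] of Object.entries(PROPOSED_VALUES)) setFakeEnv(name, value);
```

The marker check is deliberately strict about segment boundaries: a value such as `sk-testAAAA...` does not count as marked, because the scanner heuristic would still see a prefix followed by a long run. Using `setFakeEnv` in place of direct `process.env` assignments in test/onboard.test.js turns the hygiene rule into a failing test instead of a code-review reminder.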

Notes

This is a hygiene issue, but fixing it reduces secret-scanning noise and prevents accidental credential exposure through copy-paste patterns.

Reproduction Steps

Steps to Reproduce

  1. Run any secret scanner against the repository
  2. Observe false positives on test credential values
  3. grep -rn "nvapi-\|sk-\|sk-ant-" test/

Expected Behavior

Test credentials should use clearly-fake prefixes that won't trigger secret scanners, e.g.:

  • nvapi-test-00000000-0000-0000-0000-000000000000
  • sk-test-not-a-real-key
  • sk-ant-test-not-a-real-key

Actual Behavior

Test credentials use realistic-looking values that trigger secret scanning tools.

Evidence

// test/onboard.test.js line 505
process.env.NVIDIA_API_KEY = "nvapi-secret-value";

// test/onboard.test.js line 744
process.env.OPENAI_API_KEY = "sk-bad";

Environment

  • OS: Any
  • NemoClaw Version / Commit: main branch HEAD
  • Branch: main

Debug Output

$ grep -rn "nvapi-\|sk-\|sk-ant-" test/
test/onboard.test.js:505:process.env.NVIDIA_API_KEY = "nvapi-secret-value"
test/onboard.test.js:744:process.env.OPENAI_API_KEY = "sk-bad"
test/onboard.test.js:816:process.env.ANTHROPIC_API_KEY = "sk-ant-secret-value"

Logs

Checklist

  • I confirmed this bug is reproducible
  • I searched existing issues and this is not a duplicate

Metadata

Labels: area: ci (CI workflows, checks, release automation, or GitHub Actions)