NVIDIA · caco26i · Mar 30, 2026 · Mar 31, 2026 · Mar 31, 2026 · Mar 31, 2026
diff --git a/bin/lib/credentials.js b/bin/lib/credentials.js
@@ -214,11 +214,22 @@ function prompt(question, opts = {}) {
   });
 }
 
+const SUPPORTED_API_KEYS = [
+  "NVIDIA_API_KEY",
+  "OPENAI_API_KEY",
+  "ANTHROPIC_API_KEY",
+  "GEMINI_API_KEY",
+  "COMPATIBLE_API_KEY",
+  "COMPATIBLE_ANTHROPIC_API_KEY",
+];
+
 async function ensureApiKey() {
-  let key = getCredential("NVIDIA_API_KEY");
-  if (key) {
-    process.env.NVIDIA_API_KEY = key;
-    return;
+  for (const envKey of SUPPORTED_API_KEYS) {
+    const val = getCredential(envKey);
+    if (val) {
+      process.env[envKey] = val;
+      return;
+    }
   }
 
   console.log("");
@@ -232,6 +243,7 @@ async function ensureApiKey() {
   console.log("  └─────────────────────────────────────────────────────────────────┘");
   console.log("");
 
+  let key;
   while (true) {
     key = normalizeCredentialValue(await prompt("  NVIDIA API Key: ", { secret: true }));
 
@@ -311,6 +323,7 @@ async function ensureGithubToken() {
 }
 
 const exports_ = {
+  SUPPORTED_API_KEYS,
   loadCredentials,
   normalizeCredentialValue,
   saveCredential,

diff --git a/bin/lib/onboard.js b/bin/lib/onboard.js
@@ -2157,6 +2157,7 @@ async function createSandbox(
   // See: crates/openshell-sandbox/src/proxy.rs (header stripping),
   //      crates/openshell-router/src/backend.rs (server-side auth injection).
   const envArgs = [formatEnvAssignment("CHAT_UI_URL", chatUiUrl)];
+
   const sandboxEnv = { ...process.env };
   delete sandboxEnv.NVIDIA_API_KEY;
   const discordToken = getCredential("DISCORD_BOT_TOKEN") || process.env.DISCORD_BOT_TOKEN;
@@ -2167,6 +2168,10 @@ async function createSandbox(
   if (slackToken) {
     sandboxEnv.SLACK_BOT_TOKEN = slackToken;
   }
+  const slackAppToken = getCredential("SLACK_APP_TOKEN") || process.env.SLACK_APP_TOKEN;
+  if (slackAppToken) {
+    sandboxEnv.SLACK_APP_TOKEN = slackAppToken;
+  }
   // Run without piping through awk — the pipe masked non-zero exit codes
   // from openshell because bash returns the status of the last pipeline
   // command (awk, always 0) unless pipefail is set. Removing the pipe

diff --git a/bin/nemoclaw.js b/bin/nemoclaw.js
@@ -37,6 +37,7 @@ const {
   ensureGithubToken,
   getCredential,
   isRepoPrivate,
+  SUPPORTED_API_KEYS,
 } = require("./lib/credentials");
 const registry = require("./lib/registry");
 const nim = require("./lib/nim");
@@ -710,7 +711,17 @@ async function deploy(instanceName) {
     `rsync -az --delete --exclude node_modules --exclude .git --exclude src -e "ssh -o StrictHostKeyChecking=no -o LogLevel=ERROR" "${ROOT}/scripts" "${ROOT}/Dockerfile" "${ROOT}/nemoclaw" "${ROOT}/nemoclaw-blueprint" "${ROOT}/bin" "${ROOT}/package.json" ${qname}:/home/ubuntu/nemoclaw/`,
   );
 
-  const envLines = [`NVIDIA_API_KEY=${shellQuote(process.env.NVIDIA_API_KEY || "")}`];
+  const envLines = [];
+  let hasKey = false;
+  for (const k of SUPPORTED_API_KEYS) {
+    const val = process.env[k] || getCredential(k);
+    if (val) {
+      envLines.push(`${k}=${shellQuote(val)}`);
+      hasKey = true;
+    }
+  }
+  if (hasKey) envLines.push("NEMOCLAW_HAS_API_KEY=1");
+
   const ghToken = process.env.GITHUB_TOKEN;
   if (ghToken) envLines.push(`GITHUB_TOKEN=${shellQuote(ghToken)}`);
   const tgToken = getCredential("TELEGRAM_BOT_TOKEN");
@@ -763,6 +774,15 @@ async function deploy(instanceName) {
 }
 
 async function start() {
+  const creds = require("./lib/credentials").loadCredentials();
+  for (const [k, v] of Object.entries(creds)) {
+    if (!process.env[k]) process.env[k] = v;
+  }
+
+  if (SUPPORTED_API_KEYS.some((k) => process.env[k])) {
+    process.env.NEMOCLAW_HAS_API_KEY = "1";
+  }
+
   const { defaultSandbox } = registry.listSandboxes();
   const safeName =
     defaultSandbox && /^[a-zA-Z0-9._-]+$/.test(defaultSandbox) ? defaultSandbox : null;
@@ -771,7 +791,11 @@ async function start() {
 }
 
 function stop() {
-  run(`bash "${SCRIPTS}/start-services.sh" --stop`);
+  const { defaultSandbox } = registry.listSandboxes();
+  const safeName =
+    defaultSandbox && /^[a-zA-Z0-9._-]+$/.test(defaultSandbox) ? defaultSandbox : null;
+  const sandboxEnv = safeName ? `SANDBOX_NAME=${shellQuote(safeName)}` : "";
+  run(`${sandboxEnv} bash "${SCRIPTS}/start-services.sh" --stop`);
 }
 
 function debug(args) {
@@ -829,6 +853,10 @@ function uninstall(args) {
 }
 
 function showStatus() {
+  if (SUPPORTED_API_KEYS.some((k) => process.env[k] || getCredential(k))) {
+    process.env.NEMOCLAW_HAS_API_KEY = "1";
+  }
+
   // Show sandbox registry
   const { sandboxes, defaultSandbox } = registry.listSandboxes();
   if (sandboxes.length > 0) {
@@ -846,7 +874,10 @@ function showStatus() {
   }
 
   // Show service status
-  run(`bash "${SCRIPTS}/start-services.sh" --status`);
+  const { defaultSandbox: ds2 } = registry.listSandboxes();
+  const sn2 = ds2 && /^[a-zA-Z0-9._-]+$/.test(ds2) ? ds2 : null;
+  const se2 = sn2 ? `SANDBOX_NAME=${shellQuote(sn2)}` : "";
+  run(`${se2} bash "${SCRIPTS}/start-services.sh" --status`);
 }
 
 async function listSandboxes() {