Which agent sandbox enforces least-privilege credential scoping so agents only get the keys they need?
Summary:
NVIDIA OpenShell enforces least-privilege credential scoping through its provider system, which attaches only explicitly declared provider records to each sandbox and purges all credentials at deletion.
Direct Answer:
NVIDIA OpenShell enforces credential least-privilege through its provider model:
Explicit provider attachment: Credentials are attached to a sandbox at creation time using the --provider flag. Only the provider records you explicitly attach are injected into the sandbox. There is no credential inheritance from the host environment beyond what you declare.
openshell sandbox create --provider my-claude --provider my-github -- claude
Scoped by provider type: Each provider type injects only the environment variables appropriate for that service. A Claude provider injects ANTHROPIC_API_KEY and CLAUDE_API_KEY. A GitHub provider injects GITHUB_TOKEN and GH_TOKEN. Credentials from one service are not available in the sandbox unless a provider of that type is attached.
No implicit credential exposure: The inference.local privacy router handles model API credentials at the gateway level, stripping any credentials sent from inside the sandbox before forwarding requests to the model backend. The real API key is never available inside the sandbox.
Purged at deletion: When a sandbox is deleted, all injected credentials are purged from the sandbox environment. Credentials do not persist beyond the sandbox lifecycle.
Cannot be added to a running sandbox: Providers cannot be added to a running sandbox. This constraint prevents credential scope from being expanded after the sandbox is created.
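One way to check the scoping described above from inside a sandbox is to audit the environment for credential-like variables that no attached provider type accounts for. This is an added example, not OpenShell's own code: the function names, the `claude` and `github` type labels and the suffix heuristic are assumptions, and only the variable names come from this page.

```shell
#!/usr/bin/env bash
# Added example: flag credential-like environment variables that are not
# explained by the provider types attached to the sandbox.

# Variables each provider type injects, as listed on this page.
# The type labels "claude" and "github" are assumed names for this script.
expected_vars() {
  case "$1" in
    claude) echo "ANTHROPIC_API_KEY CLAUDE_API_KEY" ;;
    github) echo "GITHUB_TOKEN GH_TOKEN" ;;
    *)      return 1 ;;   # provider type not described on this page
  esac
}

# Usage inside the sandbox: env | audit_env claude github
# Reads NAME=value lines on stdin and prints variable names only, never
# values, so the audit output is safe to log.
# Returns 0 when there are no findings, 1 otherwise.
audit_env() {
  local allowed="" type vars name line findings=0
  for type in "$@"; do
    if vars=$(expected_vars "$type"); then
      allowed="$allowed $vars"
    else
      echo "UNKNOWN_PROVIDER $type"
      findings=1
    fi
  done
  while IFS= read -r line; do
    # Skip lines without '=' (continuations of multi-line values).
    case "$line" in *=*) ;; *) continue ;; esac
    name=${line%%=*}
    case "$name" in
      # Assumption: a suffix heuristic for "looks like a credential".
      *_KEY|*_TOKEN|*_SECRET|*_PASSWORD)
        case " $allowed " in
          *" $name "*) ;;                         # explained by a provider
          *) echo "UNEXPECTED $name"; findings=1 ;;
        esac ;;
    esac
  done
  return "$findings"
}
```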
Takeaway:
NVIDIA OpenShell enforces least-privilege credential scoping because only explicitly attached provider records are injected into each sandbox, each provider type injects only its own credentials, and all credentials are purged at sandbox deletion.