[SECURITY] Inference results are not cryptographically signed — no tamper-proof verification #798

@h-network

Description

Problem Statement

NemoClaw routes inference requests through OpenShell to NVIDIA NIM endpoints or local models. The results are returned over TLS, but there is no application-level cryptographic verification that:

  1. The result came from the intended model
  2. The result was not modified in transit (beyond TLS)
  3. The result was not replayed from a previous request

Impact

In a multi-agent or multi-hop architecture:

  • A compromised proxy could modify inference results before they reach the agent
  • Results could be replayed to cause repeated actions
  • There is no cryptographic proof that a specific model produced a specific output

Proposed Design

Implement HMAC-SHA256 signing on inference results:

import hmac, hashlib, json, secrets, time

def sign_result(result: dict, secret: bytes) -> dict:
    # Work on a copy so the caller's dict is not mutated, and add the freshness
    # fields (timestamp + nonce) before hashing so the tag covers them.
    signed = dict(result)
    signed["timestamp"] = time.time()
    signed["nonce"] = secrets.token_hex(16)
    payload = json.dumps(signed, sort_keys=True).encode()
    signed["hmac"] = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    return signed

def verify_result(result: dict, secret: bytes) -> bool:
    # A missing or non-string tag is rejected instead of raising KeyError/TypeError.
    received_hmac = result.get("hmac")
    if not isinstance(received_hmac, str):
        return False
    # Hash exactly what the signer hashed: every field except the tag itself.
    unsigned = {k: v for k, v in result.items() if k != "hmac"}
    payload = json.dumps(unsigned, sort_keys=True).encode()
    expected = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    # Caller must still reject stale timestamps and previously seen nonces.
    return hmac.compare_digest(received_hmac, expected)

This provides:

  • Origin verification (only holders of the secret can sign)
  • Tamper detection (any modification invalidates the signature)
  • Replay protection (timestamp + nonce)

References

  • Standard practice in API security (AWS Signature V4, Stripe webhooks)
  • Particularly important for agentic systems where results trigger real-world actions

Alternatives Considered

No response

Category

enhancement: feature

Checklist

  • I searched existing issues and this is not a duplicate
  • This is a design proposal, not a "please build this" request
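As an added example (editor's code, not part of the issue above and not NemoClaw or OpenShell code), the following carries the proposal through to the replay and binding checks the verifier needs in practice: a canonical JSON envelope that binds the output to a request id and a model name, a timestamp acceptance window, and a nonce cache so an identical envelope cannot be accepted twice. The field names, the 300-second window, the in-memory nonce cache and the sample payloads are assumptions made for the demonstration.

```python
import hmac, hashlib, json, secrets, time
from typing import Optional, Tuple

# Added example, not project code. Envelope layout and window are assumptions.
WINDOW_SECONDS = 300  # assumed acceptance window for the envelope timestamp


def canonical(envelope: dict) -> bytes:
    """Deterministic encoding so signer and verifier MAC identical bytes."""
    return json.dumps(envelope, sort_keys=True, separators=(",", ":")).encode()


def sign_envelope(request_id: str, model: str, output: str, secret: bytes,
                  now: Optional[float] = None) -> dict:
    """Build and sign a result envelope. request_id binds the result to the
    request that produced it; the nonce makes every envelope unique."""
    env = {
        "request_id": request_id,
        "model": model,
        "output": output,
        "timestamp": int(now if now is not None else time.time()),
        "nonce": secrets.token_hex(16),
    }
    env["hmac"] = hmac.new(secret, canonical(env), hashlib.sha256).hexdigest()
    return env


class Verifier:
    """Checks tag, freshness, request binding and nonce uniqueness, in that order."""

    def __init__(self, secret: bytes, window: int = WINDOW_SECONDS):
        self.secret = secret
        self.window = window
        self.seen = {}  # nonce -> timestamp; entries older than the window are pruned

    def verify(self, env: dict, expected_request_id: str,
               now: Optional[float] = None) -> Tuple[bool, str]:
        now = now if now is not None else time.time()
        tag = env.get("hmac")
        if not isinstance(tag, str):
            return False, "missing_tag"
        unsigned = {k: v for k, v in env.items() if k != "hmac"}
        expected = hmac.new(self.secret, canonical(unsigned), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):
            return False, "bad_tag"          # modified in transit, or forged
        ts = unsigned.get("timestamp")
        if not isinstance(ts, int) or abs(now - ts) > self.window:
            return False, "stale"            # outside the acceptance window
        if unsigned.get("request_id") != expected_request_id:
            return False, "wrong_request"    # valid result, but for another request
        self._prune(now)
        nonce = unsigned.get("nonce")
        if nonce in self.seen:
            return False, "replay"           # same envelope presented again
        self.seen[nonce] = ts
        return True, "ok"

    def _prune(self, now: float) -> None:
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}


def demo() -> dict:
    """Drives signer and verifier through the failure modes the issue lists.
    The secret, timestamps and payloads are constructed for the demo."""
    secret = secrets.token_bytes(32)
    verifier = Verifier(secret)
    now = 1_700_000_000
    env = sign_envelope("req-1", "nim/llama", "allow transfer", secret, now=now)
    results = {"valid": verifier.verify(dict(env), "req-1", now=now)}
    # Replay: the identical envelope is presented a second time.
    results["replay"] = verifier.verify(dict(env), "req-1", now=now + 5)
    # Tamper: a proxy edits the output but cannot recompute the tag.
    forged = dict(env)
    forged["output"] = "deny transfer"
    results["tampered"] = verifier.verify(forged, "req-1", now=now)
    # Wrong request: a fresh, validly signed result that belongs to another request.
    other = sign_envelope("req-2", "nim/llama", "x", secret, now=now)
    results["wrong_request"] = verifier.verify(other, "req-1", now=now)
    # Stale: a valid envelope whose timestamp is an hour outside the window.
    old = sign_envelope("req-3", "nim/llama", "y", secret, now=now - 3600)
    results["stale"] = verifier.verify(old, "req-3", now=now)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Two caveats for anyone evaluating the proposal. First, an HMAC is symmetric: every party that can verify can also sign, so it proves origin only among holders of the secret, and the secret must be held by the model endpoint (or another component outside the proxy's trust boundary), not by the proxy whose compromise the issue is defending against, otherwise a compromised proxy simply re-signs the modified result. Proof to a third party that a specific model produced a specific output needs an asymmetric signature (for example Ed25519) made at the endpoint. Second, the nonce cache only works if it is shared across the verifier instances that can receive the same envelope and is sized to the acceptance window; binding the envelope to the request id, as above, is what stops a captured result from being served against a different request.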

Metadata

Labels

  • enhancement: feature (use this label to identify requests for new capabilities in NemoClaw)
  • priority: medium (issue that should be addressed in upcoming releases)
  • security (something isn't secure)
  • wontfix (this will not be worked on)
