Secrets: expand SecretRef scope to channel credentials (botToken, webhookSecret) #28306
Description
Feature Request
The new External Secrets Management (#26155) is excellent — thanks @joshavant for landing this.
Currently, in-scope fields for SecretRef are limited to:
- models.providers.<provider>.apiKey
- skills.entries.<skillKey>.apiKey
- channels.googlechat.serviceAccount/serviceAccountRef
- auth-profiles.json entries
Request: Expand SecretRef support to channel credentials, specifically:
- channels.telegram.botToken
- channels.discord.botToken
- channels.slack.botToken/appToken
- channels.whatsapp.accessToken
- Other channel auth fields
Why
Channel bot tokens are arguably the most sensitive credentials in openclaw.json. A malicious process reading the config file gets full control of the bot. Being able to store these as SecretRefs (resolved at runtime via env, file, or exec provider) would close the biggest plaintext exposure.
Use Case
On macOS, a companion app stores bot tokens in Keychain and could provide an exec resolver to fetch them at runtime — keeping openclaw.json free of plaintext secrets entirely. On Linux, users could use pass, secret-tool, or Docker secrets. The exec provider makes this cross-platform without any OS-specific code in OpenClaw.
Scope
This is purely expanding the list of fields that accept SecretRef objects — the resolution infrastructure is already in place.
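An added example, not part of the original issue and not OpenClaw code: a small audit that walks an already-parsed openclaw.json and reports which of the string-valued credential fields named above still hold a literal value. It assumes the config has been loaded into a Python dict and that a SecretRef is an object rather than a string, as the issue's wording suggests; the sample config, its token values and the keys inside the ref objects are constructed placeholders.

```python
# Credential fields named in the issue; "*" matches any single key.
CREDENTIAL_PATHS = [
    "models.providers.*.apiKey",
    "skills.entries.*.apiKey",
    "channels.telegram.botToken",
    "channels.discord.botToken",
    "channels.slack.botToken",
    "channels.slack.appToken",
    "channels.whatsapp.accessToken",
]

def _walk(node, parts, prefix=()):
    """Yield (dotted_path, value) for every value matching the pattern."""
    if not parts:
        yield ".".join(prefix), node
        return
    if not isinstance(node, dict):
        return  # malformed or absent section: nothing to report
    head, rest = parts[0], parts[1:]
    keys = list(node) if head == "*" else ([head] if head in node else [])
    for key in keys:
        yield from _walk(node[key], rest, prefix + (key,))

def find_plaintext_credentials(config):
    """Return sorted paths whose value is a non-empty literal string.

    Assumption: a SecretRef is a JSON object, so only strings are flagged.
    """
    findings = []
    for pattern in CREDENTIAL_PATHS:
        for path, value in _walk(config, pattern.split(".")):
            if isinstance(value, str) and value.strip():
                findings.append(path)
    return sorted(findings)

# Constructed sample; token values and the ref object's keys are placeholders.
SAMPLE = {
    "models": {"providers": {"exampleprovider": {"apiKey": {"placeholder": "ref"}}}},
    "channels": {
        "telegram": {"botToken": "PLACEHOLDER-TELEGRAM-TOKEN"},
        "discord": {"botToken": {"placeholder": "ref"}},
        "slack": {"botToken": "PLACEHOLDER-SLACK-TOKEN", "appToken": ""},
    },
}

if __name__ == "__main__":
    for path in find_plaintext_credentials(SAMPLE):
        print("plaintext credential:", path)
```

The report contains only field paths, never the values, so its output can be logged or attached to a ticket without leaking a token.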