[Bug]: SecretRef keys are re-materialized as plaintext in ~/.openclaw/agents/*/agent/models.json after runtime load #28359

@tunanet

Summary

Even after migrating provider API keys to SecretRef (openclaw secrets configure/apply) and confirming openclaw.json contains references (not plaintext), the OpenClaw runtime writes resolved plaintext API keys into the per-agent runtime file:

~/.openclaw/agents//agent/models.json

This appears to defeat the purpose of SecretRef at-rest protection.

Environment

• OpenClaw: 2026.2.26 (stable)
• OS: Ubuntu Linux
• Node: 24.14.0
• Deployment: systemd user service (openclaw-gateway.service)
• Providers affected: bailian, minimax-cn, kimi-coding

Steps to reproduce

  1. Configure providers in openclaw.json to use SecretRef for apiKey (no plaintext in config).
  2. Run:

• openclaw secrets configure
• openclaw secrets apply
• openclaw secrets reload

  3. Verify references:

• openclaw config get models.providers.
• openclaw secrets audit (plaintext may show 0 in config layer)

  4. Start/Restart gateway and trigger model usage.
  5. Inspect:

• ~/.openclaw/agents/main/agent/models.json
• ~/.openclaw/agents//agent/models.json

Expected behavior

Secret values should never be persisted in plaintext runtime artifacts.
models.json should store either:

• a redacted placeholder, or
• SecretRef metadata only, or
• no key field at all.

Actual behavior

models.json contains resolved plaintext API keys (e.g., sk-...) for configured providers.

OpenClaw version

2026.2.26

Operating system

Ubuntu 24.04

Install method

npm global

Logs, screenshots, and evidence

Impact and severity

• Secret leakage to disk in runtime files despite SecretRef configuration.
• Expanded exposure surface in:
    • backups,
    • diagnostics,
    • logs,
    • accidental Git commits.

Additional information

• This is reproducible across multiple agents.
• We observed SecretRef correctness in openclaw.json while runtime artifacts still contain plaintext.
• openclaw secrets audit currently does not always highlight this runtime-file leakage path clearly enough for operators.

Suggested Fix

  1. Prevent plaintext key persistence in agents/*/agent/models.json.
  2. Redact or omit provider apiKey when serializing runtime model snapshots.
  3. Extend openclaw secrets audit to explicitly detect and flag plaintext in runtime-derived files.
  4. Provide a one-shot sanitization/migration command for existing deployments.
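
Added example, not part of the issue report and not OpenClaw code: a sketch of the audit and redaction checks from suggested fixes 2 and 3, walking agents/*/agent/models.json for string-valued apiKey fields. The SecretRef object shape, the `[REDACTED]` placeholder and all function names are assumptions made for illustration.

```javascript
// Assumption: a SecretRef serializes as an object, so any non-empty string under
// "apiKey" counts as a resolved secret. The walk is schema-agnostic because the
// models.json layout is not given in the issue.
const REDACTED = "[REDACTED]"; // constructed placeholder, not an OpenClaw constant
const isPlain = (k, v) => k === "apiKey" && typeof v === "string" && v !== "" && v !== REDACTED;
// Return the JSON path of every plaintext apiKey; the values are never returned.
function findPlaintextKeys(node, path = "$", hits = []) {
  if (Array.isArray(node)) {
    node.forEach((v, i) => findPlaintextKeys(v, `${path}[${i}]`, hits));
  } else if (node && typeof node === "object") {
    for (const [k, v] of Object.entries(node)) {
      if (isPlain(k, v)) hits.push(`${path}.${k}`);
      else findPlaintextKeys(v, `${path}.${k}`, hits);
    }
  }
  return hits;
}

// Deep copy with plaintext apiKey strings replaced; object references are kept.
function redactKeys(node) {
  if (Array.isArray(node)) return node.map(redactKeys);
  if (!node || typeof node !== "object") return node;
  return Object.fromEntries(Object.entries(node).map(
    ([k, v]) => [k, isPlain(k, v) ? REDACTED : redactKeys(v)]));
}

// Scan <root>/agents/*/agent/models.json; report paths and file mode per file.
async function auditAgents(root) {
  const fs = await import("node:fs");
  const path = await import("node:path");
  const dir = path.join(root, "agents");
  const report = [];
  for (const agent of fs.existsSync(dir) ? fs.readdirSync(dir) : []) {
    const file = path.join(dir, agent, "agent", "models.json");
    if (!fs.existsSync(file)) continue;
    let hits;
    try { hits = findPlaintextKeys(JSON.parse(fs.readFileSync(file, "utf8"))); }
    catch { hits = ["<unparseable JSON>"]; }
    const mode = (fs.statSync(file).mode & 0o777).toString(8);
    if (hits.length) report.push({ file, hits, mode });
  }
  return report;
}

// Constructed sample: provider names from the issue, fake values.
const SAMPLE = { providers: {
  bailian: { apiKey: "sk-constructed-example" },
  "minimax-cn": { apiKey: { source: "env", id: "MINIMAX_KEY" } }, // hypothetical SecretRef shape
} };
```

Calling `auditAgents` with the `~/.openclaw` directory as root returns one entry per file that still holds a plaintext key, listing field paths and the file mode but never the key itself.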
