[Bug]: [Security]: Session status message leaks partial API token to end users #32970

@NeverRetireWithJoe

Description

Bug type

Behavior bug (incorrect output/state without crash)

Summary

Describe the bug

When a new session starts, OpenClaw sends a user-visible message that includes a partial API token:
✅ New session started · model: anthropic/claude-opus-4-6 · 🔑 token sk-ant…KsFwAA (anthropic:default)
The authSuffix in the session start message exposes the token prefix and last 5 characters. This message is delivered directly to end users on messaging surfaces (Telegram, Discord, etc.), leaking credential fragments.

Location in source
```js
const authSuffix = modelAuthLabel && modelAuthLabel !== "unknown" ? ` · 🔑 ${modelAuthLabel}` : "";
payload: { text: `✅ New session started · model: ${modelLabel}${authSuffix}` }
```

Files affected:

• dist/pi-embedded-DqgaE1xK.js
• dist/plugin-sdk/reply-CqKtVq5t.js
• dist/pi-embedded-CAmQsy9D.js
• dist/reply-B2UJINPw.js
• dist/subagent-registry-Bdm_X-N1.js

Why this is a security concern

  1. Token fragment exposure — Even partial tokens help narrow brute-force search space
  2. Delivered to end users — On Telegram/Discord, this message is visible to anyone in the chat
  3. Provider identification — Reveals exact provider and auth method to external parties
  4. No opt-out — There is no config option to suppress the token label

Suggested fix
```js
const authSuffix = ""; // Never expose token fragments to end users
```
Or add a config gate:
```js
const authSuffix = cfg.sessionStatus?.showAuth && modelAuthLabel && modelAuthLabel !== "unknown"
  ? ` · 🔑 ${modelAuthLabel}` : "";
```

Steps to reproduce

Expected behavior

Session start message should NOT include any token fragment:
✅ New session started · model: anthropic/claude-opus-4-6
Or provide a config option like sessionStatus.showAuth: false to suppress it.

Actual behavior

OpenClaw version

OpenClaw version: 2026.2.21-2 (also confirmed in 2026.3.1 source)

Operating system

OS: Linux; Channel: Telegram

Install method

No response

Logs, screenshots, and evidence

Impact and severity

No response

Additional information

No response
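The config-gated fix sketched under Suggested fix, carried through as an added example. This is editor-written illustration, not OpenClaw's code: the status line is built with auth details hidden unless a hypothetical sessionStatus.showAuth option is set, and even then only the auth method and profile survive, never the credential; a final pattern check refuses to emit any text that still looks like a key fragment, so a later change to the label formatter cannot quietly reintroduce the leak. The function names, the config shape, the key-prefix patterns and the sample inputs are all assumptions.

```javascript
// Added example, not OpenClaw's code: build the session-start status line so that
// credential fragments never reach a chat surface. Config shape
// (sessionStatus.showAuth), function names and the key-prefix patterns are assumed.

// Hypothetical config: auth details are hidden unless explicitly enabled.
const DEFAULT_CONFIG = Object.freeze({ sessionStatus: { showAuth: false } });

// Assumed key-prefix patterns (Anthropic "sk-ant-", OpenAI "sk-", GitHub "ghp_",
// Slack "xox?-"). A fragment such as "sk-ant…KsFwAA" matches because the
// ellipsis and the tail are non-whitespace and are swallowed by \S*.
const TOKEN_FRAGMENT_RE = /\b(?:sk-[a-z0-9-]*|ghp_[a-z0-9]*|xox[abp]-[a-z0-9-]*)\S*/i;

function containsTokenFragment(text) {
  return TOKEN_FRAGMENT_RE.test(text);
}

// Reduce a raw auth label of the shape "<method> <credential> (<provider>:<profile>)"
// to method and profile only. The credential column is dropped outright; an
// unrecognised shape yields nothing rather than risking a leak.
function describeAuth(modelAuthLabel) {
  if (!modelAuthLabel || modelAuthLabel === "unknown") return "";
  const m = /^(\S+)\s+(\S+)(?:\s+\((.+)\))?$/.exec(modelAuthLabel);
  if (!m) return "";
  const [, method, , profile] = m;
  return profile ? ` · 🔑 ${method} (${profile})` : ` · 🔑 ${method}`;
}

// Build the user-visible status line. The auth suffix is empty unless
// cfg.sessionStatus.showAuth is true, and the finished text is checked once more
// before it is returned: anything that still looks like a credential is refused.
function buildSessionStartMessage({ modelLabel, modelAuthLabel, cfg = DEFAULT_CONFIG }) {
  const showAuth = Boolean(cfg && cfg.sessionStatus && cfg.sessionStatus.showAuth);
  const authSuffix = showAuth ? describeAuth(modelAuthLabel) : "";
  const text = `✅ New session started · model: ${modelLabel}${authSuffix}`;
  if (containsTokenFragment(text)) {
    throw new Error("refusing to send session status: text contains a credential fragment");
  }
  return text;
}

// Constructed inputs mirroring the leaking line quoted in the report.
const SAMPLE_MODEL = "anthropic/claude-opus-4-6";
const SAMPLE_AUTH_LABEL = "token sk-ant…KsFwAA (anthropic:default)";

// Default config: no auth suffix at all.
console.log(buildSessionStartMessage({ modelLabel: SAMPLE_MODEL, modelAuthLabel: SAMPLE_AUTH_LABEL }));
// Opt-in: method and profile only, credential dropped.
console.log(buildSessionStartMessage({
  modelLabel: SAMPLE_MODEL,
  modelAuthLabel: SAMPLE_AUTH_LABEL,
  cfg: { sessionStatus: { showAuth: true } },
}));
```

The guard in buildSessionStartMessage is deliberately a hard failure rather than a silent strip: a thrown error surfaces in logs and tests, whereas silently removing the fragment would hide the fact that something upstream is still formatting credentials into user-facing strings.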

Metadata

Labels: bug (Something isn't working), bug:behavior (Incorrect behavior without a crash), security (Security documentation)

Development: No branches or pull requests