Security Report

Environment

• OpenClaw version: 2026.3.2
• OS: macOS (arm64)

Description

The gateway resolves secret references (${ENV_VAR}, SecretRef with Vault/exec/file providers) at startup and writes the resolved plaintext values into agents/*/agent/models.json files on disk.

This means that regardless of the secrets management approach used (environment variables, .env files, Vault exec provider, file provider, etc.), all API keys end up stored as plaintext on disk in models.json under each agent directory.

Impact

Using Vault or any SecretRef provider becomes ineffective because:

1. Secrets are resolved at startup and persisted to disk in plaintext
2. Every agent gets its own copy of models.json with full API keys
3. The security benefits of centralized secret management (audit trail, rotation, access control) are undermined
4. File permissions on models.json are not restricted — observed 644 in some cases

Steps to Reproduce

1. Configure API keys using any secret source (${ENV_VAR}, SecretRef with exec/file provider, etc.)
2. Start the gateway
3. Inspect $OPENCLAW_STATE_DIR/agents/*/agent/models.json
4. Observe that all API keys are written in plaintext

Expected Behavior

• models.json should NOT contain resolved secret values
• Secrets should remain in-memory only after resolution
• If models.json must be written, secret fields should be redacted or replaced with references

Actual Behavior

Every models.json file under each agent directory contains fully resolved plaintext API keys (provider keys, bot tokens, etc.).