Feature Request: Masked Secrets - Prevent Agent from Accessing Raw API Keys

[jmkritt]

Summary

Add a "masked secrets" system that allows agents to use API keys without being able to see them. This prevents accidental leaks and protects against prompt injection attacks designed to extract credentials.

Problem

Currently, secrets stored in ~/.openclaw/.env are fully accessible to agents:

1. Agent can run cat ~/.openclaw/.env and read plaintext keys
2. Agent can run echo $API_KEY to print environment variables
3. Secrets can appear in command outputs and chat history
4. Prompt injection attacks could trick an agent into revealing secrets

Proposed Solution

1. Secret Reference Syntax

curl -H "Authorization: Bearer {{secret:MY_API_KEY}}" https://api.example.com

2. Runtime Substitution — Gateway substitutes the real value before execution

3. Output Redaction — Any leaked secret replaced with [REDACTED]

4. Blocked Commands — Prevent echo $VAR, env, cat .env

5. Config:

secrets:
  mask:
    - MY_API_KEY
    - ANOTHER_SECRET

Willingness to Contribute

Happy to implement this if the approach looks good!

This proposal was developed with AI assistance (Claude/OpenClaw).

[jmkritt]

Workaround available: While waiting for native support, I've published a guide for securing API keys using Linux user isolation.

How it works:

• Create a separate Linux user that owns your secrets
• Wrapper scripts make API calls using those secrets internally
• Agent gets limited sudo to run only those scripts
• Result: Agent can USE your APIs but cannot SEE your credentials

This is prompt-injection proof — Linux permissions are enforced by the kernel, not agent discipline.

Repo: https://github.com/jmkritt/openclaw-secrets-hardening

Includes full setup guide and script templates. Would still love to see this built into OpenClaw natively, but this works today.

[HenryLoenwind]

It's also worth mentioning that .env is in itself a bad solution. Setting the environment variables with a systemd override (like so) is more secure. It isn't foolproof, the env can still be read, but it is better.

[jmkritt]

Good point — .env files aren't ideal. But our solution goes beyond just hiding the file.

With user isolation, the agent never has the keys in its environment at all. The keys only exist inside the wrapper script's execution context (running as a separate user). The agent can't read the file, can't access the other user's /proc/[pid]/environ, and can't run arbitrary commands as that user.

Systemd EnvironmentFile is better than .env, but separate user + wrapper scripts closes more attack vectors.

[HenryLoenwind]

Sure, I'm not saying that adding more security is bad, but your solution is limited to commands the agent executes. It won't work for API keys openclaw itself needs.

[jmkritt]

You're right. This solution is for keys the agent calls via external APIs, not keys OpenClaw itself needs.

Here's how I got here: I'm a real estate broker, not a security engineer. My agent leaked my API keys in chat twice while debugging an auth issue. I asked in Discord how to fix it and was told "just know Linux." That wasn't helpful.

So I built a workaround for what I could control: the keys MY agent uses to call external services like my CRM. User isolation solved that layer.

But you're right that OpenClaw's own keys (LLM providers, channel tokens) need a different fix. That's why I filed this feature request. The platform itself needs to handle that layer.

I love this project and want to see it succeed. Security is one area where improvement would make a big difference. If anyone wants to collaborate on a PR for masked secrets or the prompt context fix (#11202), I'd love to see it happen.

What would it take to get this prioritized?

[HenryLoenwind]

If anyone wants to collaborate on a PR for masked secrets

There's already (at least) one: #9271

Edit: And no, I don't know how to get anything even seen by the maintainers. They seem to be completely overwhelmed by the flood of PRs and tickets---recent commits even show them implementing fixes and features that already have good PRs...

[yaront1111]

Related: #22170 proposes Cordum which solves this at the architecture level.

When tool calls route through Cordum's API gateway, the agent never touches raw credentials — Cordum holds the keys and injects them at dispatch time. The agent submits a job referencing a capability ("use-search-api"), and the scheduler resolves which pool and credentials to use. The agent's API key is scoped to specific capabilities and tenants, so even a compromised agent can't access credentials outside its assigned scope.

This is fundamentally different from the file-permission approach discussed here — instead of trying to hide keys on the same filesystem the agent can read, the keys live in a separate service the agent talks to over HTTP/gRPC.