[Security] Model catalog with resolved apiKey values injected into LLM prompt context on every turn

[rplakas]

Summary

The runtime model catalog (resolved from openclaw.json providers) is serialized into the LLM request payload as part of the system prompt context on every turn. Because environment variable references (${VAR}) are resolved to plaintext before serialization, all provider API keys are sent to whichever LLM provider handles the request.

This means every provider sees every other provider's keys on every single turn.

Important: This happens even when keys are NOT hardcoded in openclaw.json. Using the recommended ${ENV_VAR} syntax does not help — the variable references are resolved to plaintext at runtime, and the resolved values are what get serialized into the LLM context. Moving keys to environment variables, systemd EnvironmentFile=, or .env files does not mitigate this issue.

Reproduction

1. Configure multiple providers in openclaw.json with apiKey: "${ENV_VAR}" syntax
2. Enable request logging on any provider (e.g., OpenRouter, or use a local LLM proxy)
3. Send a message to any agent
4. Inspect the request payload — the full model catalog including resolved apiKey fields appears in the system context

Safe local reproduction: Point the main agent at a local LLM (e.g., Ollama) and inspect the incoming request payload. The resolved apiKey fields for all configured cloud providers will be visible in the system context. This confirms the bug without actually leaking keys to a third party.

Impact

• Cross-provider key leakage: OpenRouter sees your NVIDIA key, Anthropic sees your Google key, etc.
• Leakage scales linearly: Keys are sent on every turn, not just once
• Affects all users with multiple providers configured
• Keys persist in provider logs — even after rotation, historical logs retain old keys

Expected Behavior

apiKey fields (and any other secret fields) should be stripped from the model catalog before it is serialized into LLM prompt context. The agent does not need provider credentials to function — it only needs model names, capabilities, and cost info.

Environment

• openclaw v2026.2.3-1 (confirmed still present in v2026.2.6-3)
• Gateway mode, systemd service
• Multiple providers (Google, OpenRouter, NVIDIA, X.AI)

Related Issues

• CRITICAL: Config secrets exposed in JSON after update/doctor #9627 — Config secrets exposed after update/doctor (same root cause, different surface)
• [Security] Agent tools expose secrets to session transcripts via config.get and env commands #5995 — Agent tools expose secrets to session transcripts (similar pattern, different vector)
• Feature Request: Masked Secrets - Prevent Agent from Accessing Raw API Keys #10659 — Feature request for masked secrets

[rplakas]

Additional surface: /status command

The /status command also displays the active provider's API key (truncated but visible) in the CLI output:

🔑 api-key sk-ss-…adbfae (models.json)

This exposes the key to anyone viewing the terminal, session transcript, or any tool/integration that captures CLI output. Separate from the LLM prompt injection vector described above, but same root cause — resolved secrets not being redacted before display.

[jmkritt]

I traced the leak path and created a comprehensive security roadmap:

See: #11829 — Security Roadmap: Protecting API Keys from Agent Access

That issue covers:

• Layer 1: Quick fix for this models.json leak
• Layer 2: Full masked secrets architecture (Feature Request: Masked Secrets - Prevent Agent from Accessing Raw API Keys #10659)
• Layer 3: Upstream fix for pi-coding-agent

Happy to help implement.

[sfo2001]

With the vault proxy (PR #12839), the gateway's model catalog only contains placeholder API keys (e.g., dummy). Real credentials exist solely in the sidecar process on an isolated Docker network. Even if the catalog is serialized into the prompt, no real keys are leaked.