Security Roadmap: Protecting API Keys from Agent Access

[jmkritt]

Summary

OpenClaw currently has multiple vectors where API keys can leak to the LLM or be exposed in chat. This roadmap proposes a layered approach to comprehensively protect secrets.

The Problem

1. LLM Provider Keys — Model catalog with resolved apiKey values is serialized into prompt context ([Security] Model catalog with resolved apiKey values injected into LLM prompt context on every turn #11202)
2. Agent-Accessible Keys — Agent can read .env files and accidentally display credentials in chat (Feature Request: Masked Secrets - Prevent Agent from Accessing Raw API Keys #10659)
3. Channel Tokens — Telegram, Discord, and other tokens are in openclaw.json, potentially accessible

These aren't edge cases. Real users have had keys exposed in chat while debugging.

Proposed Solution: Three Layers

Layer 1: Stop models.json Leak (Quick Fix)

Problem: models-config.ts writes apiKey to models.json, which gets serialized to prompt context.

Fix: Strip apiKey from models.json before writing. Store auth credentials separately for authentication only.

Files:

• src/agents/models-config.ts (~line 133)
• src/agents/models-config.providers.ts

Scope: ~100 lines
Timeline: Days
Impact: Stops LLM provider keys from leaking

---

Layer 2: Masked Secrets Architecture (#10659)

Problem: Agents can read any file they have permission to access, including .env files with secrets.

Fix: Implement proper secrets handling:

# Config uses placeholder
apiKey: "{{secret:ANTHROPIC_KEY}}"

# Agent sees placeholder, never real value
# Runtime substitutes when making API call
# Output is redacted if key appears accidentally

Components:

1. Secret placeholder syntax ({{secret:VAR}})
2. Runtime substitution layer
3. Output redaction filter
4. Secure secrets storage

Scope: Significant engineering
Timeline: Weeks
Impact: Protects ALL secrets (provider keys, channel tokens, external APIs)

---

Layer 3: Fix Upstream (pi-coding-agent)

Problem: The @mariozechner/pi-coding-agent package serializes model catalog (including apiKey) to prompt context.

Fix: That package should filter secret-looking fields before prompt serialization.

Scope: External dependency
Timeline: Depends on upstream maintainer
Impact: Fixes root cause for all users of that package

---

Workarounds Available Today

While waiting for platform fixes, users can protect agent-called APIs using Linux user isolation:

• Guide: https://github.com/jmkritt/openclaw-secrets-hardening
• Docs PR: docs(security): Add API key hardening guide #11622

This protects keys the agent calls (CRMs, external APIs) but doesn't address LLM provider keys or channel tokens.

---

Proposed Prioritization

1. Immediate: Layer 1 (quick fix, stops critical leak)
2. Short-term: Layer 2 (proper architecture)
3. Long-term: Layer 3 (upstream fix)

---

Related Issues

• Feature Request: Masked Secrets - Prevent Agent from Accessing Raw API Keys #10659 — Feature request for masked secrets
• [Security] Model catalog with resolved apiKey values injected into LLM prompt context on every turn #11202 — Model catalog apiKey leak to prompt context
• docs(security): Add API key hardening guide #11622 — Docs PR for user isolation workaround

---

Questions for Maintainers

1. Is this roadmap aligned with how you'd approach the problem?
2. Would Layer 1 be accepted as a PR while Layer 2 is designed?
3. Is there existing work on secrets handling we should know about?

Happy to help implement any of these layers.

[jmkritt]

Update: Comprehensive Solution Already Exists

Found PR #9271 — a zero-trust secure gateway that addresses this comprehensively:

• Gateway runs in Docker with NO access to secrets
• Host-side proxy holds all credentials
• Placeholders ({{CONFIG:...}}, {{OAUTH:...}}, {{ENV:...}}) replaced at network edge
• Even a fully compromised container cannot extract API keys

This is the proper Layer 2 solution, already built and tested.

Recommendation: Prioritize merging #9271. It solves the core problem.

Our user isolation workaround (github.com/jmkritt/openclaw-secrets-hardening) remains useful for users who can't run Docker or want protection today while waiting for #9271 to merge.

[aerouser]

Great initiative! We've been working on a similar problem with ClawShield - a security scanner for OpenClaw skills - and would love to share our approach.

Our experience:

1. Skill Validation - We scan skills before installation for:

   • Base64 obfuscation hiding malicious code
   • curl | bash patterns
   • Suspicious IP downloads
   • Hidden exfiltration endpoints
     → This has already blocked malware (see our case study on nanopdf malware detection)

2. Sandboxed Execution - Contain risky operations in isolated environments

3. API Key Isolation - Each skill gets its own credential scope

What we learned:

• Prevention > Detection - Catching malicious skills BEFORE install is critical
• Pattern matching - Most attacks use similar obfuscation techniques
• Community vigilance - Sharing threat intelligence across deployments

Possible collaboration:
Would you be interested in integrating ClawShield's validation into the OpenClaw security roadmap? We currently protect 100+ agent deployments and could provide:

• Skill security scanning API
• Threat intelligence sharing
• Best practices documentation

Happy to discuss further! 🔒

[secbear]

For Layer 2 reference — LND (Lightning Network Daemon) has a production implementation of this exact pattern called "remote signing": https://github.com/lightningnetwork/lnd/blob/master/docs/remote-signing.md

The wallet is split into a watch-only node (public-facing, handles all network operations, has no private keys) and a signer node (hardened, air-gapped except for one gRPC connection, holds all key material). The watch-only node delegates signing operations over RPC and never touches credentials. This is essentially what #12839's vault proxy does for API keys.

The part that's relevant to this roadmap: LND still had to strip private key material from the data structures the watch-only node works with, independent of the remote signer existing. That's the equivalent of Layer 1 here — even with a proxy/sidecar, the prompt-facing model catalog shouldn't contain credentials.

[qramo]

Just hit this in practice. While config.get correctly redacts secrets with OPENCLAW_REDACTED, the agent can trivially bypass this by reading the config file directly:

Redacted via API

gateway config.get → "apiKey": "OPENCLAW_REDACTED"

Not redacted via file read

exec: grep "apiKey" ~/.openclaw/openclaw.json → "apiKey": "BSA9asF7..." (real key exposed)

The read tool and exec (cat/grep/etc.) both have full access to ~/.openclaw/openclaw.json, so the redaction in config.get is effectively cosmetic.

Reproduction:

1. Configure any secret in openclaw.json (API key, bot token, etc.)
2. Ask the agent to retrieve it
3. config.get returns redacted values ✅
4. exec: cat ~/.openclaw/openclaw.json returns plaintext secrets ❌

Environment: OpenClaw 2026.2.15, macOS (arm64), anthropic/claude-opus-4-6

Suggestion: Until file-level isolation lands, maybe the exec/read tools could filter known config paths, or secrets could be stored in a separate keychain/credential store that the agent process can use but not read directly.

[lucamorettibuilds]

The three-layer approach makes a lot of sense. The recent comment about grep/exec bypassing config.get redaction highlights a fundamental tension: you can't protect secrets that live in files the agent has read access to, period. The agent WILL find a way around string redaction.

The proxy pattern from PR #9271 (host-side proxy holding credentials, container gets none) is the right direction. To add some nuance from working on this same problem:

Why placeholder substitution is necessary but not sufficient

The {{secret:VAR}} pattern works for config-time secrets (provider API keys, channel tokens). But it doesn't cover runtime credential acquisition — things like:

• OAuth tokens the agent needs for tool execution (GitHub API, Jira, etc.)
• Temporary credentials that need to be scoped and rotated
• Per-skill credentials that shouldn't be shared across all skills

For those, the agent shouldn't even know a {{secret:...}} placeholder exists. Instead, the credential should be injected at the network boundary by a separate service that the agent authenticates to, receives a scoped capability, and the actual secret never crosses the process boundary.

Practical architecture

Agent (sandboxed)                     Credential Proxy (trusted)
    │                                      │
    ├── "I need GitHub API access" ──────►│
    │                                      ├── Verify agent identity
    │                                      ├── Check policy (this agent can use github:read)
    │                                      ├── Inject real token into outbound request
    │◄── Returns API response ────────────┤
    │   (agent never sees the token)       │

This way, even a fully compromised agent process can't exfiltrate secrets because it never holds them. The proxy handles authentication, scoping, and rotation in a separate trust domain.

For Layer 2, I'd suggest separating the "what secrets exist" concern (config/placeholder layer) from the "how secrets are used at runtime" concern (proxy/gateway layer). The placeholder syntax is great for config serialization, but runtime API calls need the proxy pattern to be truly leak-proof.

Tools like janee implement this proxy pattern specifically for MCP-based agent architectures — might be useful as a reference for the runtime credential injection side of things.

[yaront1111]

Related: #22170 proposes Cordum which solves the "three layers" this roadmap identifies by moving credentials to a separate trust boundary.

The core issue @qramo highlighted — agents can bypass config.get redaction by reading files directly with grep/exec — disappears when credentials aren't on the agent's filesystem at all. Cordum holds credentials in its own Redis store, and agents interact via scoped API keys that only grant access to specific capabilities. The agent never sees provider keys, channel tokens, or other secrets.

This maps to Layer 3 in the roadmap (agent-inaccessible secrets), but implemented as an external service rather than in-process isolation — which is harder for the agent to bypass since there's no filesystem to cat.

[lucamorettibuilds]

@yaront1111 interesting pointer — Cordum looks like it covers the policy/orchestration layer (pre-dispatch evaluation, output scanning). That maps well to Layer 3 in the roadmap (runtime monitoring).

Worth noting these are complementary rather than competing concerns:

• Credential isolation (Layer 1) — keeping secrets off the agent filesystem entirely. This is what the proxy pattern from PR feat(security): Zero-trust secure gateway with secrets proxy #9271 solves, and what tools like Janee provide out of the box (host-side MCP server, agent gets zero credentials, requests go through the proxy which injects auth server-side).
• Policy enforcement (Layer 2–3) — deciding which requests to allow, scanning outputs, audit trails. Cordum seems focused here.

The grep/exec bypass @qramo demonstrated is a Layer 1 problem — no amount of policy evaluation helps if the secret is readable on disk. You need both layers, and they can be composed independently.