[Feature]: security audit --fix: offer to extract hardcoded secrets to .env

[spanishflu-est1918]

Problem

When running clawdbot security audit, the command detects hardcoded secrets in config but --fix doesn't help migrate them. Users must manually:

1. Identify all secret fields
2. Create .env file
3. Update config to use ${ENV_VAR} syntax
4. Set proper permissions on .env

This is error-prone and tedious, especially for configs with many tokens (Discord bots, Telegram accounts, API keys).

Proposed Solution

Add a --fix-secrets flag (or include in --fix) that:

1. Scans config for known secret patterns:

   • *.token, *.botToken, *.apiKey, *.authToken
   • Provider-specific fields in models.providers.*.apiKey
   • Skill API keys in skills.entries.*.apiKey
   • Sandbox env vars containing secrets

2. Generates .env file with extracted values:

   # Generated by clawdbot security audit --fix-secrets
   DISCORD_HERMES_TOKEN=MTQ2NDcw...
   TELEGRAM_HERMES_TOKEN=8139723...
   ZAI_API_KEY=122c9b68...

3. Updates config to reference env vars:

   "token": "${DISCORD_HERMES_TOKEN}"

4. Sets proper permissions (chmod 600 .env)

5. Prints reminder to add .env to .gitignore

Example Output

$ clawdbot security audit --fix-secrets

Found 12 hardcoded secrets:
  - channels.discord.accounts.hermes.token
  - channels.telegram.accounts.default.botToken
  - models.providers.zai.apiKey
  ...

Created: ~/.clawdbot/.env (chmod 600)
Updated: ~/.clawdbot/clawdbot.json

⚠️  Add .env to your backup exclusions
⚠️  Restart gateway to apply changes

Related

• Feature: Keychain / secrets-manager support for sensitive credentials #2065 (Keychain support) - complementary; .env is a simpler first step

[sebslight]

OpenClaw Maintainer Triage // Issue Closure

Hi — this is a joint maintainer effort to keep the repo moving. We’re currently seeing ~30 new issues per hour, and we can’t review every future request without slowing down critical stabilization work. This issue is unlikely to be considered in the near term, so we’re closing it to keep the pipeline moving while we focus on stability.

We’re very sorry this is happening, but we won’t be able to look at the comments on this issue.

Want to make your request stand out? Submit a PR and report to #pr-thunderdome-dangerzone on Discord — READ THE TOPIC. Give us a clear briefing: what it fixes, who it helps, and why it’s worth shipping.

Thanks for understanding and for contributing.