[Feature]: Add config option to disable external CLI credential sync

[mmto-io]

Problem

When using environment variables for API keys (e.g., ${ANTHROPIC_API_KEY} in config),
clawdbot still auto-syncs credentials from Claude Code CLI to auth-profiles.json on
every startup.

For users implementing "zero secrets at rest" (all credentials in external secret
managers like 1Password, HashiCorp Vault, etc.), this creates an unwanted copy of
credentials on disk that cannot be disabled.

Current Behavior

syncExternalCliCredentials() runs unconditionally in store.js:158-163:

const synced = syncExternalCliCredentials(asStore);
if (synced) {
    saveJsonFile(authPath, asStore);
}

Requested Feature

Add a config option to disable external CLI sync:

{
  "auth": {
    "syncExternalCli": false
  }
}

When false:

• Skip syncExternalCliCredentials() entirely
• Do not read from ~/.claude/.credentials.json or Keychain
• Users who want this behavior can still use env vars or direct API keys

Use Case

Security-conscious deployments where:

• All secrets managed externally (1Password, Vault, etc.)
• Secrets injected as env vars at runtime
• No plaintext credentials should exist on disk
• Defense in depth: even if file perms are 0600, prefer no secrets at all

[mmto-io]

Workaround: Environment Variable Patch

While waiting for the auth.syncExternalCli config option, here's a working workaround using an environment variable check.

Patch

In dist/agents/auth-profiles/external-cli-sync.js, modify syncExternalCliCredentials():

export function syncExternalCliCredentials(store, options) {
    let mutated = false;
    const now = Date.now();
    // PATCH: Skip Claude CLI sync if env var is set
    const skipClaudeSync = process.env.CLAWDBOT_SKIP_CLAUDE_CLI_SYNC === "1";
    // Sync from Claude Code CLI
    const existingClaude = store.profiles[CLAUDE_CLI_PROFILE_ID];
    const shouldSyncClaude = \!skipClaudeSync && (\!existingClaude ||
        existingClaude.provider \!== "anthropic" ||
        existingClaude.type === "token" ||
        \!isExternalProfileFresh(existingClaude, now));
    // ... rest unchanged

Usage

Add to your startup script:

export CLAWDBOT_SKIP_CLAUDE_CLI_SYNC="1"

Use Case

Running Claude Code (personal) and Clawdbot (separate agent) on the same machine, each with their own Claude account. The sync was causing Clawdbot to hijack the Claude Code OAuth credentials instead of using its own API key from ${ANTHROPIC_API_KEY}.

This patch disables the sync, allowing each to maintain separate auth.

---

Would be happy to submit a PR if this approach (env var or config option) is acceptable.

[sgrimee]

In addition to credentials being stored, this also automatically activates the illegal use of the oauth token, which Anthropic is now actively chasing and banning. I did not find a way to switch to antoropic api completely because of this, the oauth provider anthropic/claude-cli keeps coming back, which encourages and almost enforces the wrong behaviour.

[sebslight]

OpenClaw Maintainer Triage // Issue Closure

Hi — this is a joint maintainer effort to keep the repo moving. We’re currently seeing ~30 new issues per hour, and we can’t review every future request without slowing down critical stabilization work. This issue is unlikely to be considered in the near term, so we’re closing it to keep the pipeline moving while we focus on stability.

We’re very sorry this is happening, but we won’t be able to look at the comments on this issue.

Want to make your request stand out? Submit a PR and report to #pr-thunderdome-dangerzone on Discord — READ THE TOPIC. Give us a clear briefing: what it fixes, who it helps, and why it’s worth shipping.

Thanks for understanding and for contributing.