Secrets: expand SecretRef scope to channel credentials (botToken, webhookSecret)

[xrom2863]

Feature Request

The new External Secrets Management (#26155) is excellent — thanks @joshavant for landing this.

Currently, in-scope fields for SecretRef are limited to:

• models.providers.<provider>.apiKey
• skills.entries.<skillKey>.apiKey
• channels.googlechat.serviceAccount / serviceAccountRef
• auth-profiles.json entries

Request: Expand SecretRef support to channel credentials, specifically:

• channels.telegram.botToken
• channels.discord.botToken
• channels.slack.botToken / appToken
• channels.whatsapp.accessToken
• Other channel auth fields

Why

Channel bot tokens are arguably the most sensitive credentials in openclaw.json. A malicious process reading the config file gets full control of the bot. Being able to store these as SecretRefs (resolved at runtime via env, file, or exec provider) would close the biggest plaintext exposure.

Use Case

On macOS, a companion app stores bot tokens in Keychain and could provide an exec resolver to fetch them at runtime — keeping openclaw.json free of plaintext secrets entirely. On Linux, users could use pass, secret-tool, or Docker secrets. The exec provider makes this cross-platform without any OS-specific code in OpenClaw.

Scope

This is purely expanding the list of fields that accept SecretRef objects — the resolution infrastructure is already in place.

[lockhartheavyindustries]

Ran into this today on 2026.2.26 (macOS arm64). Tried using SecretRef for both channels.telegram.botToken and gateway.auth.password — neither worked. Gateway failed to come back up after restart, had to revert to plaintext values in openclaw.json to restore service.

Both fields are core to any OpenClaw setup so this affects basically everyone who wants to keep their config clean. Would be great to see both covered in the next iteration of the secrets scope.

[MatthewEngman]

+1 on this. Running a 10-agent fleet on macOS with Slack integration. The botToken and appToken sitting in plaintext in openclaw.json is our biggest remaining security gap after hardening exec-approvals and denyCommands.

We attempted to use { "$ref": "env:SLACK_BOT_TOKEN" } in channels.slack.botToken on v2026.3.1 and the config validator rejected it (expected string, received object). Had to revert.

Our mitigation for now is chmod 600 on the config file + exec-approvals allowlists that block agents from reading the config. But this doesn't protect against skill supply-chain attacks or compromised sessions.

Slack channel tokens are arguably the highest-blast-radius secrets in the config — they grant full bot impersonation. Would love to see this land.

[joshavant]

Hi, OpenClaw maintainer here!

#29580 landed yesterday with support for 58 additional credentials, including the requested botToken and appToken credentials.

See the updated coverage surface area (and currently unsupported credentials) here: https://docs.openclaw.ai/reference/secretref-credential-surface

If you have any problems or issues related to it, please open an issue!

[lockhartheavyindustries]

Thanks!!!