Skip to content

[Security]: Resolved secrets written as plaintext to agents/*/agent/models.json #37512

Closed
Closed
[Security]: Resolved secrets written as plaintext to agents/*/agent/models.json#37512
@mantisai-bot

Description

@mantisai-bot
mantisai-bot
opened on Mar 6, 2026

Security Report

Environment

  • OpenClaw version: 2026.3.2
  • OS: macOS (arm64)

Description

The gateway resolves secret references (${ENV_VAR}, SecretRef with Vault/exec/file providers) at startup and writes the resolved plaintext values into agents/*/agent/models.json files on disk.

This means that regardless of the secrets management approach used (environment variables, .env files, Vault exec provider, file provider, etc.), all API keys end up stored as plaintext on disk in models.json under each agent directory.

Impact

Using Vault or any SecretRef provider becomes ineffective because:

  1. Secrets are resolved at startup and persisted to disk in plaintext
  2. Every agent gets its own copy of models.json with full API keys
  3. The security benefits of centralized secret management (audit trail, rotation, access control) are undermined
  4. File permissions on models.json are not restricted — observed 644 in some cases

Steps to Reproduce

  1. Configure API keys using any secret source (${ENV_VAR}, SecretRef with exec/file provider, etc.)
  2. Start the gateway
  3. Inspect $OPENCLAW_STATE_DIR/agents/*/agent/models.json
  4. Observe that all API keys are written in plaintext

Expected Behavior

  • models.json should NOT contain resolved secret values
  • Secrets should remain in-memory only after resolution
  • If models.json must be written, secret fields should be redacted or replaced with references

Actual Behavior

Every models.json file under each agent directory contains fully resolved plaintext API keys (provider keys, bot tokens, etc.).

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions