Subagents miss Ollama credentials and silently fall back to cloud models (privacy regression)

[Meli73]

Summary

When using Ollama providers (e.g. ollama-remote for a remote Ollama instance), the configured apiKey value (typically "ollama-local") is classified as a marker (non-secret placeholder) by the auth pipeline. As a result, it is not written to the agent-level auth-profiles.json.

The main session works correctly because it reads apiKey directly from openclaw.json. However, subagents rely exclusively on auth-profiles.json for credential lookup — and find no entry for the Ollama provider. This causes a 401 auth error, triggering a silent fallback to the next model in the fallback chain (typically a cloud model like openai/gpt-4.1-mini).

The user receives a valid response and has no indication that their prompt was routed to a cloud provider instead of the intended local model.

Security & Privacy Impact

This is a privacy regression with real-world consequences:

• Users choose local Ollama models specifically for data sovereignty — sensitive prompts, proprietary code, medical data, or personal information should never leave the local network.
• The silent fallback bypasses user intent and privacy guarantees without any warning, notification, or log entry visible to the end user.
• Subagent tasks may contain context from the main session (file contents, user data, conversation history) that the user explicitly intended to keep local.
• The fallback is invisible in normal usage — only deep gateway log analysis (model-fallback/decision entries in /tmp/openclaw/openclaw-*.log) reveals what happened.
• Risk of targeted exploitation: A malicious actor with knowledge of this behavior could craft scenarios that trigger auth failures on local providers, forcing sensitive data to route through cloud APIs.

This means: a user who believes their data stays local may unknowingly send it to OpenAI, Google, or other cloud providers.

Steps to Reproduce

1. Configure an Ollama remote provider in openclaw.json:

{
  "models": {
    "providers": {
      "ollama-remote": {
        "baseUrl": "http://192.168.178.122:11434",
        "apiKey": "ollama-local",
        "api": "ollama",
        "models": [{ "id": "qwen3.5:27b", "name": "Qwen 3.5 27B" }]
      }
    }
  },
  "agents": {
    "defaults": {
      "models": { "ollama-remote/qwen3.5:27b": {} },
      "model": { "fallbacks": ["openai/gpt-4.1-mini"] }
    }
  }
}

2. Restart the gateway
3. Check auth-profiles.json:

   cat ~/.openclaw/agents/main/agent/auth-profiles.json | jq '.profiles | keys'
   # → ["anthropic:default", "xai:default"] — no ollama-remote entry

4. Run openclaw models status:

   ollama-remote effective=missing:missing | models.json=marker(ollama-local)
   

5. Spawn a subagent targeting the Ollama model
6. Observed: Subagent completes in ~3-4 seconds, claims to be "GPT-4.1-mini"
7. Expected: Subagent uses the local Ollama model (slower, ~30s+), or fails with a clear error if the local model is unavailable

Root Cause Analysis

Affected components: Gateway auth pipeline (auth-profiles writer/sync), subagent credential resolver, model fallback engine.

The auth pipeline has a marker detection mechanism that classifies certain API key values (like "ollama-local", "OPENAI_API_KEY", etc.) as non-secret placeholders. These markers are intentionally excluded from auth-profiles.json to prevent example/dummy keys from polluting the secret store.

However, for Ollama providers, the "marker" value IS the intended credential — Ollama doesn't require real authentication. The marker filter doesn't distinguish between "placeholder that should be replaced" and "intentionally simple key for an auth-free service."

The credential resolution chain for subagents:

1. Read from openclaw.json directly (not available to subagents)
2. Look up in auth-profiles.json → empty for Ollama → 401
3. Check environment variables → not propagated to subagent lanes
4. Fallback to next model (cloud) → silent success

Additionally, the gateway regenerates auth-profiles.json on every restart, overwriting any manual fixes.

Log Evidence

[ERROR] FailoverError: No API key found for provider "ollama-remote".
  Auth store: ~/.openclaw/agents/main/agent/auth-profiles.json
  
[WARN] model_fallback_decision: candidate_failed
  requestedProvider: ollama-remote
  requestedModel: qwen3.5:27b  
  reason: auth, status: 401
  nextCandidate: openai/gpt-4.1-mini

[WARN] model_fallback_decision: candidate_succeeded
  candidateProvider: openai
  candidateModel: gpt-4.1-mini
  previousAttempts: [{provider: ollama-remote, reason: auth, status: 401}]

Note: These entries are only visible in the gateway file log (/tmp/openclaw/openclaw-*.log), not in any user-facing UI or dashboard. Users have no way to detect this behavior without manually inspecting logs.

Proposed Fixes (ordered by priority)

Fix 1: Propagate all provider apiKeys to auth-profiles.json (minimal, quick win)

Write all models.providers.*.apiKey values to auth-profiles.json, regardless of marker classification. The auth store should reflect the config, not second-guess it. If a user configured a key, it should be available to all sessions including subagents.

Affected: Gateway auth-profiles writer/sync logic.

Fix 2: Skip auth lookup for auth-free providers (architectural)

Introduce an auth: "none" provider capability. When api: "ollama" is set (or explicitly configured), the auth pipeline should be bypassed entirely — no auth-profiles lookup needed. Ollama doesn't use authentication; the current system forces users to provide a dummy key just to satisfy the pipeline.

This would also benefit other local/auth-free providers like LM Studio, vLLM, llama.cpp server, and similar local inference backends.

Affected: Provider auth resolver, auth pipeline.

Fix 3: Add a fail-closed policy flag for local-only routing (privacy)

Add a per-agent or per-provider policy flag like allowCloudFallback: false or requireLocal: true. When set, the fallback mechanism must never cross the local→cloud boundary silently. If the local model fails, the task should fail with a clear error rather than leak data to a cloud provider.

Consider how this interacts with existing fallback chains — the flag should override automatic fallback behavior when privacy is at stake.

Affected: Model fallback engine, agent config schema.

Fix 4: Surface fallback decisions to the user (transparency)

When a model fallback crosses a provider boundary (especially local→cloud), emit a user-visible warning — not just a log entry buried in /tmp. The user should always know when their intended model was substituted. This could be a notification in the chat, a dashboard alert, or at minimum a clearly visible log line.

Affected: Model fallback engine, notification/messaging system.

Fix 5: Add CI/integration tests for auth-profiles behavior (prevention)

Establish automated tests that verify auth-profiles.json is correctly populated for all provider types — especially local providers with marker-style keys. This prevents regressions in the auth subsystem when future changes are made.

Affected: Test suite, CI pipeline.

Workaround

1. Manually add Ollama entries to auth-profiles.json:

{
  "ollama-remote:default": {
    "type": "api_key",
    "provider": "ollama-remote",
    "key": "sk-ollama-dummy"
  }
}

2. ⚠️ Protect the file from being overwritten on restart:

chmod 444 ~/.openclaw/agents/main/agent/auth-profiles.json

⚠️ Important caveats:

• The key value must NOT be "ollama-local" — it gets re-classified as a marker. Use any non-marker string like "sk-ollama-dummy".
• The chmod 444 prevents the gateway from updating auth-profiles.json for ANY provider — adding or rotating keys for other providers (Anthropic, OpenAI, etc.) will silently fail until the file is made writable again.
• After openclaw update, verify the file still contains the Ollama entries — updates may regenerate the file.
• This is a dirty hack, not a sustainable solution.

Related Issue

Ollama model cold-start causes timeout fallback (see #43946)

Even with auth fixed, Ollama models need ~13 seconds to load on first request. The default LLM request timeout appears too short for cold-start scenarios, causing a secondary timeout-based fallback (status 408). Pre-loading models via curl /api/generate with keep_alive works around this, but a configurable requestTimeout per provider or model would be the proper fix.

Environment

• OpenClaw 2026.3.11
• Ollama 0.17.7 (remote, Windows + local, Linux)
• Both ollama-local and ollama-remote providers affected
• Issue likely affects all Ollama provider configurations used in subagent context

[Meli73]

Technical Fix Proposal

After tracing the auth pipeline through the source code, here's the root cause analysis and two proposed fixes.

Root Cause

The function isNonSecretApiKeyMarker() in model-auth-markers.ts classifies "ollama-local" as a non-secret marker — the same category as OAuth tokens and AWS SDK markers:

function isNonSecretApiKeyMarker(value: string, opts?): boolean {
    if (trimmed === "minimax-oauth" || trimmed === "qwen-oauth" 
        || trimmed === "ollama-local"     // ← THE PROBLEM
        || trimmed === "secretref-managed" 
        || isAwsSdkAuthMarker(trimmed)) return true;
}

This propagates through the auth pipeline:

1. resolveUsableCustomProviderApiKey() → returns null for marker keys
2. toDiscoveryApiKey() → filters out marker keys, preventing auth-profiles.json entry
3. Provider normalization → adds provider to secretRefManagedProviders but never writes credential

Result: Subagent's resolveApiKeyForProvider() finds nothing → 401 → silent cloud fallback.

Fix Option A: Minimal (recommended)

Modify resolveApiKeyForProvider() to fall back to resolveSyntheticLocalProviderAuth() for Ollama providers when no credential is found. This function already exists (handles the built-in ollama provider) — it just needs to also cover custom-named Ollama providers like ollama-remote:

// In resolveApiKeyForProvider():
if (!resolved && providerConfig?.api === "ollama") {
    const syntheticKey = resolveSyntheticLocalProviderAuth({ provider, cfg });
    if (syntheticKey) {
        return { apiKey: syntheticKey.apiKey, source: syntheticKey.source };
    }
}

Scope: ~5 lines changed. Only affects api: "ollama" providers. Zero impact on cloud providers.

Fix Option B: Comprehensive

1. New helper isAuthFreeProviderMarker() — identifies auth-free local providers
2. Add skipAuthFreeProviders option to isNonSecretApiKeyMarker()
3. Modify toDiscoveryApiKey() to pass the new option → ollama markers get written to auth-profiles.json
4. In provider normalization, explicitly upsertAuthProfile() for auth-free providers

Scope: ~30 lines across 3 files. More future-proof for LM Studio, vLLM, llama.cpp.

Edge Cases to Consider

• LM Studio / vLLM / llama.cpp: Any local inference backend using api: "openai-completions" with a dummy key should also be covered. Fix B handles this generically; Fix A would need an additional check for providerConfig.baseUrl pointing to localhost/private IPs.
• Secret store sanitization: The marker should still be treated as non-secret for logging/display purposes — only the auth-profiles propagation needs to change.

Testing

# Manual verification after fix:
1. Configure ollama-remote with apiKey: "ollama-local"
2. openclaw gateway restart
3. cat auth-profiles.json | jq '.profiles | keys'  # should include ollama-remote:default
4. Spawn subagent with ollama model → should NOT fallback
5. openclaw models status → effective=ollama-local (not missing:missing)

Related

• Configurable LLM request timeout per provider/model (Ollama cold-start causes silent fallback) #43946 — Timeout issue (separate fix needed, compounds the silent fallback problem)
• resolveSyntheticLocalProviderAuth() at line ~3220 in dist — the existing function that already handles this correctly for the built-in provider

Happy to test either approach and provide more detailed diffs if helpful.

[maxramsay]

Adding a production data point to this thread: we hit the silent-fallback-to-cloud pattern described here in our agent fleet last week, though through a different entry path than the subagent credential lookup in the original report.

What happened:

One of our OpenClaw agents (declared model chain: ollama/gemma4:31b primary → three Ollama fallbacks) experienced a transient DNS failure resolving ollama.com during a regional WAN outage. The fallback chain fully exhausted against getaddrinfo ENOTFOUND ollama.com errors. The gateway then reached into models.providers and found an opencode provider configured there (legacy from an earlier design phase — not in any declared fallback chain). Request succeeded against that provider.

After that success, the session cached the working provider. Every subsequent heartbeat in the same session called the non-Ollama provider directly, bypassing the declared chain entirely, for 7 days. Detection was billing-anomaly-based, not log-based — the session JSONL records model-snapshot events on the drift but no visible gateway log, Discord surface, or dashboard flagged it.

Damage: 585 calls representing a material cost impact through the non-declared provider before we noticed. Content routed to a third-party cloud model path we explicitly did not intend.

Relationship to this issue:

@Meli73's root cause (marker detection excluding "ollama-local" from auth-profiles.json → subagent 401 → silent fallback) is one path to the silent-cloud-fallback outcome. The incident above is a different path (primary-chain network failure → silent fallback to undeclared provider via session-level caching). Same privacy regression, different proximate cause. Both still unfixed in the current main.

I'm working on a realigned #59954 that targets only the Cloud-auth-vs-local-auth distinction in resolveSyntheticAuth (a third, narrower angle — remote Ollama Cloud providers need real auth, not the synthetic local marker). The three fixes are complementary:

1. This issue (Subagents miss Ollama credentials and silently fall back to cloud models (privacy regression) #43945): subagent credential lookup finds Ollama auth even when the value is a marker.
2. My realigned PR: synthetic auth doesn't apply to remote Ollama base URLs.
3. New issue (Session-level provider caching bypasses declared model chain after any fallback success (silent provider drift) #69855): session-level provider caching bypasses the declared fallback chain after any fallback success, regardless of provider.

Fix #1 closes the subagent-specific path. Fix #2 closes the remote-Cloud path. Fix #3 closes the whole session-drift class.

Happy to coordinate on sequencing if any of these three want to merge first for dependency reasons. @Meli73's Fix A for resolveApiKeyForProvider() is still the right shape for this issue — has it been discussed with the maintainers who did the recent auth-pipeline refactor (markers into manifests, shouldDeferSyntheticProfileAuth hook)?

[steipete]

Fixed on main in 67650c4c0a (fix(ollama): resolve custom local provider auth).

What changed:

• Custom provider ids such as ollama-remote with api: "ollama" now resolve provider hooks through both the configured provider id and the underlying native API owner (ollama).
• The Ollama synthetic-auth hook now receives the concrete provider id, so the source is recorded as models.providers.<custom-id> (synthetic local key) instead of hard-coding models.providers.ollama.
• Subagent/custom-provider auth resolution now preserves the ollama-local marker for local/LAN Ollama providers instead of treating it as missing auth and moving into fallback behavior.

Validation:

• pnpm test src/plugins/provider-runtime.synthetic-auth-discovery.test.ts src/agents/model-auth.test.ts extensions/ollama/index.test.ts extensions/ollama/provider-discovery.test.ts
• pnpm check:changed
• OPENCLAW_LIVE_OLLAMA=1 OPENCLAW_LIVE_OLLAMA_WEB_SEARCH=0 OPENCLAW_LIVE_OLLAMA_EMBED_MODEL=embeddinggemma:latest pnpm test:live -- extensions/ollama/ollama.live.test.ts
• pnpm test src/plugins/provider-runtime.test.ts src/plugins/providers.test.ts src/plugins/provider-runtime.synthetic-auth-discovery.test.ts
• Live local subagent proof against Ollama 0.21.2: spawned a subagent with model: ollama-remote/llama3.2:latest and config ollama-remote: { api: "ollama", baseUrl: "http://127.0.0.1:11434", apiKey: "ollama-local" }. The child session persisted modelProvider: "ollama-remote", the transcript model snapshot recorded modelApi: "ollama", the assistant turn used api: "ollama" / provider: "ollama-remote", and the child yielded OLLAMA_SUBAGENT_OK. The gateway log had zero model_fallback_decision entries for that run.

That closes the subagent/custom-provider credential path reported here. The broader session-level fallback/cache drift class discussed in #69855 is separate and should stay tracked there.