[Bug]: /config show chat command returns unredacted config containing plaintext secrets

[coygeek]

Severity Assessment

CVSS Assessment

Metric	v3.1	v4.0
Score	7.7 / 10.0	8.3 / 10.0
Severity	High	High
Vector	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
Calculator	CVSS v3.1 Calculator	CVSS v4.0 Calculator

Threat Model Alignment

Classification: security-specific

This is security-specific because /config show is documented as an operator inspection surface, not a plaintext secret export primitive, while surrounding config and logging guidance treats secrets as data that should be redacted on shared or operator-visible surfaces. OpenClaw also supports channel reply modes where owner-triggered chat responses remain visible in shared channels or groups, so owner-only invocation does not erase the confidentiality boundary. Returning raw config secrets in the chat reply therefore violates the documented secrecy model rather than exercising an intentionally trusted admin capability.

Impact

The /config show chat command returns the full parsed config object as a JSON-formatted chat message with no secret redaction applied, exposing plaintext passwords, API keys, and bot tokens stored in the config file to the channel message history.

Affected Component

File: src/auto-reply/reply/commands-config.ts:101-135

const snapshot = await readConfigFileSnapshot();
// ...
const parsedBase = structuredClone(snapshot.parsed as Record<string, unknown>);

if (configCommand.action === "show") {
  const pathRaw = configCommand.path?.trim();
  if (pathRaw) {
    // ...
    const value = getConfigValueAtPath(parsedBase, parsedPath.path);
    const rendered = JSON.stringify(value ?? null, null, 2);
    return {
      shouldContinue: false,
      reply: {
        text: `⚙️ Config ${pathRaw}:\n\`\`\`json\n${rendered}\n\`\`\``,
      },
    };
  }
  const json = JSON.stringify(parsedBase, null, 2);
  return {
    shouldContinue: false,
    reply: { text: `⚙️ Config (raw):\n\`\`\`json\n${json}\n\`\`\`` },
  };
}

Technical Reproduction

1. Deploy OpenClaw with a config file containing at least one sensitive field (e.g. gateway.token, irc.password, telegram.token, or any provider apiKey).
2. As the configured owner, send /config show on any enabled channel.
3. Observe: the bot replies with a full JSON dump of parsedBase — the raw parsed config — including any plaintext secret values. No values are masked or replaced with [REDACTED].

Alternatively, send /config show gateway.token to extract a specific secret field by path.

Demonstrated Impact

handleConfigCommand in commands-config.ts calls readConfigFileSnapshot() which returns the raw parsed config object at snapshot.parsed. It then calls structuredClone(snapshot.parsed) and immediately serializes this clone with JSON.stringify before returning it as the reply text. There is no call to redactConfigSnapshot() or redactConfigObject() anywhere in this path.

By contrast, the gateway's config.get HTTP endpoint (src/gateway/server-methods/config.ts:290) correctly calls redactConfigSnapshot(snapshot, schema.uiHints) before responding, which walks the schema and replaces all SecretInput / sensitive fields with the [REDACTED] sentinel.

Sensitive fields that can be exposed include: IRC password and nickserv password; gateway auth token and password; Slack signingSecret; Telegram token; Discord token; and all AI provider apiKey/token fields. These are marked as SecretInput or sensitive in the config schema (src/config/zod-schema.ts) but the chat command path never consults the schema hints.

Because the reply is delivered as a chat message, it is persisted in channel message history (Slack, Discord, iMessage, Telegram, etc.) and may be visible to any user with access to that channel history — including other channel members who are not the OpenClaw owner. The /config show <path> sub-command variant (lines 122–129) is equally affected, allowing targeted extraction of individual secrets by dot-path.

Existing controls do not prevent exploitation: the rejectNonOwnerCommand guard only checks that the sender is the configured owner, which is sufficient for issuing the command itself but does not constrain what data is returned in the reply. Log-level redaction in src/logging/redact.ts applies only to log output, not to chat reply text.

Environment

Affects all OpenClaw deployments where the config file contains at least one sensitive field and at least one messaging channel is enabled. Triggered by sending /config show from any owner session. No special runtime configuration required.

Remediation Advice

Apply redactConfigSnapshot() (from src/config/redact-snapshot.ts) to the parsed config clone before serializing it for the chat reply in handleConfigCommand, matching the pattern already used by the config.get gateway endpoint. Both the full-config path (line 131) and the per-path extraction path (line 122) must be covered.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Summary
Keep open. Current main still renders the raw parsed config for both full and path-scoped /config show replies, while the existing gateway config API uses schema-aware redaction; the open closing PR #65637 has not merged.

Reproducibility: yes. Mock readConfigFileSnapshot() with a parsed secret such as gateway.auth.token, invoke handleConfigCommand for /config show or /config show gateway.auth.token, and current main will stringify the raw value into the reply.

Next step
Not a repair-lane candidate because this is security-sensitive and already has open closing PR #65637; maintainers should review/land it or replace it with an equivalent approved fix.

Security
Needs attention: Current main still serializes raw config into chat replies, creating a concrete secret-disclosure path.

Review details

Best possible solution:

Ship a maintainer-approved patch that redacts the cloned parsed config before both full and path-scoped /config show rendering, with focused regression tests, then close after merge/release provenance is known.

Do we have a high-confidence way to reproduce the issue?

Yes. Mock readConfigFileSnapshot() with a parsed secret such as gateway.auth.token, invoke handleConfigCommand for /config show or /config show gateway.auth.token, and current main will stringify the raw value into the reply.

Is this the best way to solve the issue?

Yes. Reusing schema-aware config redaction before path lookup and full JSON rendering is the narrowest maintainable fix and matches the existing config.get behavior.

Security concerns:

• [high] Redact config before chat replies — src/auto-reply/reply/commands-config.ts:128
  Both full and path-scoped /config show replies use the raw parsed config object, so sensitive schema fields can be posted into channel history.
  Confidence: 0.95

What I checked:

• Current chat command serializes raw parsed config: handleConfigCommand clones snapshot.parsed into parsedBase and uses that object for /config show rendering without a redaction call. (src/auto-reply/reply/commands-config.ts:116, f523620abe7f)
• Path-scoped show reads raw values: The path branch calls getConfigValueAtPath(parsedBase, parsedPath.path) and stringifies the result, so a sensitive path can be extracted directly. (src/auto-reply/reply/commands-config.ts:128, f523620abe7f)
• Full show renders the same unredacted object: The full-config branch stringifies parsedBase as Config (raw) without using redactConfigObject or redactConfigSnapshot. (src/auto-reply/reply/commands-config.ts:137, f523620abe7f)
• Gateway config API already redacts: config.get reads the config snapshot, loads schema UI hints, and returns redactConfigSnapshot(snapshot, schema.uiHints). (src/gateway/server-methods/config.ts:274, f523620abe7f)
• Existing helper supports the intended fix: redactConfigObject exists for plain config objects, and redactConfigSnapshot is the established snapshot redaction path. (src/config/redact-snapshot.ts:409, f523620abe7f)
• Schema hints mark reported paths sensitive: Tests assert sensitive hints for gateway.auth.token, provider headers, proxy TLS certs, and skill API keys. (src/config/schema.hints.test.ts:167, f523620abe7f)

Likely related people:

• vincentkoc: Merged history shows work on /config owner gating and credential scrubbing in the relevant command/redaction area. (role: adjacent command-security and redaction maintainer; confidence: high; commits: 08aa57a3de37, f0202264d0de; files: src/auto-reply/reply/commands-config.ts, src/config/redact-snapshot.ts)
• Ayaan Zaidi: Current blame for the vulnerable /config show rendering block attributes the present lines to the recent command-file refactor commit. (role: recent maintainer of affected command file; confidence: medium; commits: 626a22decb9b; files: src/auto-reply/reply/commands-config.ts)
• steipete: Recent main history touches the gateway config method area and current main/release snapshots, making him a practical maintainer routing candidate. (role: recent gateway config maintainer and release/current-main owner; confidence: medium; commits: 9fff2b779159, f523620abe7f; files: src/gateway/server-methods/config.ts)

Remaining risk / open question:

• The secret-disclosure path remains present until a maintainer-approved fix lands; closing before fix: redact secrets in /config show replies #65637 merges would be premature.

Codex review notes: model gpt-5.5, reasoning high; reviewed against f523620abe7f.