Bug type
Behavior bug (incorrect output/state without crash)
Beta release blocker
No
Summary
The OpenClaw CLI identifies embedded tokens in the systemd service file as a security issue and recommends running `openclaw gateway install --force` or `openclaw doctor --repair`, creating an endless loop of ineffective repairs.
Steps to reproduce
- Configure OpenClaw with sensitive tokens (e.g., `OPENCLAW_GATEWAY_TOKEN`, `LLM_API_KEY`) defined in `~/.openclaw/openclaw.json` (even if referenced via placeholders like `${OPENCLAW_GATEWAY_TOKEN}`).
- Install the gateway service: `openclaw gateway install`.
- Run `openclaw doctor`.
- Observe the warning:
  - Gateway service embeds OPENCLAW_GATEWAY_TOKEN and should be reinstalled. (Run `openclaw gateway install --force` to remove embedded service token.)
- Accept the prompt to "Update gateway service config to the recommended defaults now?" (or run `openclaw doctor --repair`).
- Inspect the generated systemd service file: `cat ~/.config/systemd/user/[openclaw-gateway].service`.
Expected behavior
When openclaw doctor attempts to repair the "embedded token" issue, it should update the systemd service file to read secrets securely, such as by using EnvironmentFile=/path/to/.env, and should not write raw tokens into the Environment= directives of the unit file.
Actual behavior
The CLI correctly identifies the security risk but fails to resolve it during the repair process. The generated unit file explicitly sets the tokens in plain text:
[Service]
...
Environment=OPENCLAW_GATEWAY_TOKEN=<RAW_TOKEN>
Environment=LLM_API_KEY=<RAW_KEY>
...
Subsequent runs of openclaw doctor will continue to flag the same issue, creating an endless loop of ineffective repairs.
OpenClaw version
2026.4.12 (1c0672b)
Operating system
Linux (Debian-based, x64)
Install method
Systemd User Service (openclaw gateway install)
Model
google/gemini-3.1-pro-preview
Provider / routing chain
openclaw -> gemini
Additional provider/model setup details
No response
Logs, screenshots, and evidence
openclaw doctor output:
Gateway service embeds OPENCLAW_GATEWAY_TOKEN and should be reinstalled. (Run `openclaw gateway install --force` to remove embedded service token.)
Impact and severity
No response
Additional information
Workaround
Manually edit ~/.config/systemd/user/openclaw-gateway.service to remove the Environment= lines containing secrets and replace them with:
EnvironmentFile=/root/.openclaw/.env
Then run systemctl --user daemon-reload and systemctl --user restart openclaw-gateway. Note that running openclaw doctor --repair again will revert this manual fix and re-embed the tokens.
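The manual workaround above, scripted as an added example (not OpenClaw code and not from the report's author): it moves secret-looking `Environment=` entries out of a unit file into an owner-only env file and references that file with `EnvironmentFile=`. The function names and the rule that variable names ending in TOKEN, KEY, SECRET or PASSWORD are secrets are assumptions; only the unquoted one-assignment-per-line form shown in the report is handled.

```shell
#!/bin/sh
# Added example, not part of OpenClaw. Assumption: a variable whose name ends in
# TOKEN, KEY, SECRET or PASSWORD is a secret. Handles only the unquoted,
# one-assignment-per-line form: Environment=NAME=value
SECRET_RE='^Environment=[A-Za-z0-9_]*(TOKEN|KEY|SECRET|PASSWORD)='

# Print the names (never the values) of secrets embedded in unit file $1.
embedded_secret_names() {
    grep -E "$SECRET_RE" "$1" | sed -e 's/^Environment=//' -e 's/=.*$//'
}

# externalize_unit_secrets UNIT ENVFILE
# ENVFILE must be an absolute path, as systemd requires for EnvironmentFile=.
externalize_unit_secrets() {
    unit=$1
    envfile=$2
    # Nothing embedded: leave both files untouched (makes re-runs harmless).
    grep -Eq "$SECRET_RE" "$unit" || return 0

    old_umask=$(umask)
    umask 077                       # files created below are owner-only
    # Append NAME=value pairs to the env file and lock its mode down.
    grep -E "$SECRET_RE" "$unit" | sed 's/^Environment=//' >> "$envfile"
    chmod 600 "$envfile"

    # Rewrite the unit: the first secret line becomes EnvironmentFile=,
    # the remaining secret lines are dropped, everything else is kept.
    tmp=$(mktemp "$unit.XXXXXX")
    awk -v re="$SECRET_RE" -v ef="$envfile" '
        $0 ~ re { if (!done) { print "EnvironmentFile=" ef; done = 1 }; next }
        { print }
    ' "$unit" > "$tmp"
    mv "$tmp" "$unit"
    umask "$old_umask"
}

# Stand-alone use: sh script.sh UNIT ENVFILE
if [ "$#" -eq 2 ]; then
    externalize_unit_secrets "$1" "$2"
    embedded_secret_names "$1"      # prints nothing once the unit is clean
fi
```

After running it against the unit file, apply the change with `systemctl --user daemon-reload` and `systemctl --user restart openclaw-gateway`, as in the workaround.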