Security: exec tool returns raw stdout/stderr to agent without secret redaction

[nhaener]

Bug Report: exec tool returns raw stdout/stderr to agent without secret redaction

Summary

Foreground exec results in OpenClaw are assembled directly from aggregated command output and returned to the agent without an obvious secret-redaction pass. If a command prints secrets, those secrets can enter internal tool/agent context.

Severity

High, internal secret exposure risk

Impact

• Any exec command that prints .env contents, tokens, API keys, passwords, or other sensitive output can expose that data to the agent runtime.
• Chat surfaces may or may not separately suppress rendering, but the exec tool path itself appears unsafe.
• This appears to affect more than one agent/runtime, not a single isolated profile.

Confirmed behavior

In the exec implementation, foreground output is returned via logic equivalent to:

function buildExecForegroundResult(params) {
	const warningText = params.warningText?.trim() ? `${warningText}\n\n` : "";
	if (params.outcome.status === "failed") return failedTextResult(`${warningText}${params.outcome.reason}`, {
		status: "failed",
		exitCode: params.outcome.exitCode ?? null,
		durationMs: params.outcome.durationMs,
		aggregated: params.outcome.aggregated,
		timedOut: params.outcome.timedOut,
		cwd: params.cwd
	});
	return textResult(`${warningText}${params.outcome.aggregated || "(no output)"}`, {
		status: "completed",
		exitCode: params.outcome.exitCode,
		durationMs: params.outcome.durationMs,
		aggregated: params.outcome.aggregated,
		cwd: params.cwd
	});
}

And this is used directly after process completion:

run.promise.then((outcome) => {
	...
	resolve(buildExecForegroundResult({
		outcome,
		cwd: run.session.cwd,
		warningText: getWarningText()
	}));
})

This means params.outcome.aggregated is passed straight into the tool result text.

Related files traced

• Tool wrapper:
  • dist/pi-tools-*.js
• Exec implementation:
  • dist/bash-tools-*.js
• Upstream exec runtime:
  • dist/bash-tools.exec-runtime-*.js

What is not the issue

• ${SECRET} indirection in config is working as expected.
• EnvironmentFile=... rendering is not itself the leak.
• There is env sanitization for process env overrides, but that only controls what env is passed into the command, not what the command prints back out.

Evidence from code review

I found sanitization/redaction paths for:

• config snapshots
• logs
• chat history
• exec approval display text

I did not find a dedicated secret-redaction pass for generic exec stdout/stderr before tool result delivery.

Reproduction idea

Run a command that prints a secret-bearing env file, for example:

• cat /path/to/.env
• grep TOKEN /path/to/.env

Observed behavior:

• output is incorporated into the exec tool result returned to the agent

Expected behavior:

• either block obviously sensitive file reads, or
• redact secret-looking values before tool result delivery, or
• require explicit opt-in to reveal raw secret-bearing stdout

Recommended fix

Best fix points:

1. Primary: redact secrets before buildExecForegroundResult(...) emits params.outcome.aggregated
2. Also recommended: redact at the lower runtime layer when constructing outcome.aggregated

Suggested protections

• redact env-style assignments like:
  • KEY=value
  • especially keys matching TOKEN, SECRET, PASSWORD, API_KEY, AUTH, PAT
• redact known secret formats:
  • bot tokens
  • provider API keys
  • bearer tokens
  • hex secrets
• optionally hard-block raw reads of common secret files:
  • .env
  • generated env files
  • credential stores

Real-world consequence seen

A diagnostic env-file read produced raw secret-bearing stdout into internal tool context during live troubleshooting. User-facing chat may have stayed clean, but the internal exposure path is confirmed and should be treated as a security bug.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Summary
Keep open. Current main has useful downstream redaction for UI/tool-event and persisted transcript surfaces, but the exec, process, and node-host builders still create raw stdout/stderr-derived tool-result content/details before an exec-owned redaction boundary.

Reproducibility: yes. Source inspection gives a high-confidence static reproduction for the raw exec result object: secret-looking command output is copied into exec/process/node-host result content or details before a local redaction call.

Next step
This is a narrow valid security fix, but it changes the raw exec output contract and should get maintainer/secops policy approval before an autonomous repair PR.

Security
Needs attention: This security-sensitive issue remains actionable because current main still constructs raw stdout/stderr-derived exec tool results before an exec-owned redaction boundary.

Review details

Best possible solution:

Add or confirm a shared exec/tool-result redaction boundary before stdout/stderr-derived result content and structured details are handed to any agent runtime, while keeping transcript, UI, and log redaction as defense in depth.

Do we have a high-confidence way to reproduce the issue?

Yes. Source inspection gives a high-confidence static reproduction for the raw exec result object: secret-looking command output is copied into exec/process/node-host result content or details before a local redaction call.

Is this the best way to solve the issue?

Yes. Redacting stdout/stderr-derived output before tool-result delivery is the narrowest maintainable direction; blocking particular secret-file reads would be only a supplemental guard and would miss generic secret-bearing output.

Security concerns:

• [high] Redact stdout and stderr before exec tool results — src/agents/bash-tools.exec.ts:73
  Foreground exec returns raw failure reason and aggregate output in content/details, so command-printed secrets can enter the tool-result object before downstream event or transcript sanitizers run.
  Confidence: 0.9
• [medium] Cover background process output paths — src/agents/bash-tools.process.ts:377
  Process poll/log responses build returned text from drained or stored output buffers; a foreground-only repair would leave comparable background output paths uncovered.
  Confidence: 0.87
• [medium] Cover node-host exec formatting — src/agents/bash-tools.exec-host-node-phases.ts:62
  Node-host exec formats stdout, stderr, and error text into the returned result without applying the shared redaction helper first.
  Confidence: 0.86

Acceptance criteria:

• pnpm test src/agents/bash-tools.exec-runtime.test.ts src/agents/bash-tools.process.poll-timeout.test.ts src/agents/bash-tools.exec-host-node.test.ts src/agents/pi-embedded-subscribe.tools.test.ts src/agents/pi-embedded-subscribe.handlers.tools.test.ts src/agents/pi-embedded-runner.guard.test.ts
• pnpm exec oxfmt --check --threads=1 src/agents/bash-tools.exec.ts src/agents/bash-tools.exec-runtime.ts src/agents/bash-tools.process.ts src/agents/bash-tools.exec-host-node-phases.ts src/agents/session-tool-result-guard-wrapper.ts src/logging/redact.ts

What I checked:

• foreground exec raw result construction: buildExecForegroundResult still formats outcome.reason and outcome.aggregated directly into tool result content/details without a local redaction call. (src/agents/bash-tools.exec.ts:73, 73a95d3af4ef)
• runtime preserves raw aggregate: buildExecExitOutcome copies params.aggregated into completed and failed outcomes, and failed outcomes include the same aggregate in the reason text. (src/agents/bash-tools.exec-runtime.ts:492, 73a95d3af4ef)
• background process raw result construction: process poll/log paths return drained stdout/stderr or stored aggregate-derived text/details without applying a redaction helper in the process tool itself. (src/agents/bash-tools.process.ts:377, 73a95d3af4ef)
• node-host exec raw result construction: formatNodeRunToolResult renders raw stdout, stderr, and error text into content and details.aggregated. (src/agents/bash-tools.exec-host-node-phases.ts:62, 73a95d3af4ef)
• downstream redaction is later than exec construction: guardSessionManager redacts persisted transcript message text, and sanitizeToolResult redacts Control UI/tool-event payloads, but those are downstream of raw exec result object construction. (src/agents/session-tool-result-guard-wrapper.ts:20, 73a95d3af4ef)
• docs describe downstream safety boundaries: The logging docs document redaction for logs, persisted transcript text, Control UI tool payloads, sessions_history, diagnostics, provider observations, and exec approval display, but not a generic exec-result construction boundary. Public docs: docs/logging.md. (docs/logging.md:208, 73a95d3af4ef)

Likely related people:

• Vincent Koc: The shallow/grafted local blame routes current exec, process, node-host, session guard, and CODEOWNERS lines to the current main snapshot commit; deeper pre-snapshot authorship is unavailable locally. (role: recent maintainer in available local history; confidence: low; commits: 994bfc1cb934; files: src/agents/bash-tools.exec.ts, src/agents/bash-tools.process.ts, src/agents/bash-tools.exec-host-node-phases.ts)
• @openclaw/openclaw-secops: CODEOWNERS marks security-sensitive code, config, and docs for secops review, and this issue is explicitly about secret exposure through agent tool results. (role: security review owner; confidence: medium; files: .github/CODEOWNERS)
• stainlu: Provided related context shows merged PR security(logging): redact payment credential fields #75230 expanded default and structured tool-payload redaction in files adjacent to this issue, which is useful context for follow-up routing. (role: adjacent redaction contributor; confidence: medium; commits: 5f5f1fadbbd1; files: src/logging/redact.ts, src/agents/pi-embedded-subscribe.tools.ts)

Remaining risk / open question:

• The checkout's local git history is shallow/grafted, so authorship before the current snapshot could not be fully reconstructed from local commits.
• The exact in-memory pi-coding-agent handoff cannot be revalidated from dependency source in this read-only checkout because node_modules is absent.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 73a95d3af4ef.