Block provider credentials from workspace dotenv [AI]

[mmaps]

Summary

• Problem: Workspace .env filtering did not cover registered provider credential env vars, so cwd files could provide those values before the trusted global fallback.
• Why it matters: Provider credential selection should come from shell or trusted global runtime config, not project-local cwd files.
• What changed: Added registered provider credential env var names to the workspace dotenv blocklist and added regression coverage against the provider env-var registry.
• What did NOT change (scope boundary): Trusted global .env and shell environment values still work; user-defined non-control workspace vars remain allowed.

AI-assisted: yes.

Change Type (select all)

• Bug fix
• Feature
• Refactor required for the fix
• Docs
• Security hardening
• Chore/infra

Scope (select all touched areas)

• Gateway / orchestration
• Skills / tool execution
• Auth / tokens
• Memory / storage
• Integrations
• API / contracts
• UI / DX
• CI/CD / infra

Linked Issue/PR

• N/A
• This PR addresses a bug or regression

Real behavior proof (required for external PRs)

• Behavior or issue addressed: Registered provider credential env vars from cwd .env are ignored, and trusted global .env values are retained.
• Real environment tested: Local OpenClaw source checkout using temp cwd and state-dir fixtures, installed as a local node package. Also used openclaw@2026.5.12 as the public version with the issue to be fixed.
• Exact steps or command run after this patch: node scripts/run-vitest.mjs src/infra/dotenv.test.ts and from the regular home and evil/ subdirectory run:

HOME=/tmp/dotenv-lab/op-home node --input-type=module -e '
import { t as loadDotEnv } from "/tmp/dotenv-lab/dist/dotenv-CM15HNAf.js";
loadDotEnv({ quiet: true });
for (const k of ["GEMINI_API_KEY","XAI_API_KEY","MISTRAL_API_KEY","ANTHROPIC_API_KEY","OPENAI_API_KEY"])
  console.log(k + "=" + (process.env[k] || "<unset>"));
'

• What was not tested: A complete local installation and execution of OpenClaw, instead the code changed was tested with a simulated attacker controlled .env file in a subfolder, "evil".
• Before evidence (optional but encouraged): Real proof by reproducing the security issue on ubuntu latest with openclaw@2026.5.12 per researcher findings and proof-of-concept. Behavior before patch with openclaw@2026.5.12:

root@dd9bd6c64dce:/openclaw# cd /tmp/dotenv-lab/
root@dd9bd6c64dce:/tmp/dotenv-lab# HOME=/tmp/dotenv-lab/op-home node --input-type=module -e '
import { t as loadDotEnv } from "/tmp/dotenv-lab/node_modules/openclaw/dist/dotenv-DpVSuK0u.js";
loadDotEnv({ quiet: true });
for (const k of ["GEMINI_API_KEY","XAI_API_KEY","MISTRAL_API_KEY","ANTHROPIC_API_KEY","OPENAI_API_KEY"])
  console.log(k + "=" + (process.env[k] || "<unset>"));
'
GEMINI_API_KEY=op_legit_gemini_DO_NOT_LEAK
XAI_API_KEY=op_legit_xai_DO_NOT_LEAK
MISTRAL_API_KEY=op_legit_mistral_DO_NOT_LEAK
ANTHROPIC_API_KEY=op_legit_anthropic_DO_NOT_LEAK
OPENAI_API_KEY=op_legit_openai_DO_NOT_LEAK
root@dd9bd6c64dce:/tmp/dotenv-lab# cd /tmp/dotenv-lab/evil/
root@dd9bd6c64dce:/tmp/dotenv-lab/evil# HOME=/tmp/dotenv-lab/op-home node --input-type=module -e '
import { t as loadDotEnv } from "/tmp/dotenv-lab/node_modules/openclaw/dist/dotenv-DpVSuK0u.js";
loadDotEnv({ quiet: true });
for (const k of ["GEMINI_API_KEY","XAI_API_KEY","MISTRAL_API_KEY","ANTHROPIC_API_KEY","OPENAI_API_KEY"])
  console.log(k + "=" + (process.env[k] || "<unset>"));
'
GEMINI_API_KEY=attacker_gemini_VICTIM_PROMPTS_GO_HERE
XAI_API_KEY=attacker_xai_VICTIM_PROMPTS_GO_HERE
MISTRAL_API_KEY=attacker_mistral_VICTIM_PROMPTS_GO_HERE
ANTHROPIC_API_KEY=op_legit_anthropic_DO_NOT_LEAK
OPENAI_API_KEY=op_legit_openai_DO_NOT_LEAK
root@dd9bd6c64dce:/tmp/dotenv-lab/evil# cat .env
GEMINI_API_KEY=attacker_gemini_VICTIM_PROMPTS_GO_HERE
XAI_API_KEY=attacker_xai_VICTIM_PROMPTS_GO_HERE
MISTRAL_API_KEY=attacker_mistral_VICTIM_PROMPTS_GO_HERE
ANTHROPIC_API_KEY=attacker_anthropic_BLOCKED_BY_POLICY
OPENAI_API_KEY=attacker_openai_BLOCKED_BY_POLICY

• Observed result after fix: Provider auth env vars in the regression fixture came from the trusted global .env, not the workspace .env, and all key values are the correct *_DO_NOT_LEAK.
• Evidence after fix (console output): Test Files 1 passed (1); Tests 31 passed (31) and console output below. Behavior after this PR, all key values are the correct *_DO_NOT_LEAK:

Node.js v24.15.0
root@21c249a0364f:/tmp/dotenv-lab# HOME=/tmp/dotenv-lab/op-home node --input-type=module -e '
import { t as loadDotEnv } from "/tmp/dotenv-lab/dist/dotenv-CM15HNAf.js";
loadDotEnv({ quiet: true });
for (const k of ["GEMINI_API_KEY","XAI_API_KEY","MISTRAL_API_KEY","ANTHROPIC_API_KEY","OPENAI_API_KEY"])
  console.log(k + "=" + (process.env[k] || "<unset>"));
'
GEMINI_API_KEY=op_legit_gemini_DO_NOT_LEAK
XAI_API_KEY=op_legit_xai_DO_NOT_LEAK
MISTRAL_API_KEY=op_legit_mistral_DO_NOT_LEAK
ANTHROPIC_API_KEY=op_legit_anthropic_DO_NOT_LEAK
OPENAI_API_KEY=op_legit_openai_DO_NOT_LEAK
root@21c249a0364f:/tmp/dotenv-lab# cd evil/
root@21c249a0364f:/tmp/dotenv-lab/evil# cat .env
GEMINI_API_KEY=attacker_gemini_VICTIM_PROMPTS_GO_HERE
XAI_API_KEY=attacker_xai_VICTIM_PROMPTS_GO_HERE
MISTRAL_API_KEY=attacker_mistral_VICTIM_PROMPTS_GO_HERE
ANTHROPIC_API_KEY=attacker_anthropic_BLOCKED_BY_POLICY
OPENAI_API_KEY=attacker_openai_BLOCKED_BY_POLICY
root@21c249a0364f:/tmp/dotenv-lab/evil# HOME=/tmp/dotenv-lab/op-home node --input-type=module -e '
import { t as loadDotEnv } from "/tmp/dotenv-lab/dist/dotenv-CM15HNAf.js";
loadDotEnv({ quiet: true });
for (const k of ["GEMINI_API_KEY","XAI_API_KEY","MISTRAL_API_KEY","ANTHROPIC_API_KEY","OPENAI_API_KEY"])
  console.log(k + "=" + (process.env[k] || "<unset>"));
'
GEMINI_API_KEY=op_legit_gemini_DO_NOT_LEAK
XAI_API_KEY=op_legit_xai_DO_NOT_LEAK
MISTRAL_API_KEY=op_legit_mistral_DO_NOT_LEAK
ANTHROPIC_API_KEY=op_legit_anthropic_DO_NOT_LEAK
OPENAI_API_KEY=op_legit_openai_DO_NOT_LEAK
root@21c249a0364f:/tmp/dotenv-lab/evil#

Root Cause (if applicable)

• Root cause: Workspace dotenv filtering used an explicit blocklist that covered only part of the provider credential surface.
• Missing detection / guardrail: No regression test compared workspace dotenv handling against the registered provider auth env-var names.
• Contributing context (if known): Provider credential env vars are declared across provider/plugin metadata while dotenv filtering is maintained separately.

Regression Test Plan (if applicable)

• Coverage level that should have caught this:
  • Unit test
  • Seam / integration test
  • End-to-end test
  • Existing coverage already sufficient
• Target test or file: src/infra/dotenv.test.ts
• Scenario the test should lock in: Every registered provider auth env var remains sourced from trusted global .env when workspace .env contains the same key.
• Why this is the smallest reliable guardrail: It exercises the actual dotenv loader and uses the provider env-var registry without live provider calls.
• Existing test that already covers this (if any): Existing dotenv tests covered selected credential and runtime-control keys, but not the registered provider auth set.
• If no new test is added, why not: N/A

User-visible / Behavior Changes

Workspace .env no longer supplies registered provider credential env vars. Use shell env or trusted global OpenClaw runtime .env for provider credentials.

Diagram (if applicable)

N/A

Security Impact (required)

• New permissions/capabilities? (Yes/No) No
• Secrets/tokens handling changed? (Yes/No) Yes
• New/changed network calls? (Yes/No) No
• Command/tool execution surface changed? (Yes/No) No
• Data access scope changed? (Yes/No) No
• If any Yes, explain risk + mitigation: Workspace dotenv can no longer provide registered provider credential names; shell and trusted global runtime dotenv remain supported.

Repro + Verification

Environment

• OS: Linux
• Runtime/container: Node via repo Vitest wrapper
• Model/provider: N/A
• Integration/channel (if any): N/A
• Relevant config (redacted): Temporary cwd and state-dir dotenv fixtures

Steps

1. Create a workspace .env and trusted global .env containing the same registered provider credential keys.
2. Run the dotenv loader through the focused test file.
3. Assert each credential key resolves to the trusted global value.

Expected

• Registered provider credential keys from workspace .env are ignored.
• Trusted global .env values are loaded.

Actual

• Focused regression passed with all dotenv tests green.

Evidence

Attach at least one:

• Failing test/log before + passing after
• Trace/log snippets
• Screenshot/recording
• Perf numbers (if relevant)

node scripts/run-vitest.mjs src/infra/dotenv.test.ts -> Test Files 1 passed (1); Tests 31 passed (31)

Human Verification (required)

What you personally verified (not just CI), and how:

• Verified scenarios: Focused dotenv test file with provider-auth registry regression.
• Edge cases checked: Trusted global dotenv remains accepted; workspace credential values do not win for registered provider auth keys.
• What you did not verify: Full package install flow, broad changed checks, live provider traffic.

Review Conversations

• I replied to or resolved every bot review conversation I addressed in this PR.
• I left unresolved only the conversations that still need reviewer or maintainer judgment.

Compatibility / Migration

• Backward compatible? (Yes/No) Yes, with narrowed workspace dotenv credential sourcing.
• Config/env changes? (Yes/No) Yes
• Migration needed? (Yes/No) No
• If yes, exact upgrade steps: Operators who intentionally kept provider credentials only in workspace .env should move them to shell env or trusted global OpenClaw runtime .env.

Risks and Mitigations

• Risk: Some workflows may have relied on cwd .env for provider credentials.
  • Mitigation: Shell env and trusted global runtime .env remain supported credential sources.

[clawsweeper]

Codex review: needs maintainer review before merge. Reviewed May 27, 2026, 6:53 PM ET / 22:53 UTC.

Summary
The PR expands workspace dotenv filtering to block registered provider credential env vars, adds dotenv/docs regression tests, and updates environment/security docs for trusted credential sources.

PR surface: Source +107, Tests +176, Docs +20. Total +303 across 6 files.

Reproducibility: yes. A high-confidence reproduction path is to create cwd and global .env files with the same registered provider keys; current main loads cwd first and only blocks selected credential names, and the PR body supplies before/after terminal output for that path.

Review metrics: 1 noteworthy metric.

• Credential-source policy surface: 1 changed dotenv source boundary. Provider credential env vars are newly blocked from workspace .env, which can affect existing upgrade behavior even when CI is green.

Merge readiness
Overall: 🐚 platinum hermit
Proof: 🦞 diamond lobster
Patch quality: 🐚 platinum hermit
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• Run node scripts/run-vitest.mjs src/infra/dotenv.test.ts src/docs/environment-docs.test.ts on the final head.
• Run a changed check in Testbox before merge because the change touches startup/config/provider metadata behavior.

Risk before merge

• Existing users who intentionally keep provider credentials only in workspace .env will lose provider auth after upgrade until they move keys to process env, global runtime dotenv, config env, or login-shell import.
• Workspace dotenv parsing now consults provider metadata for dynamic auth names, so final validation should cover startup/config/provider metadata paths before merge.
• The change is a deliberate auth-source policy boundary; maintainers should explicitly accept that workspace provider credentials are no longer supported.

Maintainer options:

1. Accept the credential boundary (recommended)
   Maintainers can accept that workspace .env is no longer a provider credential source and land after focused dotenv/docs tests plus changed checks pass.
2. Preserve project-local keys
   If project-local provider credentials must remain supported, revise toward a warning-on-shadowing path or an explicit strict mode instead of unconditional blocking.
3. Pause for auth-source policy
   If the permanent provider credential policy is still unsettled, pause this PR until the source boundary is decided.

Next step before merge
Human maintainer review should own the compatibility/auth-source policy acceptance and final changed-check validation; there is no narrow automated repair left.

Security
Cleared: The diff narrows credential sourcing and adds regression/docs coverage without adding dependencies, downloads, lifecycle hooks, CI permission changes, or new code-execution surface.

Review details

Best possible solution:

Land the fail-closed workspace provider-credential boundary after maintainer acceptance and final checks, or revise to warning/opt-in strict mode if project-local provider keys remain supported.

Do we have a high-confidence way to reproduce the issue?

Yes. A high-confidence reproduction path is to create cwd and global .env files with the same registered provider keys; current main loads cwd first and only blocks selected credential names, and the PR body supplies before/after terminal output for that path.

Is this the best way to solve the issue?

Yes, if maintainers accept the auth-source policy. The implementation reuses the provider env-var registry and documents trusted sources; the safer alternative is warning or opt-in strict mode if workspace provider keys remain supported.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 6ac3561c6983.

Label changes

Label changes:

• add proof: sufficient: Contributor real behavior proof is sufficient. Sufficient terminal proof: the PR body includes before/after output showing workspace provider credential values ignored after the patch while trusted global dotenv values are retained.

Label justifications:

• P2: This is a focused security hardening and provider-auth behavior change with limited but real compatibility impact.
• merge-risk: 🚨 compatibility: Existing setups that use workspace .env as the only provider credential source can stop authenticating after merge.
• merge-risk: 🚨 auth-provider: The PR changes where provider credentials may be sourced during startup and can affect provider auth resolution.
• rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🦞 diamond lobster and patch quality is 🐚 platinum hermit.
• status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (terminal): Sufficient terminal proof: the PR body includes before/after output showing workspace provider credential values ignored after the patch while trusted global dotenv values are retained.
• proof: sufficient: Contributor real behavior proof is sufficient. Sufficient terminal proof: the PR body includes before/after output showing workspace provider credential values ignored after the patch while trusted global dotenv values are retained.

Evidence reviewed

PR surface:

Source +107, Tests +176, Docs +20. Total +303 across 6 files.

View PR surface stats

Area	Files	Added	Removed	Net
Source	1	113	6	+107
Tests	2	176	0	+176
Docs	3	24	4	+20
Config	0	0	0	0
Generated	0	0	0	0
Other	0	0	0	0
Total	6	313	10	+303

Acceptance criteria:

• node scripts/run-vitest.mjs src/infra/dotenv.test.ts src/docs/environment-docs.test.ts
• node scripts/crabbox-wrapper.mjs run --provider blacksmith-testbox --shell -- "pnpm check:changed"

What I checked:

• Repository policy read: Full root AGENTS.md was read; its auth/provider/config compatibility guidance affects the merge-risk assessment for this PR. (AGENTS.md:1, 6ac3561c6983)
• Scoped docs policy read: docs/AGENTS.md was read because the PR changes docs/help and docs/gateway pages; the changed docs use root-relative links and generic wording consistent with that guide. Public docs: docs/AGENTS.md. (docs/AGENTS.md:1, 6ac3561c6983)
• Current main dotenv behavior: Current main blocks selected credential/runtime keys from workspace .env, but loadDotEnv still loads cwd .env before the trusted global runtime .env, so unblocked provider keys can currently win precedence. (src/infra/dotenv.ts:16, 6ac3561c6983)
• Provider env-var registry contract: Provider auth env-var names are already centralized through listKnownProviderAuthEnvVarNames, which combines provider auth candidates and provider setup env vars. (src/secrets/provider-env-vars.ts:394, 6ac3561c6983)
• PR implementation: The PR head adds a static provider auth workspace blocklist, augments it from the registered provider env-var registry while excluding untrusted workspace plugin metadata, and applies it during workspace dotenv parsing. (src/infra/dotenv.ts:208, 2459912e604e)
• Regression coverage: The PR adds tests proving registered provider auth keys and manifest-backed plugin provider auth keys are ignored from workspace .env while trusted global dotenv values are retained. (src/infra/dotenv.test.ts:807, 2459912e604e)

Likely related people:

• drobison00: Commit 6a79324 introduced untrusted cwd dotenv filtering before OpenClaw startup, which is the central surface this PR extends. (role: introduced behavior; confidence: high; commits: 6a793248024d; files: src/infra/dotenv.ts, src/infra/dotenv.test.ts)
• Jacob Tomlinson: Commit 7a5c5f3 added auth env var blocking from workspace dotenv, directly adjacent to this PR's provider credential blocklist expansion. (role: adjacent feature contributor; confidence: high; commits: 7a5c5f33d05c; files: src/infra/dotenv.ts)
• Agustin Rivera: Recent commits dbfcef3 and dafcaf9 hardened workspace runtime/browser override loading, and the same person authored the PR branch docs clarification commit 4ecbf71. (role: recent area contributor and policy reviewer; confidence: medium; commits: dbfcef319618, dafcaf9d69d2, 4ecbf71a988b; files: src/infra/dotenv.ts, docs/help/environment.md, docs/gateway/security/index.md)
• Peter Steinberger: Current-main blame and recent history show Peter carrying the latest checked-out dotenv file state and release-adjacent changes, making him a useful routing candidate for final compatibility review. (role: recent area contributor; confidence: medium; commits: 94749b0a45ce, 10ad3aa16068; files: src/infra/dotenv.ts)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[mmaps]

@clawsweeper re-review

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/26049660974
• Updated: 2026-05-18T17:41:52.215Z

[clawsweeper]

ClawSweeper PR egg

✨ Hatched: 🥚 common Velvet Clawlet

Hatch command

Comment @clawsweeper hatch when this PR is hatchable.

Hatchability rules:

• Merged PRs are hatchable.
• Open PRs are hatchable when they are status: 👀 ready for maintainer look, status: 🚀 automerge armed, or labeled clawsweeper:automerge.
• Closed unmerged PRs are hatchable only when one of those hatchable labels is still present in the durable record.

Rarity: 🥚 common.
Trait: stacks clean commits.
Image traits: location diff observatory; accessory review stamp; palette amber, ink, and glacier blue; mood focused; pose sitting proudly on a smooth stone; shell polished stone shell; lighting cool dashboard glow; background small green status lights.
Share on X: post this hatch
Copy: My PR egg hatched a 🥚 common Velvet Clawlet in ClawSweeper.

What is this egg doing here?

• Eggs appear after the PR passes real-behavior proof. It is here for vibes, not verdicts: it does not change labels, ratings, merge decisions, or automation.
• The shell reacts to review momentum: open follow-up work warms it up, re-review makes it wobble, and a clean final review lets it hatch.
• Hatchability usually comes from sufficient real-behavior proof, no blocking P0/P1/P2 findings, no security attention needed, and clean correctness. A merged PR is already final, so merge makes the egg hatchable independently.
• The hatch is seeded from this repository and PR number, so the same PR keeps the same creature; the reviewed head SHA can only change safe visual details.
• Rarity is just collectible sparkle: 🥚 common, 🌱 uncommon, 💎 rare, ✨ glimmer, and 🌈 legendary.

[eleqtrizit]

I don't think we should do this PR. The user risk is non-existent.

What It Does

PR #83655 blocks known provider credential env vars from workspace .env files: GEMINI_API_KEY, XAI_API_KEY, MISTRAL_API_KEY, OPENROUTER_API_KEY, plugin-declared provider auth vars, etc.

It does not block .env generally. It only says provider credentials cannot come from the current project/workspace .env; they must come from process env, ~/.openclaw/.env, config env,
SecretRefs, or shell import.

Claimed Risk

OpenClaw currently loads cwd .env before global ~/.openclaw/.env, and dotenv loading is non-overriding. So if a workspace has:

GEMINI_API_KEY=workspace-supplied-key

that value can win over the operator’s global fallback key.

The PR frames that as credential substitution: model traffic could go through the workspace-supplied provider account.

Who Is Actually At Risk

Mostly the owner of the key in the repo/workspace. If they committed or distributed a real provider key, they exposed their own credential and billing. OpenClaw blocking it does not fix
the fact that the key is sitting in the repo.

The OpenClaw user risk is weaker: if they run an untrusted workspace and send sensitive prompts through a workspace-provided provider key, the provider account owner might see logs/usage
depending on the provider. That is real in theory, but it is not the same as stealing the user’s own credentials.

Recommendation

I would not merge this as-is.

It breaks a normal developer workflow: project-local .env containing project-scoped API keys. That pattern is common, useful, and currently consistent with OpenClaw’s env precedence
docs. Blocking provider keys from workspace .env changes product policy from “workspace .env is valid project config except dangerous runtime controls” to “provider credentials are never
valid project config.” That is too broad for the actual risk.

Better options:

• Close as not planned, with rationale.
• Or add docs/warnings about .env precedence and not running untrusted workspace credentials with sensitive data.
• Or warn only when a workspace provider key shadows a global/trusted provider key.

[eleqtrizit]

After reconsideration, I think this is ok, since it is happening before a known boundary we expect to be there.