openclaw-credential-vault addresses four credential leakage paths in AI agents

openclaw-credential-vault is a security tool that addresses credential exposure risks in OpenClaw AI agent setups. The tool implements three layers of defense against four identified credential leakage paths.
Four credential exposure paths
The source identifies these primary threats:
- Direct file/env access: Agents running commands like cat ~/.env or echo $GITHUB_TOKEN can expose credentials stored in environment variables or config files.
- Context window leakage: Tool output containing tokens or auth headers becomes permanently stored in conversation history.
- Prompt injection exfiltration: Malicious instructions can trick agents into forwarding credentials they can access.
- Supply chain attacks: Malicious ClawHub skills can execute arbitrary code with the agent's permissions.
The key insight: the first three paths depend on credentials being visible to the agent process. Removing that visibility eliminates 75% of the attack surface.
How openclaw-credential-vault works
The tool provides three defense layers:
OS-level isolation
A dedicated system user owns encrypted vault files, with filesystem permissions enforced by the kernel. The agent process cannot access these files at the filesystem level.
Subprocess-scoped injection
Credentials are decrypted by a sandboxed resolver binary and injected only into specific subprocess environments. For example, a GITHUB_TOKEN only exists inside the gh process and disappears when that subprocess exits. The agent's own process never sees plaintext credentials.
4-hook output scrubbing
Before tool output reaches the agent, four independent layers scan for leaks:
- Regex pattern matching for known formats like ghp_ and sk_live_
- Hash-based literal matching against exact stored credentials
- Environment variable name matching
- Global known-format detection
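A sketch of how the first three scrubbing layers can fit together, added here as an illustration and not taken from openclaw-credential-vault's own code. All function names are hypothetical, the length bounds in the format patterns are assumed, and the sliding-window digest comparison is one possible way to do hash-based literal matching without keeping plaintext in the scrubber.

```javascript
const { createHash } = require('node:crypto');

const sha256 = (s) => createHash('sha256').update(s).digest('hex');

// Layer 1: known token formats (prefixes from the page; length bounds are assumed).
const FORMAT_PATTERNS = [/ghp_[A-Za-z0-9]{20,}/g, /sk_live_[A-Za-z0-9]{16,}/g];

// Constructed sample value, not a real credential.
const SAMPLE_SECRET = 'corp-api-secret-7f3a';

// Layer 2 input: keep only a digest and a length per stored credential,
// so the scrubber itself never holds the plaintext.
function fingerprint(secret) {
  if (!secret) throw new Error('empty secret');
  return { length: secret.length, digest: sha256(secret) };
}

// Slide a window of the credential's length over the text and compare digests.
function redactByHash(text, fp) {
  let out = '';
  let i = 0;
  while (i < text.length) {
    const chunk = text.slice(i, i + fp.length);
    if (chunk.length === fp.length && sha256(chunk) === fp.digest) {
      out += '[REDACTED:literal]';
      i += fp.length;
    } else {
      out += text[i++];
    }
  }
  return out;
}

// Layer 3: NAME=value where NAME is a vaulted variable name ([A-Z0-9_] assumed).
function redactByEnvName(text, names) {
  if (!names.length) return text;
  const re = new RegExp(`\\b(${names.join('|')})=(\\S+)`, 'g');
  return text.replace(re, '$1=[REDACTED:env]');
}

// Run exact-literal matching first, then variable names, then generic formats.
function scrub(text, { fingerprints, envNames }) {
  let out = text;
  for (const fp of fingerprints) out = redactByHash(out, fp);
  out = redactByEnvName(out, envNames);
  for (const re of FORMAT_PATTERNS) out = out.replace(re, '[REDACTED:format]');
  return out;
}
```

The literal layer catches credentials with no recognizable prefix, which the format patterns alone would miss; hashing every window is linear in output size per credential, so a production scrubber would likely use a rolling hash instead.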
Technical implementation
- Encryption: AES-256-GCM with per-credential random salts
- Key derivation: Argon2id with 64 MiB memory cost, 3 iterations
- Compatibility: Works with any CLI tool or API, including browser login or session cookies
- BYOT (Bring your own tools) support
- Test coverage: ~700 tests across 36 files
- Open source
Setup and usage
Installation: npm install -g openclaw-credential-vault
Basic setup: openclaw vault add github --key ghp_xxx
The tool addresses limitations in SecretRefs (v2026.3.2), which handles config-level secrets but lacks OS-level separation and only covers OpenClaw's own config keys, not arbitrary tools like gh or stripe CLI.
📖 Read the full source: r/openclaw