openclaw-credential-vault addresses four credential leakage paths in AI agents

openclaw-credential-vault is a security tool that addresses credential exposure risks in OpenClaw AI agent setups. The tool implements three layers of defense against four identified credential leakage paths.
Four credential exposure paths
The source identifies these primary threats:
- Direct file/env access: Agents running commands like
cat ~/.envorecho $GITHUB_TOKENcan expose credentials stored in environment variables or config files. - Context window leakage: Tool output containing tokens or auth headers becomes permanently stored in conversation history.
- Prompt injection exfiltration: Malicious instructions can trick agents into forwarding credentials they can access.
- Supply chain attacks: Malicious ClawHub skills executing arbitrary code with agent permissions.
The key insight: the first three paths depend on credentials being visible to the agent process. Removing that visibility eliminates 75% of the attack surface.
How openclaw-credential-vault works
The tool provides three defense layers:
OS-level isolation
A dedicated system user owns encrypted vault files, with filesystem permissions enforced by the kernel. The agent process cannot access these files at the filesystem level.
Subprocess-scoped injection
Credentials are decrypted by a sandboxed resolver binary and injected only into specific subprocess environments. For example, a GITHUB_TOKEN only exists inside the gh process and disappears when that subprocess exits. The agent's own process never sees plaintext credentials.
4-hook output scrubbing
Before tool output reaches the agent, four independent layers scan for leaks:
- Regex pattern matching for known formats like
ghp_andsk_live_ - Hash-based literal matching against exact stored credentials
- Environment variable name matching
- Global known-format detection
Technical implementation
- Encryption: AES-256-GCM with per-credential random salts
- Key derivation: Argon2id with 64 MiB memory cost, 3 iterations
- Compatibility: Works with any CLI tool or API, including browser login or session cookies
- BYOT (Bring your own tools) support
- Test coverage: ~700 tests across 36 files
- Open source
Setup and usage
Installation: npm install -g openclaw-credential-vault
Basic setup: openclaw vault add github --key ghp_xxx
The tool addresses limitations in SecretRefs (v2026.3.2), which handles config-level secrets but lacks OS-level separation and only covers OpenClaw's own config keys, not arbitrary tools like gh or stripe CLI.
📖 Read the full source: r/openclaw
👀 See Also

Wide OpenClaw: Security Risks from Loose Discord Bot Permissions
A security researcher demonstrates how OpenClaw can be exploited when users add the AI assistant bot to their Discord server with excessive permissions, targeting users who grant root/admin access without considering security controls.

Malware Found in OpenClaw Community Skills — Crypto Theft Alert

Snowflake Cortex Code CLI vulnerability allowed sandbox escape and malware execution
A vulnerability in Snowflake Cortex Code CLI version 1.0.25 and earlier allowed arbitrary command execution without human approval via process substitution bypass, enabling malware installation and sandbox escape through indirect prompt injection.

Agent Passport: Identity Verification for AI Agents
Agent Passport is an open-source identity verification layer using Ed25519 authentication and JWT tokens for AI agents, addressing the problem of agent impersonation.