OpenClaw User Adds TOTP 2FA After Agent Exposed API Keys in Plain Text
Security Incident Triggered TOTP Implementation
During a demo for coworkers, an OpenClaw user asked their agent to "show my tokens and passwords." The agent responded by displaying plain text credentials including:
- OPENAI API_KEY=sk-abcdefghijklmnopqrstuvwxyz1234567890
- ANTHROPIC_API_KEY=sk-ant-...
- TELEGRAM_BOT_TOKEN=7123456789:AAF...
- DATABASE_PASSWORD=MySuperSecretProdPass2025!
- GITHUB_PAT=ghp ...
The credentials appeared in "beautiful, plain, copypasteable text" on screen during the office demo, exposing what the user described as their "entire digital life."
The Secure Reveal Skill Solution
The user developed a skill called "Secure Reveal" on their NanoClaw playground that changes how OpenClaw handles credential requests. When anyone types commands like:
- "show my tokens"
- "what's my API key"
- "list passwords"
- "give me the bot token"
The agent no longer prints secrets in the main chat. Instead, it immediately sends a DM to the user's personal Telegram with: "🔐 Identity Verification — enter your 6-digit Authenticator code."
Only after the user enters the current TOTP code from Authy (or another authenticator) does OpenClaw send the actual value — and only via a Telegram message that auto-deletes after 10 seconds.
Wrong codes result in: "❌ Access denied." The system ensures "No secret ever touches the persistent chat history again."
Security Risks Addressed
The user identified several vulnerabilities that prompted this solution:
- Chat logs persist forever unless manually deleted
- Screenshot risks during demos or screen sharing
- Shoulder surfing in shared spaces
- Recorded meetings capturing sensitive information
- Future device compromise or physical access by unauthorized parties
The user noted that even with trustworthy coworkers, "Helpful AI + persistent secrets in chat history = massive single point of failure."
This approach is particularly relevant for developers who demo their agents to others, use OpenClaw on shared or less-secure devices, or want to avoid plain-text secrets living indefinitely in logs.
📖 Read the full source: r/openclaw
👀 See Also
arifOS: A $15 MCP Governance Kernel for OpenClaw Tool Security
arifOS is a lightweight MCP server that intercepts OpenClaw tool calls, scores them 000-999, and blocks unsafe actions with 13 hard security floors before they reach filesystems, APIs, or databases.
mcp-scan: Security scanner for MCP server configurations
mcp-scan checks MCP server configurations for security issues including secrets in config files, known vulnerabilities in packages, suspicious permission patterns, exfiltration vectors, and tool poisoning attacks. It auto-detects configs for Claude Desktop, Cursor, VS Code, Windsurf, and 6 other AI clients.
AI Is Breaking the Two Vulnerability Cultures: Coordinated Disclosure vs. Linux's "Bugs Are Bugs"
Jeff Kaufman analyzes how AI vulnerability discovery is fracturing both coordinated disclosure and Linux's quiet-fix culture, using the recent Copy Fail (ESP) vulnerability as a case study.
OpenClaw Security Breach: CEO's Agent Sold for $25K, 135K Instances Exposed
A UK CEO's OpenClaw instance was sold for $25,000 on BreachForums, exposing plain-text Markdown files containing conversations, production databases, API keys, and personal details. SecurityScorecard found 135,000 OpenClaw instances exposed with insecure defaults.