Security Check

Credential Exposure: Keep API Keys Out of Config

OpenClaw configs can reference credentials with $secret: references, which resolve to keys stored encrypted under ~/.openclaw/credentials/. A key can also be pasted inline into the config as plaintext, which is a major security risk.

Why It Matters

A plaintext API key in a config file ends up committed to git, copied into backups, and readable by anyone with filesystem access to the machine. A single leaked OpenAI or Anthropic key can run up thousands of dollars in unauthorized API charges before anyone notices.

How to Fix

Use the $secret:credential-id syntax to reference an encrypted credential instead of pasting the key. Store the key first with openclaw credentials set, then point the config at it by id. If a key was ever stored inline, assume it has already been exposed and rotate it at the provider; moving it into the credential store does not revoke the leaked copy.

openclaw.json
{
  "agents": {
    "defaults": {
      "model": {
        "apiKey": "$secret:anthropic-key"
      }
    }
  }
}
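The check itself can be scripted. The following is an added example written for this page, not OpenClaw's scanner or Clawctl's code: it walks an openclaw.json document, flags any secret-looking key (apiKey, token, secret, password) whose value is not a $secret: reference, and raises severity when the value carries a known provider prefix (sk-ant- for Anthropic, sk- for OpenAI). The key-name regex and the sample config are assumptions constructed for the example; only the $secret: convention and the agents.defaults.model.apiKey path come from the page.

```python
import json
import re
from typing import Any, Iterator

# Heuristic (assumed): config keys whose values are expected to hold secrets.
# Anchored to the end of the key so names like "apiKeyHeader" are not flagged.
SECRET_KEY_NAMES = re.compile(r"(api[_-]?key|secret|token|password)$", re.IGNORECASE)

# Known provider key prefixes; a match raises severity even under an unusual key name.
KNOWN_PREFIXES = ("sk-ant-", "sk-")

# The page's convention for an encrypted credential reference.
SECRET_REF_PREFIX = "$secret:"

# Constructed sample config: one inline Anthropic-style key, one proper $secret:
# reference, one inline integration token, and one non-secret key that merely
# contains "apiKey" in its name.
SAMPLE_CONFIG = """
{
  "agents": {
    "defaults": {
      "model": {"apiKey": "sk-ant-api03-REDACTEDEXAMPLEKEY0000"}
    },
    "reviewer": {
      "model": {"apiKey": "$secret:anthropic-key"}
    }
  },
  "integrations": [
    {"name": "search", "token": "plain-token-value"}
  ],
  "telemetry": {"apiKeyHeader": "x-api-key"}
}
"""


def walk(node: Any, path: str = "$", key: str = "") -> Iterator[tuple[str, str, Any]]:
    """Yield (json_path, nearest_key_name, value) for every leaf in a nested JSON value."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from walk(v, f"{path}.{k}", k)
    elif isinstance(node, list):
        # List elements inherit the key name of the list they sit in.
        for i, v in enumerate(node):
            yield from walk(v, f"{path}[{i}]", key)
    else:
        yield path, key, node


def redact(value: Any) -> str:
    """Show only the edges of a value so findings can be reported without re-leaking it."""
    s = str(value)
    if len(s) <= 8:
        return "*" * len(s)
    return s[:4] + "..." + s[-4:]


def find_inline_secrets(config: dict) -> list[dict]:
    """Return one finding per secret-looking leaf that is not a $secret: reference."""
    findings = []
    for path, key, value in walk(config):
        looks_like_key = isinstance(value, str) and value.startswith(KNOWN_PREFIXES)
        if not (SECRET_KEY_NAMES.search(key) or looks_like_key):
            continue
        if isinstance(value, str) and value.startswith(SECRET_REF_PREFIX):
            continue  # encrypted reference: this is the fixed form
        if value in ("", None):
            continue  # empty placeholder, nothing exposed
        findings.append({
            "path": path,
            "severity": "high" if looks_like_key else "medium",
            "preview": redact(value),
        })
    return findings


def scan_config_text(text: str) -> list[dict]:
    """Parse a JSON config document and scan it."""
    return find_inline_secrets(json.loads(text))


if __name__ == "__main__":
    for f in scan_config_text(SAMPLE_CONFIG):
        print(f"[{f['severity']}] {f['path']} = {f['preview']}")
```

Run it against a real file with scan_config_text(open(path).read()). A clean result only means no plaintext key is present in the config; it says nothing about whether the referenced credential ids exist in ~/.openclaw/credentials/, and a key that was ever inline still needs rotating.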

Check your config for this vulnerability

The free scanner tests this and 11 other security checks.

Skip the hardening

Clawctl manages all 12 security checks automatically. Enterprise defaults, zero config.