openclaw-credential-vault addresses four credential leakage paths in AI agents

openclaw-credential-vault is a security tool that addresses credential exposure risks in OpenClaw AI agent setups. The tool implements three layers of defense against four identified credential leakage paths.
Four credential exposure paths
The source identifies these primary threats:
- Direct file/env access: Agents running commands like `cat ~/.env` or `echo $GITHUB_TOKEN` can expose credentials stored in environment variables or config files.
- Context window leakage: Tool output containing tokens or auth headers becomes permanently stored in conversation history.
- Prompt injection exfiltration: Malicious instructions can trick agents into forwarding credentials they can access.
- Supply chain attacks: Malicious ClawHub skills executing arbitrary code with agent permissions.
The key insight: the first three paths depend on credentials being visible to the agent process. Removing that visibility eliminates 75% of the attack surface.
How openclaw-credential-vault works
The tool provides three defense layers:
OS-level isolation
A dedicated system user owns encrypted vault files, with filesystem permissions enforced by the kernel. The agent process cannot access these files at the filesystem level.
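The kernel-enforced isolation described above is something a defender can verify rather than assume. The following is an added example, not code from openclaw-credential-vault: a small check that a vault file is owned by the expected uid and carries no group or world permission bits, run here against two constructed temporary files (one locked down, one world-readable). The file names, the `vault_file_problems` function and the 0o600 expectation are assumptions for illustration; the check is POSIX-only because it relies on `os.getuid` and Unix mode bits.

```python
import os
import stat
import tempfile

# Added example, not the tool's own code. Checks that a vault file is readable
# only by the dedicated vault user, i.e. the property the kernel is meant to
# enforce against the agent process. POSIX only (uid and mode bits).

def vault_file_problems(path: str, vault_uid: int) -> list[str]:
    """Return a list of problems; an empty list means the file is locked down."""
    st = os.stat(path)
    problems = []
    if st.st_uid != vault_uid:
        problems.append(f"owner uid {st.st_uid} is not the vault user {vault_uid}")
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IRGRP | stat.S_IWGRP):
        problems.append(f"group can access the file (mode {oct(mode)})")
    if mode & (stat.S_IROTH | stat.S_IWOTH):
        problems.append(f"other users can access the file (mode {oct(mode)})")
    return problems


def demo() -> tuple[list[str], list[str]]:
    """Create two constructed vault files: one owner-only, one world-readable."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "vault.enc")        # hypothetical file name
        loose = os.path.join(d, "vault-loose.enc")  # hypothetical file name
        for p in (good, loose):
            with open(p, "wb") as f:
                f.write(b"constructed ciphertext placeholder")
        os.chmod(good, 0o600)   # owner read/write only: what the page describes
        os.chmod(loose, 0o644)  # group- and world-readable: an agent user could cat it
        me = os.getuid()
        return vault_file_problems(good, me), vault_file_problems(loose, me)


if __name__ == "__main__":
    ok, bad = demo()
    print("locked-down file:", ok or "no problems")
    print("loose file:", bad)
```

In a real deployment the uid passed in would be that of the dedicated vault user, and the check would run as part of install verification or a periodic audit; a non-empty result means the filesystem boundary the tool relies on is not actually in place.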
Subprocess-scoped injection
Credentials are decrypted by a sandboxed resolver binary and injected only into specific subprocess environments. For example, a GITHUB_TOKEN only exists inside the gh process and disappears when that subprocess exits. The agent's own process never sees plaintext credentials.
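The subprocess-scoped injection above can be demonstrated without the real vault. The following is an added example, not code from openclaw-credential-vault: an in-memory `FAKE_VAULT` dict with a constructed token stands in for the sandboxed resolver binary, `run_scoped` copies the parent environment, adds the credential and runs the child with that copy, and a probe child reports only a SHA-256 of whatever `GITHUB_TOKEN` it saw. The names `FAKE_VAULT`, `resolve` and `run_scoped` are assumptions for illustration; the real tool also separates the resolver into another OS user, which this example does not do.

```python
import hashlib
import os
import subprocess
import sys

# Added example, not the tool's own code. FAKE_VAULT stands in for the
# sandboxed resolver that decrypts the real vault; the token is constructed
# and obviously fake.
FAKE_VAULT = {
    "github": {"GITHUB_TOKEN": "ghp_FAKE0000000000000000000000000000"},
}


def resolve(entry: str) -> dict[str, str]:
    """Hypothetical resolver: the env vars one vault entry contributes."""
    return dict(FAKE_VAULT[entry])


def run_scoped(entry: str, argv: list[str]) -> str:
    """Run argv with the credential present only in that child's environment.

    os.environ is copied, never modified, so the secret lives in the child's
    env block and disappears when the child exits.
    """
    child_env = dict(os.environ)
    child_env.update(resolve(entry))
    proc = subprocess.run(argv, env=child_env, capture_output=True, text=True, check=True)
    return proc.stdout


def sha256(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()


# Probe child: prints a hash of GITHUB_TOKEN rather than the value, so even
# this probe's stdout carries no plaintext credential back to the parent.
PROBE = [
    sys.executable, "-c",
    "import os, hashlib; "
    "print(hashlib.sha256(os.environ.get('GITHUB_TOKEN', '').encode()).hexdigest())",
]


def demo() -> dict[str, bool]:
    secret = FAKE_VAULT["github"]["GITHUB_TOKEN"]
    expected = sha256(secret)
    scoped = run_scoped("github", PROBE).strip()
    # A later child started the ordinary way inherits the parent env only.
    later = subprocess.run(PROBE, capture_output=True, text=True, check=True).stdout.strip()
    return {
        "child_with_injection_saw_secret": scoped == expected,
        "later_child_saw_secret": later == expected,
        "parent_env_holds_secret": secret in os.environ.values(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Replacing `PROBE` with a real tool invocation such as `gh` gives the behaviour the section describes: the token reaches the tool that needs it and nothing else. The remaining exposure is the tool's own output, which is why the scrubbing layer exists.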
4-hook output scrubbing
Before tool output reaches the agent, four independent layers scan for leaks:
- Regex pattern matching for known formats like `ghp_` and `sk_live_`
- Hash-based literal matching against exact stored credentials
- Environment variable name matching
- Global known-format detection
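The four scrubbing layers listed above, as an added example that is not the tool's own code. Each layer is independent and the constructed sample output is built so that every layer catches something the others miss: a stored passphrase with no recognisable format (hash layer), a managed variable printed with a rotated value the vault does not hold (name layer), a token in a known format that was never stored (regex layer) and a bearer header (global layer). Only the `ghp_` and `sk_live_` prefixes come from the page; the character-class tails, the bearer rule, the `[REDACTED:...]` markers and the class and function names are assumptions.

```python
import hashlib
import re

# Added example, not the tool's own code. Layer 1 (known formats): the ghp_
# and sk_live_ prefixes are from the page; the length/charset tails are
# assumptions.
KNOWN_FORMAT_PATTERNS = {
    "ghp_": re.compile(r"ghp_[A-Za-z0-9]{20,}"),
    "sk_live_": re.compile(r"sk_live_[A-Za-z0-9]{16,}"),
}
# Layer 4 (global known-format detection): assumed rule for bearer tokens in
# Authorization headers, which the page names as a leak vector.
GLOBAL_PATTERNS = {
    "bearer": re.compile(r"(?i)(authorization:\s*bearer\s+)(\S+)"),
}
# Candidate substrings for the hash layer: runs not broken by whitespace,
# quotes or common key/value separators.
CANDIDATE = re.compile(r"[^\s\"'=:,;]+")


def sha256(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()


class OutputScrubber:
    def __init__(self, stored: dict[str, str]):
        # Layer 2 keeps only hashes of vault values, never the plaintext.
        self.value_hashes = {sha256(v) for v in stored.values()}
        # Layer 3 matches on the env var names the vault manages.
        names = "|".join(re.escape(n) for n in sorted(stored))
        self.env_pattern = re.compile(rf"\b({names})(\s*[=:]\s*)(\S+)")

    def _hash_layer(self, text: str) -> tuple[str, int]:
        hits = 0

        def repl(m):
            nonlocal hits
            if sha256(m.group(0)) in self.value_hashes:
                hits += 1
                return "[REDACTED:vault-literal]"
            return m.group(0)

        return CANDIDATE.sub(repl, text), hits

    def _envname_layer(self, text: str) -> tuple[str, int]:
        return self.env_pattern.subn(r"\1\2[REDACTED:\1]", text)

    def _regex_layer(self, text: str) -> tuple[str, int]:
        hits = 0
        for label, pat in KNOWN_FORMAT_PATTERNS.items():
            text, n = pat.subn(f"[REDACTED:{label}]", text)
            hits += n
        return text, hits

    def _global_layer(self, text: str) -> tuple[str, int]:
        hits = 0
        for label, pat in GLOBAL_PATTERNS.items():
            text, n = pat.subn(rf"\1[REDACTED:{label}]", text)
            hits += n
        return text, hits

    def scrub(self, text: str) -> tuple[str, dict[str, int]]:
        """Run all four layers in turn; returns the scrubbed text and hits per layer."""
        hits = {}
        for name, layer in (("hash", self._hash_layer), ("envname", self._envname_layer),
                            ("regex", self._regex_layer), ("global", self._global_layer)):
            text, hits[name] = layer(text)
        return text, hits


# Constructed vault contents and tool output; none of these are real credentials.
STORED = {
    "GITHUB_TOKEN": "ghp_stored0123456789abcdefghijklmn",
    "OPENAI_API_KEY": "sk-constructed-AAAA",
    "VAULT_PASSPHRASE": "correct-horse-battery-staple",
}
SAMPLE_OUTPUT = """Logged in to github.com as example-user
gh auth token: ghp_stored0123456789abcdefghijklmn
token=ghp_notInVault1234567890abcdefghij
OPENAI_API_KEY=sk-rotated-BBBB
Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.constructed.sig
passphrase is correct-horse-battery-staple
"""


def demo() -> tuple[str, dict[str, int]]:
    return OutputScrubber(STORED).scrub(SAMPLE_OUTPUT)


if __name__ == "__main__":
    scrubbed, hits = demo()
    print(scrubbed)
    print(hits)
```

The hash layer is the reason the scrubber itself never needs plaintext credentials: it hashes each candidate substring and compares against stored hashes. Its blind spot, shared by all four layers, is a credential that reaches the output encoded or split across lines, which is why scrubbing is the last layer and not a replacement for keeping the agent process from seeing secrets in the first place.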
Technical implementation
- Encryption: AES-256-GCM with per-credential random salts
- Key derivation: Argon2id with 64 MiB memory cost, 3 iterations
- Compatibility: Works with any CLI tool or API, including browser login or session cookies
- BYOT (Bring your own tools) support
- Test coverage: ~700 tests across 36 files
- Open source
Setup and usage
Installation: npm install -g openclaw-credential-vault
Basic setup: openclaw vault add github --key ghp_xxx
The tool addresses limitations in SecretRefs (v2026.3.2), which handles config-level secrets but lacks OS-level separation and only covers OpenClaw's own config keys, not arbitrary tools like gh or stripe CLI.
📖 Read the full source: r/openclaw