Between January 27 and February 3, 2026, a cluster of security incidents hit OpenClaw:
- 341 malicious skills discovered in ClawHub marketplace (12% of registry)
- 1.5 million agent API tokens exposed via Moltbook social network breach
- 21,639 publicly exposed OpenClaw instances identified by Censys
- One-click RCE vulnerability (CVE-2026-25253, CVSS 8.8) disclosed
OpenClaw reached 250,000+ GitHub stars in 60 days, making it the fastest-growing open-source project in history. That installed base is what makes the credential-handling pattern described below consequential: a weakness in how one framework stores secrets becomes a weakness in every deployment that adopted it.
Where Credentials Are Stored
OpenClaw stores API keys and bot tokens in a plaintext JSON file at ~/.openclaw/openclaw.json. This is documented in the official docs and acknowledged in community discussions.
A critical bug (#9627) showed that config write operations resolve environment variable references such as ${VAR_NAME} and write the resolved credential values back into the JSON file in plaintext. Users who relied on environment variable indirection found that a routine config update replaced their references with the raw API keys on disk.
A related risk: models-config.ts writes API key values into models.json, and models.json is serialized into prompt context, so during debugging sessions the credentials end up directly in the conversation transcript.
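Both leak paths, reconstructed as an added example. This is illustrative Python written for this article, not OpenClaw's own code; the function names, the handling of the ${VAR} reference syntax, and the sample config and key values are assumptions. set_option_buggy reproduces the #9627 pattern by resolving references before writing the file back; set_option_fixed edits the file in its reference form so that resolution only ever happens in memory; redact_secrets is the filter that should sit between a config object and anything that gets serialized into prompt context.

```python
import json
import re
import tempfile
from pathlib import Path

# Matches a whole-value reference such as "${OPENAI_API_KEY}" (assumed syntax)
ENV_REF = re.compile(r"^\$\{([A-Za-z_][A-Za-z0-9_]*)\}$")
# Heuristic for keys whose values must never reach a prompt, a log or a transcript
SECRET_KEY = re.compile(r"(key|token|secret|password)", re.IGNORECASE)


def resolve_refs(node, env):
    """Return a copy of node with ${VAR} references replaced from env.
    This is the in-memory view only; it never touches disk."""
    if isinstance(node, dict):
        return {k: resolve_refs(v, env) for k, v in node.items()}
    if isinstance(node, str) and (m := ENV_REF.match(node)):
        return env.get(m.group(1), node)  # unknown variables stay as references
    return node


def redact_secrets(node):
    """Copy of node that is safe to serialize into prompt context or debug output:
    any value under a secret-looking key is replaced, whether it is still a
    reference or already a raw credential."""
    if isinstance(node, dict):
        return {k: ("[redacted]" if SECRET_KEY.search(k) else redact_secrets(v))
                for k, v in node.items()}
    return node


def set_option_buggy(path, key, value, env):
    """Bug pattern: the tool works on the resolved config and writes that back,
    so every ${VAR} in the file is silently replaced by the raw secret."""
    cfg = resolve_refs(json.loads(Path(path).read_text()), env)
    cfg[key] = value
    Path(path).write_text(json.dumps(cfg, indent=2))


def set_option_fixed(path, key, value):
    """Fixed: edit the file in reference form. Resolution happens only at load
    time via resolve_refs, and the resolved dict is never persisted."""
    cfg = json.loads(Path(path).read_text())
    cfg[key] = value
    Path(path).write_text(json.dumps(cfg, indent=2))


def demo():
    """Run both writers against the same constructed config and return what
    ended up on disk, in memory, and in the prompt-safe view."""
    env = {"OPENAI_API_KEY": "sk-live-0123456789"}  # constructed, not a real key
    original = {
        "model": "gpt-x",
        "apiKey": "${OPENAI_API_KEY}",
        "telegram": {"botToken": "${TELEGRAM_BOT_TOKEN}"},
    }
    results = {}
    with tempfile.TemporaryDirectory() as d:
        p = Path(d) / "openclaw.json"

        p.write_text(json.dumps(original))
        set_option_buggy(p, "model", "gpt-y", env)
        results["buggy_file"] = json.loads(p.read_text())   # raw key now on disk

        p.write_text(json.dumps(original))
        set_option_fixed(p, "model", "gpt-y")
        results["fixed_file"] = json.loads(p.read_text())   # reference preserved
        results["runtime_view"] = resolve_refs(results["fixed_file"], env)
        results["prompt_view"] = redact_secrets(results["runtime_view"])
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The unset TELEGRAM_BOT_TOKEN reference is left untouched by resolve_refs, which is the behaviour you want: an unresolved reference fails loudly downstream instead of being written to disk as an empty string or a literal "${...}" that later gets expanded.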
The ClawHavoc Campaign
Starting January 27, 2026, an actor using the handle "Hightower6eu" uploaded 354 professionally documented malicious packages with innocuous names like "solana-wallet-tracker." These skills carried Windows keyloggers and macOS Atomic Stealer malware.
When malicious skills execute, they gain access to everything the agent can access:
- Configuration files containing credentials
- Environment variables
- SSH keys and AWS credentials
- Browser cookies
- Filesystem contents
The attack exploits how OpenClaw skills work: a skill is a natural-language directive that instructs the agent to execute code, and the agent follows those instructions without distinguishing legitimate sources from malicious ones.
Why Current Mitigations Fall Short
OpenClaw has implemented several security measures:
- SecretRef (environment variable indirection)
- Auth profiles (system keychain storage)
- Third-party integrations (1Password/Bitwarden via exec providers)
- Security audit command (openclaw security audit --deep)
These mitigations operate at a surface level:
- Credentials still load into process memory regardless of storage method
- Config write operations can resolve environment variables back to plaintext
- Keychain protection doesn't prevent runtime access in multi-agent deployments
- Audit commands detect leaks after they occur, not before
The fundamental issue: credentials exist within the agent's runtime environment, making them accessible to any code the agent executes.
The Vault-First Alternative
A vault-first architecture removes credentials from the process entirely. Instead of storing API keys in the agent's environment, agents hold references (vault tokens) to credentials stored in a secure vault.
This approach:
- Creates audit trails — Every credential access generates a logged API request
- Enforces scoped permissions — Agents access only authorized credentials
- Prevents bulk exfiltration — Attackers cannot crawl credential directories; each secret requires authenticated requests
- Simplifies rotation — Update underlying credentials once; all agents receive new values automatically
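A minimal sketch of the vault-first flow, as an added example. It is not AgentLair's or OpenClaw's code; the Vault class, its method names, the token format and the sample secret names and values are all assumptions. The agent never receives the secret: it holds a scoped token and asks the vault to sign a request with the named credential. Every call is logged, out-of-scope names are refused, rotation is a single put_secret, and a stolen token can be revoked. The upstream service side is modelled by verify_signature, which checks the HMAC with its own copy of the secret.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed sample request body used in demo() and in verification
SAMPLE_PAYLOAD = b'{"channel":"#ops","text":"deploy done"}'


@dataclass
class AuditEvent:
    ts: float
    agent: str
    secret: str
    outcome: str


class Vault:
    """In-memory stand-in for a secrets vault (assumed design)."""

    def __init__(self):
        self._secrets = {}   # name -> current value; only the vault sees these
        self._grants = {}    # sha256(token) -> {agent, allowed, revoked}
        self.audit = []

    @staticmethod
    def _fingerprint(token):
        # Store only a hash of issued tokens so a vault dump yields nothing usable
        return hashlib.sha256(token.encode()).hexdigest()

    def put_secret(self, name, value):
        """Create or rotate a secret. Agents are unaffected: they hold a reference."""
        self._secrets[name] = value

    def issue_token(self, agent_id, allowed):
        """Return an opaque token scoped to the listed secret names."""
        token = secrets.token_urlsafe(32)
        self._grants[self._fingerprint(token)] = {
            "agent": agent_id, "allowed": frozenset(allowed), "revoked": False}
        return token

    def revoke(self, token):
        grant = self._grants.get(self._fingerprint(token))
        if grant:
            grant["revoked"] = True

    def sign_request(self, token, secret_name, payload):
        """Sign payload with the named secret on the agent's behalf. The secret
        value never crosses back to the caller; only the signature does."""
        grant = self._grants.get(self._fingerprint(token))
        agent = grant["agent"] if grant else "unknown"
        if grant is None or grant["revoked"]:
            self._deny(agent, secret_name, "denied:invalid-token")
        if secret_name not in grant["allowed"]:
            self._deny(agent, secret_name, "denied:out-of-scope")
        if secret_name not in self._secrets:
            self._deny(agent, secret_name, "denied:no-such-secret")
        self.audit.append(AuditEvent(time.time(), agent, secret_name, "allowed"))
        key = self._secrets[secret_name].encode()
        return hmac.new(key, payload, hashlib.sha256).hexdigest()

    def _deny(self, agent, secret_name, reason):
        self.audit.append(AuditEvent(time.time(), agent, secret_name, reason))
        raise PermissionError(reason)


def verify_signature(secret_value, payload, signature):
    """What the upstream service does with its own copy of the secret."""
    expected = hmac.new(secret_value.encode(), payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature)


def demo():
    """Walk one agent through normal use, an out-of-scope grab, rotation and revocation."""
    vault = Vault()
    vault.put_secret("slack/bot-token", "xoxb-constructed-1")   # constructed values
    vault.put_secret("aws/access-key", "AKIA-constructed-1")
    slack_token = vault.issue_token("support-agent", ["slack/bot-token"])
    results = {}

    results["sig_before"] = vault.sign_request(slack_token, "slack/bot-token", SAMPLE_PAYLOAD)

    # A malicious skill inside the agent finds only slack_token; scope blocks AWS
    try:
        vault.sign_request(slack_token, "aws/access-key", b"ListBuckets")
        results["aws_leaked"] = True
    except PermissionError:
        results["aws_leaked"] = False

    # Rotation: same reference on the agent side, new key material in the vault
    vault.put_secret("slack/bot-token", "xoxb-constructed-2")
    results["sig_after"] = vault.sign_request(slack_token, "slack/bot-token", SAMPLE_PAYLOAD)

    # Revocation ends the usefulness of a stolen reference
    vault.revoke(slack_token)
    try:
        vault.sign_request(slack_token, "slack/bot-token", SAMPLE_PAYLOAD)
        results["revoked_still_works"] = True
    except PermissionError:
        results["revoked_still_works"] = False

    results["audit"] = [(e.agent, e.secret, e.outcome) for e in vault.audit]
    return results


if __name__ == "__main__":
    for row in demo()["audit"]:
        print(row)
```

Note what a harvested environment yields here: one opaque token, good for one named credential, whose every use appears in vault.audit. There is deliberately no list_secrets call, so an attacker cannot enumerate what else the vault holds.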
The Broader Pattern
This vulnerability mirrors the LiteLLM fork bomb incident: malicious packages harvest credentials because credentials live where code executes. The difference is scale—OpenClaw powers hundreds of thousands of agents connected to enterprise SaaS systems.
A 12% malware compromise rate in a major agent marketplace represents not a unique failure but an inevitable outcome when credential architecture treats secrets as runtime configuration values rather than restricted references.
Key Takeaway
Supply chain attacks against agent frameworks are inevitable. The question isn't prevention but blast radius. When credentials live in the environment, attackers take everything. When credentials live in a vault, they take only audited, scoped, revocable references—transforming silent harvests into detectable security events.
AgentLair provides credential vault and identity infrastructure for AI agents. Learn more at agentlair.dev