openclaw - 💡(How to fix) Fix exec-denied raw_params logged verbatim in gateway.err.log can capture cleartext env-var credentials [1 pull requests]

Version: OpenClaw (denial occurred under an older version; behavior may persist in 2026.5.19 — please verify against current denial code path)

Summary

When an agent issues a tools/exec call that the gateway denies (allowlist miss, sandbox rejection, etc.), the gateway logs the full raw_params JSON to gateway.err.log for debugging. This is generally useful — but if the agent's command happened to inline export FOO_API_KEY="<actual-cleartext-key>" before the real command, those credentials become part of raw_params.command and are persisted verbatim to disk.

In our case this captured six live API keys to a log file with default ACLs (mode 644 on macOS). After discovery, we rotated all six, but the recovery path was disruptive and the underlying logging behavior is unchanged.

Concrete evidence

From ~/.openclaw/logs/gateway.err.log, dated 2026-04-04T01:15:25-07:00 (credential values masked for this report; the original log contained the cleartext values):

2026-04-04T01:15:25.219-07:00 [tools] exec failed: exec denied: allowlist miss raw_params={"command":"export MOONSHOT_API_KEY=\"sk-Tz9...<rest-of-key>\" && export MOONSHOT_API_URL=\"https://api.moonshot.ai/v1\" && export OPENROUTER_API_KEY=\"sk-or-...<rest-of-key>\" && export XAI_API_KEY=\"xai-...<rest-of-key>\" && export BRAVE_API_KEY=\"BSAm...<rest-of-key>\" && export GUMROAD_API_KEY=\"XIf8...<rest-of-key>\" && export INSTAGRAM_ACCESS_TOKEN=\"IGAA...<rest-of-token>\" && ...

Six distinct provider credentials all ended up in plain text in one log line. The log file's default permissions on macOS are 644 (world-readable on multi-user systems, and visible to anything with read access to the operator's home directory).

Why this happened on our side

The denied command was an agent attempting to set env vars before running a multi-step shell action. The gateway correctly denied execution. But its denial diagnostic logged the full command — including the env-var assignments — without scrubbing.

Suggested resolutions

1. Scrub raw_params before logging. Strip values from export KEY=... / KEY=... patterns (or any token-shaped string longer than N chars, e.g. \bsk-[A-Za-z0-9_-]{20,}\b, \bxai-[A-Za-z0-9_-]{20,}\b) before emitting to log. Replace with <redacted>. Lowest-risk change; preserves debuggability of which command was attempted while removing the credential leak.
2. Truncate or hash raw_params for denied commands. Log only the first ~80 chars of the command + a hash, sufficient for triage but not for credential recovery.
3. Stop logging raw_params on denial. Log only the denial reason + caller identity; defer raw-params inspection to a separate verbose-debug mode that requires explicit opt-in.

Option (1) is the most operator-friendly; (3) is the safest default.

Impact on operators

• Silent credential exposure to log file (and any backup, log-aggregation pipeline, or telemetry that ships gateway.err.log).
• Detection requires explicit grep through the err log — operators may not know to look.
• Recovery requires rotation across every provider whose key appears in the log.

Repro

1. From an agent context, issue an exec command that's not on the allowlist, with an inline export FOO=secret prefix.
2. Observe ~/.openclaw/logs/gateway.err.log — the full command including the secret is captured as raw_params.command.