openclaw - 💡(How to fix) Fix secrets audit: Improve UX by distinguishing plaintext secrets from environment variable references



Problem

When running openclaw secrets audit --check, the tool reports PLAINTEXT_FOUND warnings for apiKey fields in models.json, even when these values are environment variable references (e.g., OPENCLAW_DEEPSEEK_API_KEY), not actual plaintext secrets.

While the system correctly identifies that the apiKey field contains a string value, it does not distinguish between:

  1. Actual plaintext secrets (real API keys stored in plain text - security risk)
  2. Environment variable references (names like OPENCLAW_*_KEY pointing to env vars - no security risk)

This causes false positives that confuse users, especially those who prefer a clean system and find these warnings uncomfortable.

User Experience Impact

  • Users with multiple providers see 4+ PLAINTEXT_FOUND warnings every time they run secrets audit --check
  • Even knowing these are false positives, it creates cognitive load and reduces trust in the tool
  • Users may start ignoring warnings, which could mask real security issues in the future

Suggested Solution

Add detection logic to distinguish between actual plaintext secrets and environment variable references:

  1. Check for env var naming patterns: If the apiKey value contains keywords like KEY, TOKEN, SECRET, PASSWORD, or follows patterns like OPENCLAW_*, *_API_KEY, etc., treat it as an env var reference
  2. Skip PLAINTEXT_FOUND warning for env var references: Only warn when the value is actually a secret, not when it is a reference to a secret stored elsewhere
  3. Alternative: Add a config option to mark certain fields as env var reference so the audit tool knows to skip them

Expected Behavior

# With env var reference (should NOT warn):
apiKey: "OPENCLAW_DEEPSEEK_API_KEY"  # No warning, recognized as env var reference

# With actual plaintext secret (SHOULD warn):
apiKey: "sk-123…cdef"  # Warning, this is a real secret

This would improve user experience without compromising security.
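The following is an added example of the classification logic suggested above, written here for illustration; it is not OpenClaw's own secrets-audit code, and the function names, the `envRefFields` option and the sample models.json content are assumptions. It implements the two proposed checks (env var naming patterns, plus a config-declared list of reference fields) and adds one check a reviewer would want: a value that merely looks like an env var name but is not actually set in the environment is reported as an unresolved reference rather than silently accepted, so a misnamed reference cannot suppress the warning.

```typescript
// Added example (not OpenClaw project code): classify apiKey values as env-var references
// or plaintext secrets, in the spirit of the issue's suggested solution.

export type Classification = "ENV_REF" | "UNRESOLVED_REF" | "PLAINTEXT_FOUND" | "EMPTY";

// Shape of a POSIX-style environment variable name: uppercase letters, digits and
// underscores, not starting with a digit. A real key such as "sk-…" fails this test
// because of the hyphen and lowercase characters.
const ENV_NAME = /^[A-Z_][A-Z0-9_]*$/;

// Suffixes the issue proposes as hints that a name refers to a secret held elsewhere.
const SECRET_HINT = /(KEY|TOKEN|SECRET|PASSWORD)$/;

export interface AuditOptions {
  // Values the user explicitly declared as references (the issue's "config option" alternative).
  // Hypothetical option name.
  envRefFields?: string[];
  // Environment to resolve names against; injected so the function can be tested offline.
  env?: Record<string, string | undefined>;
}

export function classifySecretValue(value: string, opts: AuditOptions = {}): Classification {
  const v = value.trim();
  if (v === "") return "EMPTY";
  if (opts.envRefFields?.includes(v)) return "ENV_REF";

  // Heuristic from the issue: project prefix (OPENCLAW_*) or a secret-style suffix (*_API_KEY, *_TOKEN, ...).
  const looksLikeName = ENV_NAME.test(v) && (v.startsWith("OPENCLAW_") || SECRET_HINT.test(v));
  if (!looksLikeName) return "PLAINTEXT_FOUND";

  // Stronger check when an environment is available: a name that is not set is not a
  // working reference, so it must not silence the warning.
  if (opts.env && !(v in opts.env)) return "UNRESOLVED_REF";
  return "ENV_REF";
}

export interface Finding {
  path: string;
  kind: Classification;
}

// Walk a models.json-shaped object and collect everything that still deserves a warning.
export function auditModels(
  models: Record<string, { apiKey?: string }>,
  opts: AuditOptions = {},
): Finding[] {
  const findings: Finding[] = [];
  for (const [name, cfg] of Object.entries(models)) {
    if (typeof cfg.apiKey !== "string") continue;
    const kind = classifySecretValue(cfg.apiKey, opts);
    if (kind !== "ENV_REF" && kind !== "EMPTY") findings.push({ path: `${name}.apiKey`, kind });
  }
  return findings;
}

// Constructed sample input (only the OPENCLAW_DEEPSEEK_API_KEY name comes from the issue).
export const SAMPLE_MODELS = {
  deepseek: { apiKey: "OPENCLAW_DEEPSEEK_API_KEY" },
  openai: { apiKey: "sk-1234567890abcdef" }, // constructed placeholder, not a real key
  anthropic: { apiKey: "OPENCLAW_ANTHROPIC_API_KEY" }, // referenced but not set below
};

// Constructed environment: only the DeepSeek reference resolves.
export const SAMPLE_ENV: Record<string, string | undefined> = {
  OPENCLAW_DEEPSEEK_API_KEY: "set-in-env",
};

for (const f of auditModels(SAMPLE_MODELS, { env: SAMPLE_ENV })) {
  console.log(`${f.kind}: ${f.path}`);
}
```

On the sample input this reports `PLAINTEXT_FOUND: openai.apiKey` and `UNRESOLVED_REF: anthropic.apiKey`, and stays silent for the DeepSeek reference. The name-pattern heuristic alone is weak (an all-uppercase secret that happens to end in KEY would pass it), which is why the example resolves the name against the environment when it can; the explicit `envRefFields` list covers values whose names do not follow either pattern.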

Environment

  • OpenClaw version: 2026.5.27
  • OS: Ubuntu 25.10
