openclaw - ✅(Solved) Fix sourceConfig in config.get exposes API keys in plaintext [1 pull requests, 1 participants]

GitHub stats

openclaw/openclaw#65835 (fetched 2026-04-14 05:40:07)
Comments: 0 · Participants: 1 · Timeline: 2 · Reactions: 0
Timeline: cross-referenced ×2

Fix Action

Fixed

PR fix notes

PR #65858: fix: redact sourceConfig in config.get responses

Description (problem / solution / changelog)

Summary

Fixes #65835.

Root Cause

sourceConfig in ConfigFileSnapshot was not being redacted by redactConfigSnapshot() (src/config/redact-snapshot.ts). While config, parsed, raw, and resolved were properly redacted before returning from gateway config.get, sourceConfig was spread through unchanged, exposing API keys and secrets in plaintext.

Fix

Added sourceConfig to the redaction path in redactConfigSnapshot():

  • Invalid snapshots: sourceConfig is set to {} (alongside config: {}, raw: null, parsed: null, resolved: {})
  • Valid snapshots: redactObject(snapshot.sourceConfig, uiHints) is called, consistent with how resolved is handled

Test Coverage

  • New test: redacts sourceConfig in valid snapshots — verifies telegram botToken and gateway token are redacted in sourceConfig
  • Updated: withholds resolved config for invalid snapshots — also asserts result.sourceConfig is {}

All 39 redact-snapshot tests pass.
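The root cause and fix above (and the guidance in the extent analysis further down) both come down to one point: a snapshot has several views of the same file, and redaction has to cover every one of them, not just the ones someone remembered to list. The following TypeScript is an added example, not openclaw's own code: the snapshot shape, `redactObject`, the key-name heuristic, the `_OPENCLAW_REDACTED_` placeholder use, and the sample config are all assumptions modelled on the descriptions on this page. It shows the pre-fix shape of `redactConfigSnapshot` (every view redacted except `sourceConfig`), the fixed version, and a leak sweep that walks all object views of a snapshot so a test fails on any unredacted secret, whichever field it is in.

```typescript
// Added example, not openclaw's code. Models the config.get snapshot redaction
// described on this page and a sweep test that would have caught the bug.

const REDACTED = "_OPENCLAW_REDACTED_"; // placeholder value quoted in the issue
// Assumption: keys ending in these names hold secrets (apiKey, appSecret, token, botToken, ...).
const SENSITIVE_KEY_PATTERN = /(apikey|appsecret|token|secret|password)$/i;

type Json = string | number | boolean | null | Json[] | { [key: string]: Json };
type ConfigObject = { [key: string]: Json };

// Assumed shape of ConfigFileSnapshot: several views of one config file.
interface ConfigFileSnapshot {
  valid: boolean;
  config: ConfigObject;
  parsed: ConfigObject | null;
  raw: string | null; // raw file text
  resolved: ConfigObject;
  sourceConfig: ConfigObject; // the view the issue is about
}

function isSensitiveKey(key: string): boolean {
  return SENSITIVE_KEY_PATTERN.test(key);
}

// Deep copy of a JSON value with string values under sensitive keys replaced.
function redactObject(value: Json): Json {
  if (Array.isArray(value)) return value.map((item) => redactObject(item));
  if (value === null || typeof value !== "object") return value; // primitives pass through
  const out: ConfigObject = {};
  for (const key of Object.keys(value)) {
    const child = value[key];
    out[key] = isSensitiveKey(key) && typeof child === "string" ? REDACTED : redactObject(child);
  }
  return out;
}

// Assumption: raw is JSON text; replace the string value following any sensitive key.
function redactRawJsonText(raw: string): string {
  return raw.replace(
    /("[^"]*(?:apikey|appsecret|token|secret|password)"\s*:\s*)"(?:[^"\\]|\\.)*"/gi,
    `$1"${REDACTED}"`,
  );
}

// Pre-fix shape: config/parsed/raw/resolved are handled, sourceConfig is spread through unchanged.
function redactConfigSnapshotBefore(snapshot: ConfigFileSnapshot): ConfigFileSnapshot {
  if (!snapshot.valid) {
    return { ...snapshot, config: {}, raw: null, parsed: null, resolved: {} };
  }
  return {
    ...snapshot, // sourceConfig comes along in plaintext
    config: redactObject(snapshot.config) as ConfigObject,
    parsed: snapshot.parsed === null ? null : (redactObject(snapshot.parsed) as ConfigObject),
    raw: snapshot.raw === null ? null : redactRawJsonText(snapshot.raw),
    resolved: redactObject(snapshot.resolved) as ConfigObject,
  };
}

// Fixed shape: sourceConfig gets the same treatment as resolved ({} for invalid snapshots).
function redactConfigSnapshot(snapshot: ConfigFileSnapshot): ConfigFileSnapshot {
  const partial = redactConfigSnapshotBefore(snapshot);
  return {
    ...partial,
    sourceConfig: snapshot.valid ? (redactObject(snapshot.sourceConfig) as ConfigObject) : {},
  };
}

// Paths of sensitive keys whose value is still a plaintext string (anything but the placeholder).
function findPlaintextSecrets(value: Json, path: string): string[] {
  const hits: string[] = [];
  if (Array.isArray(value)) {
    value.forEach((item, i) => hits.push(...findPlaintextSecrets(item, `${path}[${i}]`)));
  } else if (value !== null && typeof value === "object") {
    for (const key of Object.keys(value)) {
      const child = value[key];
      const childPath = `${path}.${key}`;
      if (isSensitiveKey(key) && typeof child === "string" && child !== REDACTED) hits.push(childPath);
      else hits.push(...findPlaintextSecrets(child, childPath));
    }
  }
  return hits;
}

// Sweep every object view of the snapshot, so a new or forgotten view cannot leak silently.
function snapshotLeakPaths(snapshot: ConfigFileSnapshot): string[] {
  const views: Array<[string, Json]> = [
    ["config", snapshot.config],
    ["parsed", snapshot.parsed],
    ["resolved", snapshot.resolved],
    ["sourceConfig", snapshot.sourceConfig],
  ];
  const leaks: string[] = [];
  for (const [name, view] of views) leaks.push(...findPlaintextSecrets(view, name));
  return leaks;
}

// Constructed sample snapshot; the secrets are dummy values.
const SAMPLE_SNAPSHOT: ConfigFileSnapshot = {
  valid: true,
  config: { telegram: { botToken: "123:abc" } },
  parsed: { telegram: { botToken: "123:abc" }, gateway: { token: "gw-secret" } },
  raw: '{"telegram":{"botToken":"123:abc"},"gateway":{"token":"gw-secret"}}',
  resolved: { telegram: { botToken: "123:abc" }, gateway: { token: "gw-secret" } },
  sourceConfig: {
    telegram: { botToken: "123:abc" },
    gateway: { token: "gw-secret" },
    models: { openai: { apiKey: "sk-constructed" } },
  },
};

console.log("leaks before fix:", snapshotLeakPaths(redactConfigSnapshotBefore(SAMPLE_SNAPSHOT)));
console.log("leaks after fix:", snapshotLeakPaths(redactConfigSnapshot(SAMPLE_SNAPSHOT)));
```

The sweep is the part worth keeping around: a per-field test such as "redacts telegram botToken in resolved" passes while `sourceConfig` leaks, whereas `snapshotLeakPaths` over the whole response fails the moment any view carries a plaintext secret, including views added later.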

Changed files

  • src/agents/pi-embedded-runner/tool-result-char-estimator.test.ts (added, +79/-0)
  • src/agents/pi-embedded-runner/tool-result-char-estimator.ts (modified, +7/-1)
  • src/config/redact-snapshot.test.ts (modified, +13/-0)
  • src/config/redact-snapshot.ts (modified, +3/-0)
Issue body

Describe the bug

When calling the `gateway config.get` tool, the `sourceConfig` field in the response returns the raw contents of the config file with all API keys in plaintext (e.g. `apiKey`, `appSecret`, `token`).

Meanwhile, the `parsed` and `resolved` fields in the same response are properly redacted (showing _OPENCLAW_REDACTED_).

Steps to reproduce

  1. Configure any provider with an `apiKey` in `openclaw.json`
  2. Call `gateway config.get`
  3. Inspect the `sourceConfig` section of the response

Expected behavior

Sensitive fields in `sourceConfig` should be redacted, consistent with `parsed` and `resolved`.

Actual behavior

`sourceConfig` returns the full raw file contents without any redaction.

Environment

  • Version: 2026.4.11
  • OS: Windows 11
  • Config path: `~/.openclaw/openclaw.json`

Impact

The `sourceConfig` field exposes credentials in plaintext through the tool interface. Any component that can call `config.get` (including sub-agents, plugins, etc.) can read these credentials.

Suggested fix

Apply redaction to known sensitive fields in `sourceConfig` before returning, consistent with `parsed` / `resolved`.

Extent analysis

TL;DR

Apply redaction to known sensitive fields in the sourceConfig field of the config.get response to prevent exposure of API keys in plaintext.

Guidance

  • Review the config.get tool implementation to identify where the sourceConfig field is populated and modify it to apply redaction to sensitive fields, such as apiKey, appSecret, and token.
  • Verify that the redaction logic is consistent with the existing redaction applied to the parsed and resolved fields.
  • Test the modified config.get tool to ensure that the sourceConfig field no longer returns sensitive information in plaintext.
  • Consider adding additional logging or monitoring to detect and alert on any potential security issues related to sensitive field exposure.

Example

No code snippet is provided as the issue does not include specific implementation details.

Notes

The suggested fix assumes that the config.get tool has access to the necessary redaction logic and configuration to properly mask sensitive fields. Additional testing and validation may be required to ensure that the fix does not introduce any unintended consequences or security vulnerabilities.

Recommendation

Apply workaround: Modify the config.get tool to apply redaction to sensitive fields in the sourceConfig field, as this is a targeted fix that addresses the specific security issue without requiring a version upgrade.
