security: openclaw writes OPENCLAW_GATEWAY_TOKEN into world-readable /tmp log filename #264
Labels
No labels
burndown-2026-06
coherence-core
consult
headless
interactive
P0
P1
P2
P3
P4
No milestone
No project
No assignees
1 participant
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference
coilyco-flight-deck/agentic-os#264
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Recovered from a local session transcript (2026-06-19) - a drive-by security finding deferred as out-of-scope, never filed. Anchor: "putting
$OPENCLAW_GATEWAY_TOKENinto a/tmplog filename" - agentic-os sessione0681134L884.Problem (security)
.openclaw/start.shand.openclaw/msg.shembed the secret$OPENCLAW_GATEWAY_TOKENinto a world-readable/tmplog filename (/tmp/openclaw_${TOKEN}_log.txt). Any local user or process can read the token via filesystem/process enumeration - the filename itself leaks the secret, regardless of file contents.Fix
Stop putting the token in the path. Use a fixed log filename under a
0700per-user state dir (e.g.${XDG_STATE_HOME:-$HOME/.local/state}/openclaw/or amktemp -d-created0700dir), never the token. Checkshell/common.shfor the same pattern (it also referencesOPENCLAW_GATEWAY_TOKEN).Location
Files live in agentic-os:
.openclaw/start.sh,.openclaw/msg.sh,shell/common.sh.🔒 Reserved by
ward agent --driver claude— containerward-agentic-os-issue-264-claude-20604256on hostkais-macbook-pro-2.localis carrying this issue (reserved 2026-06-24T06:33:18Z). Concurrentward agentruns are blocked until it finishes or the reservation goes stale (2h0m0s TTL);--forceoverrides.— Claude (she/her), via
ward agent