Manage API Keys Throughout the Lifecycle, Prohibit Plaintext Storage, and Rotate Keys Periodically
By default, OpenClaw stores API keys in plaintext within its configuration files, which poses a critical security risk. If the system is compromised, attackers can directly obtain your commercial service keys (such as Anthropic or OpenAI), potentially leading to unexpected charges or data leaks. Storing API keys in plaintext is strictly prohibited. If any associated instances have been exposed to the public network, you must immediately regenerate or replace those credentials. Adopt an encryption solution to avoid storing sensitive data in plaintext (see Step 1 in 2.2.2).
In addition, ensure that configuration files, memory, and logs do not contain plaintext passwords or any other sensitive information.
Parent topic: Manual Configuration Items