
How to Stop Storing OpenClaw API Keys in Plaintext
On February 13, a Vidar infostealer variant grabbed openclaw.json from a compromised machine. The full credential dump, including LLM API keys, was confirmed by Hudson Rock. Their CTO said infostealer developers will probably release dedicated modules for OpenClaw configs, as they did for Chrome and Telegram.

42,900 exposed instances. 15,200 vulnerable to RCE. 341 malicious skills on ClawHub distributing the AMOS infostealer. Plaintext config files went from bad habit to actively dangerous.

OpenClaw v2026.2.26 shipped a secrets CLI that moves keys out of plaintext in 4 commands: audit, configure, apply, reload. It supports env vars, file-based storage, and external vaults such as HashiCorp Vault or AWS Secrets Manager.

Full walkthrough: https://clawhosters.com/blog/posts/openclaw-secrets-management-api-key-security
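As an added example (not from the original post and not OpenClaw's own `secrets audit` command), here is a small audit that walks a JSON config, flags credential-looking keys whose values are literal strings rather than environment-variable references, and checks whether the file is readable by other users. The config layout, the `${ENV_VAR}` reference convention and the key-name list are assumptions for illustration.

```python
"""Audit a JSON config for plaintext API keys (added example, assumed layout)."""
import json
import os
import re
import stat

# Key names that commonly hold credentials (assumed list).
SECRET_KEY_RE = re.compile(r"(api[_-]?key|token|secret|password)", re.IGNORECASE)
# A value that references an environment variable instead of holding a literal.
ENV_REF_RE = re.compile(r"^\$\{[A-Z_][A-Z0-9_]*\}$")


def find_plaintext_secrets(cfg, path=""):
    """Return dotted paths of string values that look like literal secrets."""
    findings = []
    if isinstance(cfg, dict):
        for key, value in cfg.items():
            child = f"{path}.{key}" if path else key
            if isinstance(value, str) and SECRET_KEY_RE.search(key):
                # Env-var references and empty values pass; literals are flagged.
                if value and not ENV_REF_RE.match(value):
                    findings.append(child)
            else:
                findings.extend(find_plaintext_secrets(value, child))
    elif isinstance(cfg, list):
        for i, item in enumerate(cfg):
            findings.extend(find_plaintext_secrets(item, f"{path}[{i}]"))
    return findings


def audit_config_text(text):
    """Parse a JSON config string and return the paths holding plaintext secrets."""
    return find_plaintext_secrets(json.loads(text))


def world_readable(file_path):
    """True if the config file is readable by group or others (fails the audit)."""
    mode = os.stat(file_path).st_mode
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


# Constructed sample: one literal key, one already moved to an env var,
# and a skill entry carrying a literal token.
SAMPLE = """{
  "providers": {
    "openai": {"api_key": "sk-EXAMPLE-PLAINTEXT-KEY"},
    "anthropic": {"api_key": "${ANTHROPIC_API_KEY}"}
  },
  "skills": [{"name": "weather", "token": "tok-EXAMPLE"}]
}"""

if __name__ == "__main__":
    for hit in audit_config_text(SAMPLE):
        print("plaintext credential at", hit)
```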




