NC-AUTH-002

No API tokens in workspace files

🟠 High ⚗️ Experimental (not scored)

What this checks

Scans workspace files for exposed API tokens and credentials.

Why it matters

API tokens in workspace files can be accidentally committed to version control or accessed by unauthorized users.

How to fix it

Step 1: Identify which files contain exposed tokens. The audit finding's detail field lists the files and token patterns detected. You can also check manually:

openclaw security audit --json | jq '.findings[] | select(.checkId=="security.secrets.tokens_in_workspace") | .detail'

Step 2: Remove the token from the file. Edit the flagged file and replace the hardcoded value with an environment variable reference or a placeholder comment. For example, in a TOOLS.md or config file:

# Before (insecure)
API_KEY: sk-abc123...

# After (safe)
API_KEY: $MY_API_KEY  # set in environment

Step 3: Set the token as an environment variable. Add it to your shell profile or a .env file that is not inside the workspace:

# In ~/.zshrc or ~/.bash_profile
export MY_API_KEY="sk-abc123..."

Step 4: Rotate the exposed token. Since the token was present in a file (and potentially committed to git), treat it as compromised. Revoke it in the relevant service dashboard and issue a new one. Check your git history too:

git log --all -p | grep -i "sk-\|token\|secret" | head -20

Step 5: Verify. Re-run openclaw security audit --json and confirm that the security.secrets.tokens_in_workspace finding no longer appears.
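As an added example (not part of the openclaw or clawvitals tooling, and not the audit's own implementation), the following Python script shows the kind of scan the steps above describe and why the false-positive note below applies: it walks workspace files, flags values matching the "sk-" style prefix shown on the page, skips environment variable references (the remediated form from Step 2) and obvious placeholders, and applies a length-and-entropy heuristic to generic API_KEY / token / secret assignments. All file names and values in SAMPLE_WORKSPACE are constructed; the MIN_LENGTH and MIN_ENTROPY thresholds and the PLACEHOLDER word list are assumptions, not the audit's actual rules.

```python
"""Constructed workspace-token scanner (added example, not the audit's own code)."""
from __future__ import annotations

import math
import re
from collections import Counter
from dataclasses import dataclass
from pathlib import Path

# Constructed sample workspace: file name -> contents. None of these are real files or keys.
SAMPLE_WORKSPACE = {
    "TOOLS.md": "API_KEY: sk-abc123def456ghi789jkl012mno345pqr\n",  # hardcoded key: flag
    "config.yaml": "API_KEY: $MY_API_KEY  # set in environment\n",  # env reference: safe
    "notes.md": "token: your-token-here\n",                          # placeholder: skip
    "README.md": "SECRET: true\n",                                   # short, word-like: skip
}

# Hypothetical high-confidence pattern for the "sk-" style prefix shown on the page.
KNOWN_PREFIX = re.compile(r"\bsk-[A-Za-z0-9]{20,}\b")
# Generic "<name>: value" / "<name> = value" assignment; the value is group 1.
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)(?:api[_-]?key|token|secret)\b\s*[:=]\s*['\"]?([^\s'\"#]+)"
)
# Shell-style environment variable reference: $NAME or ${NAME}.
ENV_REF = re.compile(r"^\$\{?[A-Za-z_][A-Za-z0-9_]*\}?$")
# Assumed placeholder markers that documentation commonly uses instead of a real value.
PLACEHOLDER = re.compile(r"(?i)placeholder|example|your[-_ ]|changeme|x{4,}|<[^>]+>")

MIN_LENGTH = 16      # assumed: real tokens are rarely shorter than this
MIN_ENTROPY = 3.5    # assumed: bits per character below which a value looks like prose


@dataclass
class Finding:
    line: int    # 1-based line number within the file
    kind: str    # "known_prefix" or "generic_assignment"
    value: str   # the matched token value


def shannon_entropy(s: str) -> float:
    """Bits per character; random tokens score higher than words or repeated characters."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(text: str) -> list[Finding]:
    """Return at most one finding per line that appears to hold a hardcoded token."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = KNOWN_PREFIX.search(line)
        if m:
            findings.append(Finding(lineno, "known_prefix", m.group(0)))
            continue
        m = GENERIC_ASSIGNMENT.search(line)
        if not m:
            continue
        value = m.group(1)
        if ENV_REF.match(value) or PLACEHOLDER.search(value):
            continue  # the remediated form from Step 2, or a documented placeholder
        if len(value) < MIN_LENGTH or shannon_entropy(value) < MIN_ENTROPY:
            continue  # too short or too word-like to be a credential
        # Anything left is a high-entropy value assigned to a secret-sounding name.
        # This heuristic is where the control's false-positive risk comes from.
        findings.append(Finding(lineno, "generic_assignment", value))
    return findings


def scan_workspace(files: dict[str, str]) -> dict[str, list[Finding]]:
    """Scan in-memory file contents; only files with findings appear in the result."""
    return {name: found for name, text in files.items() if (found := scan_text(text))}


def scan_directory(root: str) -> dict[str, list[Finding]]:
    """Walk a real workspace on disk, skipping .git and non-text files."""
    results: dict[str, list[Finding]] = {}
    for path in Path(root).rglob("*"):
        if ".git" in path.parts or not path.is_file():
            continue
        try:
            text = path.read_text(encoding="utf-8")
        except (UnicodeDecodeError, OSError):
            continue  # binary or unreadable; not a workspace text file
        found = scan_text(text)
        if found:
            results[str(path)] = found
    return results


if __name__ == "__main__":
    for name, found in scan_workspace(SAMPLE_WORKSPACE).items():
        for f in found:
            # Report location and kind only; never echo the full token into logs.
            print(f"{name}:{f.line}: {f.kind} -> {f.value[:6]}...")
```

Run against the constructed sample, only TOOLS.md is reported; config.yaml passes because its value is an environment variable reference, which is exactly the state Step 5 expects after remediation. To scan a real checkout, call scan_directory on the workspace path, and treat anything it flags the way Step 4 describes rather than merely deleting the line.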

Technical details

Field              Value
Control ID         NC-AUTH-002
Domain             AUTH
Severity           High
Status             Experimental
Data source        workspace_scan
Source type        derived
Mode               Mode 1 (OpenClaw native)
Introduced in      Library v0.1.0
OWASP LLM 2025     LLM02: Sensitive Information Disclosure

False positive notes

May match non-token strings that look like tokens. Higher false-positive risk than authoritative checks.

Suppress this finding

If this finding is intentional or not applicable to your setup, you can exclude it:

clawvitals exclude NC-AUTH-002 reason "your reason here"

Exclusions are auditable and expire automatically. See the exclusions guide.