
Config migration writes ${ENV_VAR} secrets into openclaw.json (upgrade security risk)

If an OpenClaw upgrade/migration rewrites `${ENV_VAR}` references (like `${TELEGRAM_BOT_TOKEN}`) into plaintext values inside `~/.openclaw/openclaw.json`, rotate the affected tokens and move secrets back to env/.env to prevent accidental leaks.

By CoClaw Team

Symptoms

  • You previously stored secrets in config via env references, for example:
    • "botToken": "${TELEGRAM_BOT_TOKEN}"
  • After upgrading OpenClaw (or after first gateway start on the new version), ~/.openclaw/openclaw.json is modified and the ${...} is replaced with the actual token in plaintext.

Cause

A config migration / config rewrite path can accidentally resolve env references and write the resolved value back to disk.

This is a security risk because:

  • the plaintext secret may be committed to backups/repos by mistake,
  • it can be exposed in screenshots/pastes,
  • it increases blast radius if the machine is compromised.

Fix

1) Treat the secret as compromised and rotate it

Examples:

  • Telegram Bot API: rotate the bot token in @BotFather (revoke / regenerate).
  • Provider API keys (OpenAI/Anthropic/etc): rotate/revoke the key in the provider console.

2) Move the secret back to env / ~/.openclaw/.env

Recommended: store long-lived secrets in the gateway environment file:

printf 'TELEGRAM_BOT_TOKEN=%s\n' 'YOUR_NEW_TOKEN' >> ~/.openclaw/.env

Then edit ~/.openclaw/openclaw.json to restore the placeholder:

channels: {
  telegram: {
    botToken: "${TELEGRAM_BOT_TOKEN}",
  },
}

Restart the gateway:

openclaw gateway restart

3) Reduce accidental exposure

  • Avoid pasting openclaw.json unredacted into GitHub issues or chat.
  • Keep your state directory permissions tight (especially on shared servers).

Verify

  1. Confirm the config contains ${...} placeholders again (not plaintext).
  2. Confirm the gateway still works with the env-loaded secret:
     openclaw channels status --probe telegram
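As an added example (not OpenClaw's own tooling), a small Python audit for step 1: it walks a parsed openclaw.json, reports every secret-bearing key that holds a literal instead of a ${VAR} reference without echoing the value, and rewrites a chosen path back to a placeholder. The key-name pattern and the sample config are assumptions for the example; the real file may be JSON5, so parse it with a JSON5 library if yours uses unquoted keys.

```python
import json
import re

# Constructed sample in the shape of ~/.openclaw/openclaw.json after a bad
# migration; strict JSON here, and the token is a fake value, not a credential.
SAMPLE_CONFIG = json.loads("""{
  "channels": {"telegram": {"botToken": "123456:FAKE-TOKEN-VALUE-FOR-EXAMPLE"}},
  "providers": {"openai": {"apiKey": "${OPENAI_API_KEY}"}}
}""")

# Key names whose values should be env references. This pattern is an
# assumption for the example, not an official OpenClaw schema.
SECRET_KEY_RE = re.compile(r"(token|secret|apikey|api_key|password)$", re.IGNORECASE)
ENV_REF_RE = re.compile(r"^\$\{([A-Za-z_][A-Za-z0-9_]*)\}$")

def audit_secrets(node, path=""):
    """Walk a parsed config and return (json_path, status, detail) for every
    secret-bearing key: status 'placeholder' with the env var name, or
    'plaintext' with only the value's length (the secret is never echoed)."""
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            if isinstance(value, str) and SECRET_KEY_RE.search(key):
                match = ENV_REF_RE.match(value)
                if match:
                    findings.append((child, "placeholder", match.group(1)))
                else:
                    findings.append((child, "plaintext", f"<{len(value)} chars>"))
            else:
                findings.extend(audit_secrets(value, child))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            findings.extend(audit_secrets(value, f"{path}[{i}]"))
    return findings

def restore_placeholders(config, mapping):
    """Return a deep copy of config where each dotted json_path in mapping
    (json_path -> ENV_VAR) is replaced by the "${ENV_VAR}" reference."""
    fixed = json.loads(json.dumps(config))
    for json_path, env_var in mapping.items():
        *parents, leaf = json_path.split(".")
        node = fixed
        for part in parents:
            node = node[part]
        node[leaf] = "${" + env_var + "}"
    return fixed
```

Run audit_secrets on the parsed file before and after editing; a clean result contains only 'placeholder' findings.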

Verification & references

  • Reviewed by: CoClaw Code Team
  • Last reviewed: March 14, 2026
  • Verified on: macOS · Linux · Windows
