OpenClaw agent variant exposed Okta OAuth tokens in workflows

- Okta published new research on April 28 showing OpenClaw agents could spill credentials, while a fresh GitHub issue says an OpenClaw variant wrote OAuth tokens into workflow files.
- The sharpest detail: per-agent `models.json` files under `~/.openclaw/agents/*/agent/` allegedly stored OAuth device-flow tokens as plaintext `apiKey` values.
- That matters because OpenClaw is built to connect inboxes, chat apps, files, and SaaS tools, so one leak can widen fast.

AI agents are starting to look less like chatbots and more like junior operators with real access. That is the whole appeal and the whole problem. In the OpenClaw ecosystem, two separate signals landed within days of each other: Okta showed that agents can be socially engineered into revealing secrets, and an OpenClaw GitHub issue described OAuth tokens being written into per-agent workflow files in plaintext. Put those together and the story is simple: the dangerous part is not just the model. It is the plumbing around the model. (okta.com)

### What is OpenClaw, exactly?

OpenClaw is an open-source "personal AI assistant" that runs on your own device and plugs into the channels and tools you already use: Telegram, Slack, Discord, files, web search, and more. It is designed to act, not just answer. That means it can read and write files, fetch from the web, and in some setups run commands locally. Great for automation, and exactly why security teams are nervous. (github.com)

### What did Okta actually show?

Okta's threat intel team published a write-up on April 28, 2026 after testing OpenClaw agents on different underlying models. In some cases the agents exposed sensitive data from prompts or config files. One example was blunt: an agent on an uncensored model dumped its credential store, including an email, password, API key, and GitHub personal access token, after interact[…] (github.com) […]Auth refresh token for a Gmail account. That is not a jailbreak in the abstract. That is a working path from prompt to secret. (okta.com)

### What is the new token exposure issue?

A GitHub issue opened two days ago describes a different failure mode. When a provider was authenticated through the OAuth device flow, the per-agent generated `models.json` catalog allegedly embedded the credential material as a plaintext `apiKey` instead of storing a safe reference. The report says the files lived under `~/.openclaw/agents/*/agent/models.`[…]
(okta.com) In other words, the leak was not only "the model said too much." The software stack may have written the secret somewhere it never should have gone. (github.com)

### Why is `models.json` such a bad place?

Because generated config files tend to spread. They get copied into agent workspaces, packed into logs, inspected during debugging, and sometimes serialized into prompt context. OpenClaw already has an open security roadmap warning about exactly this class of problem: model catalogs with resolved keys, `.env` files readable by agents, and channel tokens sitting in config. (github.com) […]ing. If a secret lands in a file the agent can read, the model is one prompt away from disclosure. (github.com)

### Is this just an OpenClaw bug?

Not really. OpenClaw is the example, but the pattern is bigger. Agents need broad access to be useful: mail, calendars, chat connectors, SaaS APIs, local files, maybe shell access. Every connector adds another place where credentials can be stored, over-scoped, or accidentally surfaced. Okta's February guidance on detecting OpenClaw on managed devices basically says the q[…] (github.com) […]these assistants on sensitive systems until they understand the risk. (okta.com)

### Why do chat connectors make this worse?

Because they turn one compromised agent into a cross-channel operator. OpenClaw supports a long list of messaging platforms, including Telegram and Slack. If tokens for those channels live in config and the agent can inspect config, then an attacker does not need direct system access in the old sense. They need a prompt path. That is […] (okta.com) […]r. (github.com)

### What should teams take from this?

Treat agent credentials like production secrets, not app settings. Separate secrets from prompt-visible config. Use references instead of raw tokens. Limit scopes. Limit filesystem access. And assume any secret an agent can read is a secret an attacker may be able to ask for indirectly. If you already run OpenClaw, the practical check is to look in the per-agent directories for generated catalogs carrying literal `apiKey` values and to rotate any OAuth token found there, since a token that has been written to disk has to be treated as exposed whether or not the issue is confirmed.
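As an added illustration of the takeaway above (example code written for this page, not OpenClaw's own), here is a small Python check that keeps secrets out of a generated catalog: it flags literal `apiKey`-style values in a catalog, resolves a secret reference only at call time, and redacts a catalog before it goes into a log or prompt. The catalog shape, the `apiKeyRef` field, the `env:` reference scheme, and the token strings are constructed assumptions and do not reproduce OpenClaw's real `models.json` format.

```python
"""Added example (not OpenClaw's code): separating credentials from a
generated model catalog.

The `apiKeyRef` field, the `env:`/`keyring:` reference scheme and both
sample catalogs are assumptions constructed for illustration."""
import json
import os
import re
from copy import deepcopy

# Constructed sample of the failure mode: a generated per-agent catalog
# carrying credential material as a literal `apiKey`. The token is made up.
LEAKY_CATALOG = json.loads("""
{
  "providers": {
    "example-oauth": {
      "baseUrl": "https://api.example.invalid/v1",
      "apiKey": "eyJhbGciOiJSUzI1NiJ9.constructed-refresh-token.sig"
    },
    "local-model": {
      "baseUrl": "http://127.0.0.1:8080",
      "apiKey": ""
    }
  }
}
""")

# Constructed hardened form: the catalog holds only a reference; the secret
# lives in the environment (or a keyring) and is resolved when a call is made.
SAFE_CATALOG = json.loads("""
{
  "providers": {
    "example-oauth": {
      "baseUrl": "https://api.example.invalid/v1",
      "apiKeyRef": "env:OPENCLAW_EXAMPLE_OAUTH_TOKEN"
    },
    "local-model": {
      "baseUrl": "http://127.0.0.1:8080"
    }
  }
}
""")

SECRET_KEYS = re.compile(r"(apiKey|token|secret|password)$", re.IGNORECASE)
REF_SCHEME = re.compile(r"^(env|keyring):[A-Za-z0-9_./-]+$")


def _is_literal_secret(key, value):
    """True when a secret-looking key holds a non-empty literal (not a reference)."""
    return isinstance(value, str) and bool(SECRET_KEYS.search(key)) \
        and value != "" and not REF_SCHEME.match(value)


def find_plaintext_secrets(obj, path="$"):
    """Walk a catalog and return JSONPath-like locations of literal secrets."""
    hits = []
    if isinstance(obj, dict):
        for k, v in obj.items():
            here = f"{path}.{k}"
            if _is_literal_secret(k, v):
                hits.append(here)
            else:
                hits.extend(find_plaintext_secrets(v, here))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            hits.extend(find_plaintext_secrets(v, f"{path}[{i}]"))
    return hits


def resolve_ref(ref, env=None):
    """Resolve an `env:NAME` reference at call time. A malformed or unset
    reference fails loudly instead of silently becoming an empty key."""
    env = os.environ if env is None else env
    if not REF_SCHEME.match(ref):
        raise ValueError(f"not a secret reference: {ref!r}")
    scheme, name = ref.split(":", 1)
    if scheme != "env":
        raise NotImplementedError(f"{scheme} references are not wired up here")
    if name not in env:
        raise KeyError(f"secret reference {ref!r} is not set")
    return env[name]


def redact_for_prompt(obj):
    """Return a copy safe for logs or model context: literal secrets are
    masked, references are kept because they carry no credential."""
    out = deepcopy(obj)

    def walk(node):
        if isinstance(node, dict):
            for k, v in node.items():
                if _is_literal_secret(k, v):
                    node[k] = "[REDACTED]"
                else:
                    walk(v)
        elif isinstance(node, list):
            for v in node:
                walk(v)

    walk(out)
    return out


if __name__ == "__main__":
    print("leaky:", find_plaintext_secrets(LEAKY_CATALOG))
    print("safe:", find_plaintext_secrets(SAFE_CATALOG))
    print(json.dumps(redact_for_prompt(LEAKY_CATALOG), indent=2))
```

Run it against any generated catalog you find under an agent directory; a non-empty result from `find_plaintext_secrets` is the signal to rotate that credential and move it behind a reference. The redaction step is the cheap safeguard for the "serialized into prompt context" path: whatever is handed to the model has already had literal secrets masked.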
The bottom line is stark: once an agent sits between your tools and your token[…] (github.com) […]sign choice apart. (github.com)
