OpenClaw Patched a Secret Leak Where Agent Operators Actually Keep Browser Credentials

One of the more reliable ways to tell whether an agent platform has grown up is to ask a rude question: what counts as a secret now? In 2024, a lot of teams would have answered with the usual suspects, API keys, bearer tokens, passwords, maybe a webhook secret if they were feeling diligent. In 2026, that list is incomplete to the point of being dangerous. Browser control URLs now belong on it too. OpenClaw’s latest fix around browser.cdpUrl is small, but it lands directly on that category shift.

The immediate patch, merged in PR #67738, is almost comically modest. The pull request says the root cause for issue #67656 was that browser.cdpUrl and browser.profiles.*.cdpUrl “were not marked as sensitive URLs, allowing credentials to leak in config responses.” The fix was to add the .cdpUrl suffix to isSensitiveUrlConfigPath. That is the code change. The operational meaning is much bigger.

The underlying issue report is unusually clear, and that clarity makes the story worth paying attention to. The reporter laid out all three existing redaction gates and explained why CDP URLs slipped through every one of them. They were not registered as sensitive in schema, they did not match the usual suffix-based path-name patterns like token or apiKey, and they were absent from the special-case sensitive URL path list. The result, according to the issue, was that config.get could return plaintext browser credentials across all five snapshot surfaces: raw, parsed, sourceConfig, runtimeConfig, and resolved.

That is not a hypothetical edge case. OpenClaw’s own browser docs explicitly warn operators to “treat remote CDP URLs/tokens as secrets.” The docs also spell out exactly why: remote CDP endpoints can carry credentials in query-string form, like https://chrome.browserless.io?token=<secret>, or through HTTP Basic Auth, like https://user:[email protected]. Those URLs are not descriptive metadata. They are bearer material for browser control.

And browser control is not a toy permission. If an agent platform can steer a remote Chromium session, it can often read pages, drive authenticated workflows, observe content behind login, and act with whatever session state that browser already holds. That makes a CDP URL closer in spirit to an access token than to a harmless endpoint string. Treating it like ordinary config is the kind of mistake teams make right before they learn their admin surfaces are broader than they thought.

The deeper problem here is architectural, not just procedural. OpenClaw did not have zero redaction logic. It had several layers. The issue body reads like a miniature audit memo precisely because the reporter shows that the system was already trying to be careful through a mix of schema sensitivity registration, suffix heuristics, and explicit path checks. Yet a high-value credential still fell through. That is what happens when secret classification becomes partly declarative, partly heuristic, and partly special-case. Coverage starts to depend on whether the newest secret happens to look enough like the previous secrets.

That is a bad fit for modern agent platforms, because modern agent platforms are turning into infrastructure aggregators. They now absorb model providers, browser endpoints, MCP servers, webhooks, gateway credentials, remote object stores, managed vector systems, and cloud identity flows. The platform surface grows faster than the old naming conventions. A field called cdpUrl does not end in token, but it can still be one of the most privileged strings in your stack.

There is also a useful second-order lesson in the timing of this patch. Remote browser control has quietly become normal agent plumbing. OpenClaw’s browser documentation is long, detailed, and clearly written for real operators, not dabblers. It describes loopback-only local control, isolated profiles, remote CDP attachment, Browserless support, SSRF-guarded navigation, profile allowlists on node-host browser proxies, and multiple ways to bind or route control. In other words, the browser layer is no longer “nice automation.” It is a core subsystem. Once that happens, every config inspection endpoint, admin API, debug surface, and read-only status path has to treat browser credentials with the same seriousness it already gives model keys and gateway secrets.

That is why this patch matters beyond OpenClaw. The whole agent-tooling ecosystem is drifting toward a world where the most sensitive credentials are not always obviously shaped like credentials. They may be URLs, host descriptors, embedded auth strings, or capability-bearing endpoints. If your secret handling model still depends on developers remembering which fields look secret-y enough to register by hand, you are building a leak lottery.

The practical advice for engineers is not subtle. First, patch if you run OpenClaw and use remote browser profiles, Browserless, or any CDP endpoint with embedded auth. Second, audit who can read config surfaces and what those surfaces actually return, not what you assume they return. Third, stop writing internal security policy that distinguishes between “credentials” and “URLs” as if those are different categories. Increasingly, they are the same category.

There is an even broader platform-design takeaway. Redaction should converge toward one canonical sensitivity model that flows through schemas, storage, resolved config, and every user-facing or API-facing representation. The more a project relies on scattered suffix matching and hand-maintained exception lists, the more inevitable bugs like this become. OpenClaw fixed this one correctly, but the issue body is a warning label for the next one too.

The other half of PR #67738, the Windows Teams OAuth launcher fix, makes the same point in a smaller way. Review comments debated whether explorer.exe or cmd /c start was the safer opener for delegated OAuth flows. That kind of detail work is easy to mock, and exactly the sort of work that decides whether cross-platform auth paths are boring or brittle. Mature platforms sweat details because the details are where operator trust goes to live or die.

OpenClaw did not just fix one redaction bug here. It tripped over a category boundary the rest of the agent ecosystem is about to trip over too. Browser endpoints are now privileged infrastructure. The platforms that internalize that early will look disciplined. The ones that do not will keep discovering new ways to leak power through fields that seemed harmless right up until someone put a token in the URL and called it config.

Sources: OpenClaw PR #67738, OpenClaw issue #67656, OpenClaw browser docs