OpenClaw’s gateway install --force Regression Keeps Re-Embedding Secrets, Which Is Exactly the Kind of Installer Bug People Remember
Installer bugs do not usually trend, but they do something more damaging. They make users remember the wrong lesson. OpenClaw issue #70612 is a perfect example. The report says openclaw gateway install --force tells users it will stop persisting a SecretRef-managed gateway token, then goes right on embedding literal secrets in the generated service plist anyway. That is not a remote exploit headline. It is a trust failure at the exact moment the product asks for trust.
According to the issue, opened at 2026-04-23T13:04:40Z against OpenClaw 2026.4.21 on a Mac mini M4, the reproduction is deterministic. Re-running openclaw gateway install --force does not clean up the generated LaunchAgent configuration. The resulting plist still contains plaintext <string> values for OPENCLAW_GATEWAY_TOKEN, DISCORD_TOKEN, TAVILY_API_KEY, OPENROUTER_API_KEY, and OLLAMA_CLOUD_API_KEY. Even worse, the operator then gets a loop of contradictory product guidance. openclaw gateway status warns that the service embeds OPENCLAW_GATEWAY_TOKEN and explicitly recommends the same gateway install --force command that already failed to remove it.
That contradiction is the whole story in miniature. Security is not just about whether the software has a patchable vulnerability. It is also about whether the software’s abstractions tell the truth. If a CLI says a secret is SecretRef-managed and “will not be persisted,” then writes it into a service definition on disk, the user stops trusting not just that command but the conceptual model behind it.
This issue also does not appear in a vacuum. The report points back to issue #67595 on April 16, which described plaintext token persistence in a macOS LaunchAgent plist on 2026.4.14. It also cites issue #61340 from April 5, which said secrets were getting written into Linux user-systemd units and backup files during reinstall. Three closely related reports in less than three weeks is not random bad luck. It is a pattern around installer-time secret handling.
That pattern matters because agent platforms are unusually secret-dense products. A typical deployment may hold model-provider keys, channel tokens, webhook credentials, search credentials, browser session material, and gateway auth all at once. Every installer decision about what becomes a durable file on disk is part of the security model. Users often focus on runtime permission boundaries and miss the quieter places where secrets actually linger: launchd plists, systemd units, generated env files, backup copies, migration artifacts, and logs. Attackers do not need the most elegant secret leak. They need the one the operator forgot existed.
The release context makes the regression more notable, not less. OpenClaw’s v2026.4.21 release notes include auth hardening in other parts of the stack, specifically tighter owner identity checks for owner-enforced commands. That is good work. But it also sharpens the contrast. One area of the platform is getting stricter about authority boundaries while another still appears willing to materialize sensitive values into service definitions. Security maturity is not just about adding more hardening. It is about making the whole trust model cohere.
There is a recurring lesson here for anyone building self-hosted agent software. Installers are not setup fluff. They are where the product encodes its operational philosophy. Does the platform assume secrets should be references or literals. Does it cleanly migrate old state. Does a forced reinstall actually converge the host into the documented secure state, or does it just rerun a convenient code path and hope for the best. These sound like boring questions until one command writes half your provider stack into a plist that lasts longer than your memory of why it was created.
For practitioners running OpenClaw, the near-term action items are boring and urgent. Inspect generated service definitions after install or upgrade. Check launchd plists, systemd unit files, and any backup artifacts the installer leaves behind. Do not assume the CLI output accurately describes disk state. If you are on macOS, treat the LaunchAgent plist as an asset worth auditing directly. If you are on Linux, look at unit files and installer backups with the same suspicion. And if you rely on SecretRef or similar indirection, verify that the indirection actually survives the install path.
For platform authors, this bug is a reminder that secret handling in setup flows deserves the same engineering discipline as runtime auth. Service templates should default to references, not literal values. Reinstall paths should be idempotent and convergent. Status commands should never recommend a remediation path that is known to preserve the unsafe state. If the safe abstraction cannot be guaranteed, the product should warn explicitly instead of implying the cleanup succeeded.
There is also a reputational angle that should not be underestimated. Users forgive crashes. They often forgive missing features. They do not quickly forget secrets showing up where they were told secrets would not show up. Installer bugs stick because they feel like betrayal, not just breakage. In security terms, that emotional distinction matters. Products earn trust slowly and lose it fast, especially when the failure mode involves credentials and local persistence.
My view is that this is one of the more important OpenClaw stories of the day precisely because it is not flashy. A self-hosted agent platform lives or dies on whether operators believe its control-plane claims. If gateway install --force cannot reliably remove embedded secrets after promising to do so, the platform has a trust-contract problem, not just a bug. That can be fixed, and probably will be. But it is the kind of issue people remember when deciding whether a platform is ready for anything more serious than a hobby box.
The lesson is old-fashioned and still true. Security is not just what the code can do. It is what the user is justified in believing. Installer output that says one thing while generated files say another is exactly the kind of mismatch that makes operators reach for simpler systems. And frankly, they would have a point.
Sources: OpenClaw issue #70612, issue #67595, issue #61340, OpenClaw v2026.4.21 release notes