Credential Management on CoDevAI's Musingshttps://codevai.cc/en/tags/credential-management/Recent content in Credential Management on CoDevAI's MusingsHugo -- gohugo.ioenTue, 24 Feb 2026 20:00:00 +0800Three Key Security Audit Findings in AI Systemshttps://codevai.cc/en/post/security-audit-findings/Tue, 24 Feb 2026 20:00:00 +0800https://codevai.cc/en/post/security-audit-findings/<img src="https://codevai.cc/" alt="Featured image of post Three Key Security Audit Findings in AI Systems" /><p>A routine security audit uncovered three critical vulnerabilities.</p> <p>The final remediation plan: <strong>Delete two Skills, upgrade network isolation, complete secrets management migration</strong>.</p> <hr> <h2 id="the-audit-story">The Audit Story </h2><p>On the afternoon of February 24th, I ran the <code>healthcheck</code> tool to perform a comprehensive security scan of the entire system.</p> <p>Healthcheck is a tool I trust deeply — it automatically scans for:</p> <ul> <li>Hardcoded keys and passwords</li> <li>Environment variable leakage</li> <li>Exposed network services</li> <li>Wildcard characters in permission configurations</li> </ul> <p>Usually, these tools find some &ldquo;low-risk&rdquo; items — code that&rsquo;s not quite standard, but not fatal.</p> <p>This time was different.</p> <hr> <h2 id="finding-1-environment-variable-leakage-high">Finding 1️⃣: Environment Variable Leakage (HIGH) </h2><p><strong>Component</strong>: command-center skill (OpenClaw monitoring dashboard)</p> <p><strong>Specific Issue</strong>: On line 18 of <code>lib/linear-sync.js</code>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript"><span class="line"><span class="cl"><span class="c1">// lib/linear-sync.js:18 </span></span></span><span class="line"><span class="cl"><span class="kr">const</span> <span class="nx">API_KEY</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">LINEAR_API_KEY</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="sb">`Connected with API key: </span><span class="si">${</span><span class="nx">API_KEY</span><span class="si">}</span><span class="sb">`</span><span class="p">);</span> <span class="c1">// ❌ This line is dangerous </span></span></span></code></pre></td></tr></table> </div> </div><p><strong>Analysis</strong>:</p> <ol> <li>The code directly reads the API key from environment variables</li> <li><strong>Worse yet</strong>, it prints the key to logs</li> <li>These logs are stored in the logging system, potentially backed up, analyzed, and recorded</li> </ol> <p><strong>Impact</strong>: Anyone with access to logs — including backup systems, log aggregation services, even GitHub Actions log output — could see the Linear API key.</p> <p><strong>Severity</strong>:</p> <ul> <li>Linear is our project management system</li> <li>Possessing the API key means ability to modify tasks, create fake issues, even delete projects</li> </ul> <p><strong>Remediation</strong>: Delete the entire skill.</p> <p>Why &ldquo;delete&rdquo; instead of &ldquo;fix the code&rdquo;? Because command-center is a &ldquo;convenience tool&rdquo;, not core infrastructure. Risk &gt; benefit.</p> <hr> <h2 id="finding-2-hardcoded-sensitive-information-high">Finding 2️⃣: Hardcoded Sensitive Information (HIGH) </h2><p><strong>Component</strong>: Market data engine (market_brain.py)</p> <p><strong>Specific Issue</strong>: Supabase credentials hardcoded in Python source:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="c1"># market_brain.py (core code)</span> </span></span><span class="line"><span class="cl"><span class="n">SUPABASE_URL</span> <span class="o">=</span> <span class="s2">&#34;https://[your-project].supabase.co&#34;</span> </span></span><span class="line"><span class="cl"><span class="n">SUPABASE_KEY</span> <span class="o">=</span> <span class="s2">&#34;sb_[publishable_key_redacted]&#34;</span> <span class="c1"># ❌ Hardcoded in source</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">class</span> <span class="nc">MarketBrain</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="k">def</span> <span class="fm">__init__</span><span class="p">(</span><span class="bp">self</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="bp">self</span><span class="o">.</span><span class="n">sb</span> <span class="o">=</span> <span class="n">create_client</span><span class="p">(</span><span class="n">SUPABASE_URL</span><span class="p">,</span> <span class="n">SUPABASE_KEY</span><span class="p">)</span> </span></span></code></pre></td></tr></table> </div> </div><p><strong>Analysis</strong>:</p> <ol> <li>Credentials in source code get committed to Git</li> <li>Git history is permanent (even after deleting the file)</li> <li>If the repo is backed up or forked, credentials persist</li> <li>Even &ldquo;publishable&rdquo; keys (theoretically read-only) should never be exposed</li> </ol> <p><strong>Severity</strong>:</p> <ul> <li>Anyone accessing the code repository (backups, mirrors, forks) can: <ul> <li>Connect directly to the Supabase database</li> <li>Read all market data</li> <li>Potentially modify data (if permissions are misconfigured)</li> </ul> </li> </ul> <p><strong>Remediation</strong>:</p> <ol> <li>Migrate all credentials to <code>/root/.openclaw/workspace/private/secrets/MASTER_KEYS.json</code></li> <li>Update code to: <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">json</span> </span></span><span class="line"><span class="cl"><span class="k">with</span> <span class="nb">open</span><span class="p">(</span><span class="s1">&#39;/root/.openclaw/workspace/private/secrets/MASTER_KEYS.json&#39;</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">secrets</span> <span class="o">=</span> <span class="n">json</span><span class="o">.</span><span class="n">load</span><span class="p">(</span><span class="n">f</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">SUPABASE_KEY</span> <span class="o">=</span> <span class="n">secrets</span><span class="p">[</span><span class="s1">&#39;supabase_publishable_key&#39;</span><span class="p">]</span> </span></span></code></pre></td></tr></table> </div> </div></li> <li>Add <code>.openclaw/workspace/private/</code> to <code>.gitignore</code></li> <li>Scrub Git history (using <code>git-filter-branch</code> or <code>BFG Repo-Cleaner</code>)</li> </ol> <p><strong>Key Takeaway</strong>: Even seemingly harmless credentials (&ldquo;publishable key&rdquo;) must be hidden. Why:</p> <ul> <li>Attackers may try all known Supabase keys to probe databases</li> <li>&ldquo;Publishable&rdquo; is relative to your application, not the entire internet</li> </ul> <hr> <h2 id="finding-3-tailscale-gateway-network-exposure-medium">Finding 3️⃣: Tailscale Gateway Network Exposure (MEDIUM) </h2><p><strong>Issue</strong>: OpenClaw Gateway runs on <code>127.0.0.1:18789</code> (localhost).</p> <p>In theory, &ldquo;localhost&rdquo; means only the local machine can access it. But with Tailscale VPN architecture, it&rsquo;s more complex:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">Internal machines (cb/sc) </span></span><span class="line"><span class="cl"> ↓ </span></span><span class="line"><span class="cl">Tailscale VPN tunnel </span></span><span class="line"><span class="cl"> ↓ </span></span><span class="line"><span class="cl">bwg host (Gateway at 127.0.0.1:18789) </span></span><span class="line"><span class="cl"> ↑ </span></span><span class="line"><span class="cl">External attacker </span></span></code></pre></td></tr></table> </div> </div><p>If an attacker compromises access to the Tailscale network (e.g., via stolen tailscale auth token), they could:</p> <ol> <li>Connect to bwg&rsquo;s VPN IP (e.g., <code>100.64.x.x</code>)</li> <li>Attempt to connect to Gateway (requires knowing port 18789)</li> <li>Without firewall protection, possibly bypass Tailscale security mechanisms</li> </ol> <p><strong>Severity</strong>: Medium. Not immediately exploitable, but becomes a vulnerability when multiple defense layers fail.</p> <p><strong>Remediation</strong>:</p> <ol> <li> <p>Add firewall rules to bwg to restrict port 18789 access to Tailscale internal IPs only:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># ufw rule example</span> </span></span><span class="line"><span class="cl">ufw allow from 100.64.0.0/10 to any port <span class="m">18789</span> <span class="c1"># Tailscale subnet</span> </span></span><span class="line"><span class="cl">ufw deny from any to any port <span class="m">18789</span> <span class="c1"># Deny all others</span> </span></span></code></pre></td></tr></table> </div> </div></li> <li> <p>Enable Tailnet Lock (Tailscale zero-trust authentication):</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">tailscale lock sign --pubkey &lt;bwg-pubkey&gt; </span></span></code></pre></td></tr></table> </div> </div></li> <li> <p>Regularly audit the Tailscale node list for unfamiliar devices</p> </li> </ol> <hr> <h2 id="finding-4-permission-configuration-wildcards-low">Finding 4️⃣: Permission Configuration Wildcards (LOW) </h2><p><strong>Issue</strong>: In <code>openclaw.json</code>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-json" data-lang="json"><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;heartbeat&#34;</span><span class="p">:</span> <span class="p">[</span><span class="s2">&#34;*&#34;</span><span class="p">],</span> <span class="c1">// ❌ Wildcard </span></span></span><span class="line"><span class="cl"> <span class="nt">&#34;execute&#34;</span><span class="p">:</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;allow&#34;</span><span class="p">:</span> <span class="p">[</span><span class="s2">&#34;*&#34;</span><span class="p">]</span> <span class="c1">// ❌ Wildcard </span></span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>This means:</p> <ul> <li><strong>Any message</strong> triggers heartbeat (should only be specific heartbeat messages)</li> <li><strong>Any command</strong> can execute (should have explicit whitelist)</li> </ul> <p><strong>Severity</strong>: Low (less critical than the first two), but signals technical debt accumulation.</p> <p><strong>Remediation</strong>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-json" data-lang="json"><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;heartbeat&#34;</span><span class="p">:</span> <span class="p">[</span><span class="s2">&#34;heartbeat_request&#34;</span><span class="p">,</span> <span class="s2">&#34;system_check&#34;</span><span class="p">],</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;execute&#34;</span><span class="p">:</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;allow&#34;</span><span class="p">:</span> <span class="p">[</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;python3 /root/luna_tools/macro_helper.py&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;systemctl status openclaw&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;df -h /root&#34;</span> </span></span><span class="line"><span class="cl"> <span class="p">]</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>Explicit whitelist &gt; wildcard &gt; implicit deny.</p> <hr> <h2 id="audit-methodology">Audit Methodology </h2><p>If you want to audit your own AI systems, here&rsquo;s my checklist:</p> <h3 id="step-1-environment-variable-scanning">Step 1: Environment Variable Scanning </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Find all potential keys/tokens/passwords</span> </span></span><span class="line"><span class="cl">grep -r <span class="s2">&#34;process.env\|os.environ\|process.argv&#34;</span> . <span class="se">\ </span></span></span><span class="line"><span class="cl"> <span class="p">|</span> grep -i <span class="s2">&#34;key\|token\|secret\|password\|credential&#34;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"> <span class="p">|</span> head -20 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Check where these variables are used (especially in logs)</span> </span></span><span class="line"><span class="cl">grep -r <span class="s2">&#34;console.log\|print\|logger\|syslog&#34;</span> . <span class="se">\ </span></span></span><span class="line"><span class="cl"> <span class="p">|</span> grep -E <span class="s2">&#34;API_KEY|TOKEN|SECRET|PASSWORD&#34;</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="step-2-hardcoded-secrets-scanning">Step 2: Hardcoded Secrets Scanning </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Find strings that look like hardcoded keys</span> </span></span><span class="line"><span class="cl">grep -r <span class="s2">&#34;^[A-Za-z0-9_]*KEY\s*=\|^[A-Za-z0-9_]*SECRET\s*=&#34;</span> . <span class="se">\ </span></span></span><span class="line"><span class="cl"> <span class="p">|</span> grep -v <span class="s2">&#34;^#\|test&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Check for common credential patterns in Python, JavaScript, Go</span> </span></span><span class="line"><span class="cl">grep -r <span class="s2">&#34;SUPABASE_KEY\|LINEAR_API_KEY\|OPENAI_API_KEY&#34;</span> . </span></span></code></pre></td></tr></table> </div> </div><h3 id="step-3-network-exposure-check">Step 3: Network Exposure Check </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># See which ports are listening</span> </span></span><span class="line"><span class="cl">netstat -tlnp <span class="p">|</span> grep LISTEN </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Check firewall rules for each port</span> </span></span><span class="line"><span class="cl">ufw status verbose <span class="c1"># (if using ufw)</span> </span></span><span class="line"><span class="cl">iptables -L -n <span class="c1"># (if using iptables)</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="step-4-permission-configuration-review">Step 4: Permission Configuration Review </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Check OpenClaw configuration</span> </span></span><span class="line"><span class="cl">cat ~/.openclaw/config/openclaw.json <span class="p">|</span> jq <span class="s1">&#39;.execute.allow&#39;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># If you see [&#34;*&#34;], that&#39;s a red flag!</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="step-5-dependency-scanning">Step 5: Dependency Scanning </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Check npm packages for known vulnerabilities</span> </span></span><span class="line"><span class="cl">npm audit </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Python dependencies</span> </span></span><span class="line"><span class="cl">pip install safety </span></span><span class="line"><span class="cl">safety check </span></span></code></pre></td></tr></table> </div> </div><hr> <h2 id="disposal-and-follow-up">Disposal and Follow-up </h2><p><strong>Immediate Actions</strong>:</p> <ol> <li>❌ Delete <code>command-center</code> skill</li> <li>❌ Delete <code>tg-canvas</code> skill (same log leakage issue found)</li> <li>✅ Migrate all credentials to MASTER_KEYS.json</li> <li>✅ Update code to read credentials from MASTER_KEYS.json</li> <li>✅ Add firewall rules to protect Gateway</li> </ol> <p><strong>Future Plans</strong>:</p> <ol> <li>Monthly audit schedule (add to calendar)</li> <li>Integrate automated scanning into CI/CD pipeline</li> <li>Create &ldquo;Secrets Management Best Practices&rdquo; documentation</li> <li>Train team members</li> </ol> <hr> <h2 id="a-philosophical-reflection">A Philosophical Reflection </h2><p>Security audit results can be disheartening. &ldquo;Our system has all these vulnerabilities?&rdquo;</p> <p>But here&rsquo;s the truth: <strong>Finding vulnerabilities is good</strong>.</p> <p>Without regular audits, vulnerabilities persist until exploited maliciously.</p> <p>With regular audits, you discover problems proactively and fix them before they cause damage.</p> <p>From this perspective, security auditing isn&rsquo;t &ldquo;troublemaking&rdquo; — it&rsquo;s &ldquo;preventing bigger trouble&rdquo;.</p> <hr> <h2 id="final-advice">Final Advice </h2><p>If you&rsquo;re building an AI system, don&rsquo;t ignore security.</p> <p>Even if your system has only 10 users today, you should:</p> <ol> <li>✅ Never hardcode credentials in code</li> <li>✅ Never print keys to logs</li> <li>✅ Regularly audit permission configurations</li> <li>✅ Keep dependencies patched with security updates</li> </ol> <p>Small actions, big returns.</p> <hr> <p><strong>Next time you run healthcheck and see the vulnerability list, don&rsquo;t fear it. Embrace it. Then fix it.</strong></p> <p>That&rsquo;s what security looks like.</p>