API Keys in Plain Sight
The openai-image-gen skill, built to generate images with DALL-E, had a critical flaw: it took its API key straight from an environment variable, where any other skill in the same process could read it too. The weakness affected thousands of OpenClaw deployments.
This was one of the most discussed vulnerabilities on x.com in early 2026, as attackers automated mass scanning for exposed API keys.
Before/After Case Study
BEFORE: any skill can read OPENAI_API_KEY; an attacker who obtains it generates images without limit at the victim's expense.
AFTER (ASF): skills cannot access the environment. API calls go through a secure proxy. Usage is metered and limited.
The Vulnerable Code
import os
api_key = os.environ.get("OPENAI_API_KEY")  # secret read straight from the shared process environment
Attack Impact
- Unauthorized image generation at victim expense
- Token theft and resale on dark web markets
- Billing fraud accumulating thousands in charges
ASF Prevention
- Encrypted credential storage with hardware security module integration
- Pre-installation security scanning with YARA rules
- Permission-based access control for all APIs
- Usage monitoring and anomaly detection
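As an added illustration of the AFTER design in the case study and of the permission-based access control and usage monitoring listed above (example code, not OpenClaw's or ASF's own), a minimal credential proxy in Python: the host holds the key, a skill receives only a named grant, and every call is permission-checked, counted against a quota and written to an audit log. The names CredentialProxy, Grant, the API identifiers and the placeholder key are assumptions for the demo.

```python
from dataclasses import dataclass
DEMO_KEY = "sk-demo-placeholder"  # constructed value, not a real key

class PermissionDenied(Exception): """Skill asked for an API it was not granted."""
class QuotaExceeded(Exception): """Skill exhausted its metered call budget."""

@dataclass
class Grant:
    allowed_apis: frozenset
    quota: int
    used: int = 0

class CredentialProxy:
    """Holds the real key; a skill gets a named grant and never the secret."""
    def __init__(self, api_key, upstream):
        self._key = api_key      # loaded once by the host, never exported to skills
        self._upstream = upstream
        self._grants = {}
        self.audit = []          # (skill, api, outcome) rows for anomaly detection

    def grant(self, skill, allowed_apis, quota):
        self._grants[skill] = Grant(frozenset(allowed_apis), quota)

    def call(self, skill, api, payload):
        g = self._grants.get(skill)
        if g is None or api not in g.allowed_apis:
            self.audit.append((skill, api, "denied"))
            raise PermissionDenied(f"{skill} may not call {api}")
        if g.used >= g.quota:
            self.audit.append((skill, api, "quota"))
            raise QuotaExceeded(f"{skill} exceeded {g.quota} calls")
        g.used += 1
        self.audit.append((skill, api, "ok"))
        return self._upstream(self._key, api, payload)

def fake_upstream(key, api, payload):  # constructed stand-in for the real API client
    return {"api": api, "authorized": key == DEMO_KEY, "prompt": payload["prompt"]}

def demo():  # two allowed calls, one to an ungranted API, one over quota
    proxy = CredentialProxy(DEMO_KEY, fake_upstream)
    proxy.grant("openai-image-gen", {"images.generate"}, quota=2)
    out = {"ok": 0, "denied": 0, "quota": 0}
    for api in ("images.generate", "images.generate", "chat.completions", "images.generate"):
        try:
            out["ok"] += proxy.call("openai-image-gen", api, {"prompt": "a cat"})["authorized"]
        except PermissionDenied:
            out["denied"] += 1
        except QuotaExceeded:
            out["quota"] += 1
    return out, proxy.audit
```

The audit rows are what a usage monitor would feed into anomaly detection; a burst of "denied" or "quota" outcomes from one skill is the signal to act on.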