Missing User Warnings
Medium
- Confidence: 96%
- Finding: The documentation explicitly instructs users to store API credentials in plaintext within `~/.openclaw/openclaw.json` and to pass secrets on the command line. Both practices can expose credentials through filesystem access, backups, shell history, process listings, and logging, which can lead to unauthorized access to the SeeSaw account or API actions. In this skill context, the risk is heightened because these are live service credentials and the document presents the insecure handling as the normal setup flow without any warning or safer alternative.
