Missing User Warnings
Medium
- Confidence
- 87% confidence
- Finding
- The onboarding flow states that a new API key is generated and written to ~/.openclaw/.env, but it does not prominently warn the user that credentials will be stored locally on disk. This can lead users to unknowingly persist a sensitive token in a file that may be backed up, synced, or readable by other local processes, increasing the chance of credential disclosure.
