OpenClaw Secret File Validator
Check your OpenClaw credential files for symlink vulnerabilities, hardlinks, and permission issues. Paste ls -la output for instant security analysis across Telegram, IRC, LINE, Zalo, and Nextcloud Talk channels. Based on OpenClaw PRs #84711 and #84713 merged May 20, 2026.
What the Secret File Validator Catches
Validates against the real @openclaw/fs-safe@0.2.7 security contract restored in PR #84711 and expanded in PR #84713.
Symlink Detection
Catches symbolic links that bypass credential isolation. After PR #84711, OpenClaw throws FsSafeError at startup instead of silently treating symlinked credentials as "not configured".
Hardlink Detection
Identifies files with link count > 1. Hardlinked credential files let another path modify the secret without going through the validated path — @openclaw/fs-safe rejects them.
File Type Validation
Ensures credential paths are regular files. Directories, block devices, character devices, pipes, and sockets all trigger FsSafeError on read.
Permission Audit
Flags world-readable and group-readable credential files. Credentials should be owner-only (600) to prevent local privilege escalation.
Multi-Channel Coverage
Validates across all five channels affected by PR #84711: Telegram (channel + account tokens), IRC (server + NickServ passwords), LINE, Zalo, and Nextcloud Talk.
Batch ls -la Parser
Paste raw ls -la output for instant batch analysis. The parser extracts permissions, link counts, file types, sizes, and symlink targets automatically.
Validate Your Credential Files
Paste your ls -la output or add file paths manually. All checks run locally in your browser — nothing is sent to any server.
Paste ls -la Output
Run ls -la /etc/openclaw/secrets/ (or wherever your credential files live) and paste the output below. The validator checks each file for symlinks, hardlinks, permissions, and file type issues.
ls -la /etc/openclaw/secrets/What @openclaw/fs-safe Validates
After PR #84711 (May 20, 2026), OpenClaw's tryReadSecretFileSync re-exports directly from @openclaw/fs-safe/secret, restoring strict validation:
Symbolic links
RejectedThrows FsSafeError("must not be a symlink"). Symlinks could point to files outside the approved directory.
Hard links (nlink > 1)
RejectedThrows FsSafeError. Another path could modify the credential without going through validation.
Non-regular files
RejectedDirectories, block/char devices, pipes, and sockets all throw FsSafeError.
Oversized files
RejectedFiles exceeding the size limit throw FsSafeError to prevent resource exhaustion.
Missing / not found
UndefinedReturns undefined — channel appears as "not configured" and skips gracefully.
Blank / empty files
UndefinedReturns undefined — same as missing. The channel won't start but won't error.
Frequently Asked Questions
What does the Secret File Validator check?
It validates credential files used by OpenClaw channel integrations against the same security rules enforced by @openclaw/fs-safe@0.2.7. It checks for symbolic links, hard links (link count > 1), non-regular file types (directories, devices, pipes), file permissions (world/group readable), empty files, oversized files, and path-level issues like traversal sequences and temp directories. You can either paste ls -la output for full file-level analysis, or enter paths manually for structural checks.
Why does OpenClaw reject symlinked credential files?
Symbolic links can point to files outside the intended secrets directory, breaking credential isolation. Before PR #84711 (May 20, 2026), a catch-all error handler silently swallowed the FsSafeError, treating symlinked credentials as "not configured" rather than failing. This meant channels would silently not start, hiding a potential security misconfiguration. The fix re-exports tryReadSecretFileSync directly from @openclaw/fs-safe, restoring the upstream security contract: returns undefined for missing files, throws FsSafeError for symlinks/hardlinks/non-regular files.
Which channels are affected?
Five channel integrations use tryReadSecretFileSync for credential files: Telegram (bot token file + account-level token file, per PR #84713), IRC (server password file + NickServ password file, per PR #84713), LINE (channel secret + access token files), Zalo (OA token file), and Nextcloud Talk (app password file). All five now throw explicit FsSafeError at startup if a credential file is a symlink, hardlink, or non-regular file.
How do I fix a symlinked credential file?
Replace the symlink with a regular file containing the credential: rm /path/to/symlink && cp /path/to/actual/credential /path/to/symlink && chmod 600 /path/to/symlink. The cp command creates a new regular file (not a link), and chmod 600 restricts access to the file owner only. For hardlinks, use the same approach — copy the file to break the link, then delete the extra link.
What is FsSafeError?
FsSafeError is the error class thrown by @openclaw/fs-safe when a file operation violates security constraints. It includes a descriptive message like "must not be a symlink" or "must be a regular file". Before PR #84711, these errors were caught and swallowed, returning undefined instead. Now they propagate to the caller, appearing as explicit startup-time error messages that tell operators exactly what's wrong.
Is my data sent to any server?
No. All validation runs entirely in your browser using client-side JavaScript. Your ls -la output, file paths, and credential information never leave your machine — there are no API calls, no server-side processing, and no data collection. You can verify this in your browser's network tab.