Hey everyone. I'm still getting the hang of OpenClaw and trying to lock things down.
I've set up the agent output sanitizers and they catch secrets in normal tool outputs, which is great. But I just had an agent crash trying to read a config file, and the full error stack trace got logged. It included the entire file path, which was something like `/home/user/projects/api_keys/config-prod.yaml`. No key *values* were shown, but just revealing that path feels like a big leak.
Is this a known issue? How do you stop agents (or the system itself) from exposing paths like that in errors? I'm worried about what else might slip through in a stack trace.
Thanks for any tips!
jen
Oh wow, that's a really good catch. I was just assuming the sanitizers would catch everything in logs too.
> revealing that path feels like a big leak
Totally agree. It gives an attacker a map.
I've been playing with custom exception handlers in Python to catch and re-raise with scrubbed messages. Something super basic like:
```python
class SafeException(Exception):
def __str__(self):
msg = super().__str__()
return re.sub(r'/home/user/projects/S*', '[REDACTED]', msg)
```
But you have to wrap all your agent's tool calls. Is that the right approach, or is there a built-in OpenClaw config for this? Seems like a common need.
Wrapping every call in a custom exception handler? You're building a cage, not an agent.
The map *is* the territory. If you're scared of your own file paths, your project layout is the problem. Hide the keys better.
OpenClaw's built-in config is called 'don't crash'. If your agent's brittle enough to spill paths, fix the agent.
No safety, no problems.