OpenClaw Skills Status Vulnerability in Discord Integration Allows Secret Disclosure
Vulnerability
A vulnerability in OpenClaw's personal AI assistant, specifically in versions prior to 2026.2.14, allowed the `skills.status` feature to inadvertently disclose sensitive information to clients with `operator.read` access. This occurred by including unredacted configuration values in the `configChecks` for skills that required broad configuration paths, such as Discord channels. As a result, secrets like Discord bot tokens could be exposed. The issue has been addressed in version 2026.2.14, which removes the sensitive data from the `skills.status` checks and tightens the Discord token requirement.
Impact
The vulnerability could lead to unauthorized access to sensitive configuration values, including Discord bot tokens, for clients with `operator.read` access.
Reproduction
The vulnerability can be reproduced by calling the `skills.status` method with `operator.read` permissions in a version of OpenClaw prior to 2026.2.14. This will return a report that includes raw config values for any `requires.config` paths, potentially disclosing secrets like Discord tokens if the Discord skill is included.
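As an added illustration (not OpenClaw's code), the pattern described in the Vulnerability and Reproduction sections reduced to a small JavaScript model: a status builder that copies raw values into `configChecks` beside one that reports only whether each required path is set. The function names, the skill-manifest shape, the config layout, the sample token and the narrowing of the Discord requirement to the token key are all assumptions.

```javascript
// Constructed sample config. The Discord token sits under the broad
// "channels.discord" path, which is the whole object the skill required.
const sampleConfig = {
  channels: {
    discord: { token: "EXAMPLE-TOKEN-not-real", guildId: "123" },
  },
};

// Hypothetical skill manifests; `requires.config` mirrors the advisory's term.
const skillsBroad = [{ name: "discord", requires: { config: ["channels.discord"] } }];
// Assumed "tightened" requirement: only the token key, not the whole object.
const skillsTightened = [{ name: "discord", requires: { config: ["channels.discord.token"] } }];

// Resolve a dotted path against the config object; undefined when missing.
function lookupPath(config, path) {
  return path.split(".").reduce((o, k) => (o == null ? undefined : o[k]), config);
}

// Vulnerable shape: every configCheck carries the resolved value, so a caller
// with only operator.read receives the Discord token (and siblings) verbatim.
function skillsStatusVulnerable(config, skillList) {
  return skillList.map((s) => ({
    name: s.name,
    configChecks: s.requires.config.map((path) => ({
      path,
      value: lookupPath(config, path),
      satisfied: lookupPath(config, path) !== undefined,
    })),
  }));
}

// Hardened shape: report presence only; the value never leaves the gateway.
function skillsStatusHardened(config, skillList) {
  return skillList.map((s) => ({
    name: s.name,
    configChecks: s.requires.config.map((path) => ({
      path,
      satisfied: lookupPath(config, path) !== undefined,
    })),
  }));
}

// Regression check a maintainer can run over any status report: true if any
// configCheck still carries a `value` field.
function leaksValues(report) {
  return report.some((s) => s.configChecks.some((c) => "value" in c));
}
```

Serialising the vulnerable report and searching it for the token string is the quickest way to confirm the leak in a test suite, and `leaksValues` catches the field reappearing in a future refactor.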
Remediation
Users should upgrade to OpenClaw version 2026.2.14 or later and rotate any Discord tokens that may have been exposed to clients with read access.