From ca7b47e68318953cde6dd22fb8917f3c59a184b7 Mon Sep 17 00:00:00 2001 From: orion Date: Thu, 16 Apr 2026 14:33:01 +0000 Subject: [PATCH] fix: avoid clobbering sensitive config fields in install/uninstall openclaw config get returns redacted values for sensitive fields (apiKey, token, etc). Reading a parent object and writing it back overwrites real secrets with the __OPENCLAW_REDACTED__ sentinel. - install step 5: set only the dirigent provider instead of all providers - uninstall step 2: set only plugins.load.paths instead of entire plugins tree --- scripts/install.mjs | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/scripts/install.mjs b/scripts/install.mjs index 857702b..02532a2 100755 --- a/scripts/install.mjs +++ b/scripts/install.mjs @@ -197,12 +197,10 @@ if (mode === "install") { ok("plugin configured"); step(5, 7, "configure no-reply provider"); - const providers = getJson("models.providers") || {}; - providers[NO_REPLY_PROVIDER_ID] = { + setJson(`models.providers.${NO_REPLY_PROVIDER_ID}`, { baseUrl: NO_REPLY_BASE_URL, apiKey: NO_REPLY_API_KEY, api: "openai-completions", models: [{ id: NO_REPLY_MODEL_ID, name: `${NO_REPLY_MODEL_ID} (Custom Provider)`, reasoning: false, input: ["text"], cost: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 }, contextWindow: 200000, maxTokens: 8192 }], - }; - setJson("models.providers", providers); + }); ok("provider configured"); step(6, 7, "add no-reply model to allowlist"); 
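Review bot: Nothing in the new step 5 code records why the provider is written by its own path rather than by read-modify-write on `models.providers`, so a later refactor could bring the secret-clobbering back. A short comment above the call would cover it, e.g. `// write only this provider: config get returns redacted secrets, so never write a parent object back`. The path is now built by interpolating `NO_REPLY_PROVIDER_ID` into a dotted key, which the removed bracket assignment did not depend on. If that id could ever contain a `.`, the write would presumably land on a nested key instead of the provider entry, so it is worth confirming at its definition, which is outside this hunk. As defence in depth, `setJson` (also outside the hunk) could refuse any value whose serialized form contains `__OPENCLAW_REDACTED__`.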
@@ -229,10 +227,8 @@ if (mode === "uninstall") { ok("removed plugin entry"); step(2, 4, "remove plugin load path"); - const plugins = getJson("plugins") || {}; - const paths = Array.isArray(plugins?.load?.paths) ? plugins.load.paths : []; - plugins.load = plugins.load || {}; plugins.load.paths = paths.filter((p) => p !== PLUGIN_INSTALL_DIR); - setJson("plugins", plugins); + const paths = getJson("plugins.load.paths") || []; + setJson("plugins.load.paths", paths.filter((p) => p !== PLUGIN_INSTALL_DIR)); ok("removed load path"); step(3, 4, "remove installed files");
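Review bot: The rewritten load-path step drops the `Array.isArray` check that the removed code had. A `plugins.load.paths` value that is truthy but not an array (a string from a hand-edited config, say) now throws on `.filter` and aborts the uninstall after step 1 has already removed the plugin entry. Keeping the guard costs two lines: `const raw = getJson("plugins.load.paths");` and `const paths = Array.isArray(raw) ? raw : [];`. It is also worth confirming that `getJson`, defined outside this hunk, returns a nullish value rather than throwing when the key is missing, because the old code read the top-level `plugins` object and the new code reads a nested path that may be absent.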