#9440: fix(security): warn users when gateway token appears in URLs
Labels: cli, commands, stale
Cluster: UI Enhancements and Security Fixes
## Problem
The OpenClaw gateway passes authentication tokens as URL query parameters (`?token=...`) in the dashboard command, onboarding wizard, and SSH tunnel hints. While tokens are stripped from URLs after loading, they remain exposed in:
- Console output
- Clipboard
- Server access logs
- HTTP Referer headers
This is a security concern (CVSS 8.2) documented in issue #9435.
## Solution
Add security warnings to CLI output whenever URLs with authentication tokens are generated.
## Changes
### src/commands/dashboard.ts
- Added warning message when token is present in dashboard URL
### src/wizard/onboarding.finalize.ts
- Added security note when token is present in onboarding URL
### src/commands/onboard-helpers.ts
- Added warning when SSH tunnel hint URL contains token
Fixes #9435
## Greptile Overview
### Greptile Summary
This PR adds user-facing security warnings when the CLI prints gateway Control UI URLs containing an authentication token in the query string, covering the `dashboard` command, onboarding wizard completion output, and the SSH tunnel hint text. It also updates `withTimeout` to treat AbortError as non-fatal (returning the fallback instead of crashing) and adds Vitest coverage for that behavior.
The changes fit into existing CLI/onboarding output paths by piggybacking on `resolveControlUiLinks()` URL generation and the shared `formatControlUiSshHint()` helper, ensuring warnings show up consistently across the main “open dashboard” surfaces.
### Confidence Score: 4/5
- This PR is close to safe to merge, with one output-formatting issue to address.
- Changes are small and localized, and the new warning logic is straightforward. The main concern is unconditionally adding chalk-colored strings into copy/pasteable hints and non-TTY logs, which will introduce raw ANSI escape sequences in some environments.
- src/commands/onboard-helpers.ts (and other chalk warning call sites)
**Context used:**
- Context from `dashboard` - CLAUDE.md ([source](https://app.greptile.com/review/custom-context?memory=fd949e91-5c3a-4ab5-90a1-cbe184fd6ce8))
- Context from `dashboard` - AGENTS.md ([source](https://app.greptile.com/review/custom-context?memory=0d0c8278-ef8e-4d6c-ab21-f5527e322f13))
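The PR description explains the leak (a `?token=...` query parameter that survives in console output, clipboard, access logs and Referer headers) and the review comment flags the ANSI-in-non-TTY problem of colouring the warning unconditionally. The TypeScript below is an added example, not code from this PR or from OpenClaw: it detects a token parameter in a URL, produces a redacted copy suitable for logs, and attaches the warning with colour only when the caller says output is a TTY. The function names, the default parameter name `token`, and the sample URLs are assumptions; the project's own helpers (`resolveControlUiLinks()`, `formatControlUiSshHint()`) are not reproduced here.

```typescript
// Added example, not OpenClaw's own code. Function names, the default
// query-parameter name "token", and the sample URLs are assumptions.

export type TokenParam = { name: string; value: string };

/** Decode one percent-encoded query component; malformed input is returned as-is. */
function safeDecode(s: string): string {
  try {
    return decodeURIComponent(s);
  } catch {
    return s;
  }
}

/** Split `url` at its query string into prefix, raw name=value pairs and trailing fragment. */
function splitUrl(url: string): { base: string; pairs: string[]; fragment: string } {
  // Scan from the first "?" wherever it is: a query inside a hash-router
  // fragment ("#/chat?token=...") never reaches the server but still leaks
  // through console output and the clipboard, so it is treated the same.
  const q = url.indexOf("?");
  if (q < 0) return { base: url, pairs: [], fragment: "" };
  let rest = url.slice(q + 1);
  let fragment = "";
  const hash = rest.indexOf("#");
  if (hash >= 0) {
    fragment = rest.slice(hash);
    rest = rest.slice(0, hash);
  }
  return { base: url.slice(0, q + 1), pairs: rest.split("&"), fragment };
}

/** Return the non-empty token-bearing query parameters of `url` (case-insensitive name match). */
export function findTokenParams(url: string, paramNames: readonly string[] = ["token"]): TokenParam[] {
  const wanted = new Set(paramNames.map((n) => n.toLowerCase()));
  const found: TokenParam[] = [];
  for (const pair of splitUrl(url).pairs) {
    if (pair === "") continue;
    const eq = pair.indexOf("=");
    const name = safeDecode(eq < 0 ? pair : pair.slice(0, eq));
    const value = eq < 0 ? "" : pair.slice(eq + 1);
    if (wanted.has(name.toLowerCase()) && value !== "") found.push({ name, value });
  }
  return found;
}

/** Copy of `url` with every token parameter value replaced, for log lines and error messages. */
export function redactTokens(url: string, paramNames: readonly string[] = ["token"]): string {
  const wanted = new Set(paramNames.map((n) => n.toLowerCase()));
  const { base, pairs, fragment } = splitUrl(url);
  if (pairs.length === 0) return url;
  const out = pairs.map((pair) => {
    const eq = pair.indexOf("=");
    if (eq < 0) return pair;
    const rawName = pair.slice(0, eq);
    return wanted.has(safeDecode(rawName).toLowerCase()) ? `${rawName}=<redacted>` : pair;
  });
  return base + out.join("&") + fragment;
}

const ANSI_YELLOW = "\u001b[33m";
const ANSI_RESET = "\u001b[0m";

export const TOKEN_URL_WARNING =
  "Warning: this URL contains your gateway token. Anything that sees the URL " +
  "(console output, clipboard, server access logs, Referer headers) can reuse it to authenticate. Do not share it.";

/**
 * Print-ready link text. The warning is coloured only when `opts.tty` is true
 * (callers pass `process.stdout.isTTY`), so piped output, log files and
 * copy/pasteable SSH hints never receive raw ANSI escape sequences.
 */
export function formatLinkWithWarning(url: string, opts: { tty: boolean }): string {
  if (findTokenParams(url).length === 0) return url;
  const warning = opts.tty ? `${ANSI_YELLOW}${TOKEN_URL_WARNING}${ANSI_RESET}` : TOKEN_URL_WARNING;
  return `${url}\n${warning}`;
}

// Constructed sample: a local Control UI link carrying a gateway token.
const SAMPLE_URL = "http://127.0.0.1:8080/?token=abc123&view=chat#/dashboard";
console.log(formatLinkWithWarning(SAMPLE_URL, { tty: false }));
console.log("access-log-safe form:", redactTokens(SAMPLE_URL));
```

The split between `formatLinkWithWarning` (what the user sees, with the real token because they need it) and `redactTokens` (what goes to any log or error message) is the design point: a warning helps the user, but the only thing that protects logs is never writing the secret into them in the first place.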