From fd77a047f9311dbc20eec518accf9f97c19c8bad Mon Sep 17 00:00:00 2001
From: clawbot <clawbot@openclaw>
Date: Sun, 8 Feb 2026 12:04:38 -0800
Subject: [PATCH] security: zero plaintext after copying to memguard in
 DecryptWithIdentity

The decrypted data from io.ReadAll was copied into a memguard
LockedBuffer but the original byte slice was never zeroed, leaving
plaintext in swappable, dumpable heap memory.
---
 internal/secret/crypto.go | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/internal/secret/crypto.go b/internal/secret/crypto.go
index cd60b88..1bf20a3 100644
--- a/internal/secret/crypto.go
+++ b/internal/secret/crypto.go
@@ -68,6 +68,11 @@ func DecryptWithIdentity(data []byte, identity age.Identity) (*memguard.LockedBu
 	// Create a secure buffer for the decrypted data
 	resultBuffer := memguard.NewBufferFromBytes(result)
 
+	// Zero out the original slice to prevent plaintext from lingering in unprotected memory
+	for i := range result {
+		result[i] = 0
+	}
+
 	return resultBuffer, nil
 }
 
-- 
2.45.2