避免 models.json 缓存泄露 API Key（PR #14836）

• OpenClaw instance uses provider API keys (direct key or `${ENV}` indirection).
• You can inspect `~/.openclaw/agents/main/agent/models.json` on host.

1. Backup current config and rotate any keys that may already have been exposed in cache/logs.
2. Upgrade to PR #14836 build and restart gateway.
3. Trigger model initialization once, then inspect generated models cache for `apiKey` fields.
4. Confirm runtime requests still authenticate correctly through env/config resolution path.
5. Add periodic secret-scan check on cache directory as defense-in-depth.

• If historical backups still contain plaintext keys, they remain a risk until rotated/deleted（需验证）.
• Different agent/session cache paths may vary by deployment mode.

This tip is aggregated from community/public sources and preserved with attribution.