fix(config): degrade gracefully on missing env vars (#39050, thanks @akz142857)

Co-authored-by: ziy <ziyang.liu@wahool.com>

src/config/env-vars.ts

@@ -3,6 +3,7 @@ import {
   isDangerousHostEnvVarName,
   normalizeEnvVarKey,
 } from "../infra/host-env-security.js";
+import { containsEnvVarReference } from "./env-substitution.js";
 import type { OpenClawConfig } from "./types.js";
 
 function isBlockedConfigEnvVar(key: string): boolean {
@@ -75,6 +76,13 @@ export function applyConfigEnvVars(
     if (env[key]?.trim()) {
       continue;
     }
+    // Skip values containing unresolved ${VAR} references — applyConfigEnvVars runs
+    // before env substitution, so these would pollute process.env with literal placeholders
+    // (e.g. process.env.OPENCLAW_GATEWAY_TOKEN = "${VAULT_TOKEN}") which downstream auth
+    // resolution would accept as valid credentials.
+    if (containsEnvVarReference(value)) {
+      continue;
+    }
     env[key] = value;
   }
 }