Learning lots about security through securing OpenClaw: how the kernel is the closest code to your machine and Mac reads from that before anything else.
Nono (https://github.com/always-further/nono) by Luke Hinds is a great tool that sandboxes the keychain process so that your agent literally never touches your keys. Not native to OpenClaw so takes some work to install.