fix(plugins): redact git install failure urls

src/plugins/git-install.test.ts

@@ -200,6 +200,27 @@ describe("installPluginFromGitSpec", () => {
     }
   });
 
+  it("redacts authenticated git URLs from command failure details", async () => {
+    runCommandWithTimeoutMock.mockResolvedValueOnce({
+      code: 1,
+      stdout: "",
+      stderr: "fatal: could not read Username for 'https://token:secret@github.com/acme/demo.git'",
+    });
+
+    const result = await installPluginFromGitSpec({
+      spec: "git:https://token:secret@github.com/acme/demo.git",
+    });
+
+    expect(result.ok).toBe(false);
+    if (!result.ok) {
+      expect(result.error).toContain("failed to clone github.com/acme/demo");
+      expect(result.error).toContain("https://***:***@github.com/acme/demo.git");
+      expect(result.error).not.toContain("token");
+      expect(result.error).not.toContain("secret");
+    }
+    expect(installPluginFromInstalledPackageDirMock).not.toHaveBeenCalled();
+  });
+
   it("keeps the existing managed repo when replacement install fails", async () => {
     const gitDir = await fs.mkdtemp(path.join(os.tmpdir(), "openclaw-git-install-preserve-"));
     const normalizedSpec = "git:https://github.com/acme/demo.git";

src/plugins/git-install.ts

@@ -235,7 +235,9 @@ function formatGitCommandFailure(params: {
   stdout: string;
   stderr: string;
 }): string {
-  const detail = sanitizeForLog(params.stderr.trim() || params.stdout.trim() || "git failed");
+  const detail = sanitizeForLog(
+    redactSensitiveUrlLikeString(params.stderr.trim() || params.stdout.trim() || "git failed"),
+  );
   return `failed to ${params.action} ${sanitizeForLog(redactSensitiveUrlLikeString(params.source.label))}: ${detail}`;
 }