Description
Slack onboard exposes one auth knob: dmPolicy=allowlist + allowFrom=[<Slack user id>]. After onboarding, DMs from the listed user work end-to-end — the agent receives the message and replies. But when the SAME user @mentions the bot from a Slack channel where the bot is invited, the channel-mention path goes through a SEPARATE pairing gate that the user was never asked to configure.
The bot posts a "OpenClaw: access not configured. Pairing code: ..." reply instead of invoking the agent, and the suggested fix (openclaw pairing approve slack <code>) is itself broken on the same build (see related NVB#6187303 filed by Merc Lau).
Net effect: a user who has correctly allowlisted themselves for the bot via the documented onboard wizard CANNOT get channel-mention replies to work, even when the pairing CLI is fixed, because:
- The onboard wizard never asks for a channel-mention allowlist.
- The runtime config (
channels.slack.accounts.default) only exposes dmPolicy/allowFrom — no channel-side equivalent.
- The only documented way to grant channel auth is the pairing flow, which is broken AND wasn't introduced in the wizard.
Environment
Device: MacBook (M4)
OS: macOS 26.1 (Darwin 25.1.0)
Architecture: arm64
Node.js: v23.10.0
npm: 11.3.0
Docker: 27.4.0 (Colima)
OpenShell CLI: 0.0.39
NemoClaw: v0.0.44
OpenClaw: 2026.4.24 (cbcfdf6)
Slack workspace: nvidia-ai (channel #nemoclaw-test, bot @nemoclawtest, user U0AR85ATALW)
Steps to Reproduce
-
Run nemoclaw onboard, enable Slack messaging, paste SLACK_BOT_TOKEN + SLACK_APP_TOKEN, set allowFrom to your Slack user id (e.g. U0AR85ATALW). Accept defaults otherwise.
-
After the sandbox is Ready, in Slack open a DM with the bot and send hi. Bot replies — DM auth works.
-
In a channel where the bot is a member (e.g. #nemoclaw-test), post @<bot> hi from the SAME user as step 2.
-
Bot reply in the channel thread is a pairing notice, NOT an agent reply:
OpenClaw: access not configured.
Your Slack user id: U0AR85ATALW
Pairing code: KJ4XHULK
Ask the bot owner to approve with:
openclaw pairing approve slack KJ4XHULK
-
Inspect channel config: /sandbox/.openclaw/openclaw.json → channels.slack.accounts.default has dmPolicy + allowFrom but NO channel-side allowlist or policy.
-
Re-run nemoclaw onboard — there is no prompt asking about channel-mention auth.
Expected Result
Pick ONE of these resolutions; current behavior is none of them:
- A)
DM allowFrom transitively covers channel @mentions from the same user — a user who is already trusted on DM does not get re-prompted in channels.
- B) The onboard wizard asks a second question for channel-mention policy (e.g. "Allow channel @mentions from: " or "Auto-allow whole channel: yes/no"), parallel to the existing DM prompt.
- C) There is a documented
nemoclaw <name> channels set --allow-channel ... CLI to add channel-mention allowlist post-onboard.
Whichever is chosen, the in-sandbox pairing CLI flow (currently broken — NVB#6187303) should NOT be the only path.
Actual Result
DM allowFrom is the ONLY auth knob the onboard wizard exposes.- Channel mention triggers an entirely separate pairing flow whose only documented action is
openclaw pairing approve slack <code> — which itself is broken in v0.0.44 / OpenClaw 2026.4.24 (NVB#6187303: "No pending pairing request found").
- Result: channel
@mention replies are unconfigurable through the supported tooling.
Related Bugs
- NVB#6187303 (Merc Lau, 2026-05-18) — the CLI-side bug:
openclaw pairing approve slack returns "No pending pairing request found", so even if the user discovers the pairing flow they cannot complete it. THIS bug is the design/UX gap that surfaces NVB#6187303 to users: the gate exists, the wizard never opted them in, and the only escape (pairing CLI) doesn't work.
- NVB#6187476 — originally filed as docs-only; superseded by THIS bug because the root cause is a product configuration gap, not just missing documentation.
Logs
Gateway log excerpt from /sandbox/.openclaw/logs/gateway-persistent.log and the in-sandbox CLI session:
2026-05-18T11:30:14 [slack] users resolved: U0AR85ATALW→Lynn Hu (id:U0AR85ATALW)
2026-05-18T11:30:15 [slack] socket mode connected
(DM from U0AR85ATALW works — agent replies)
(channel mention from U0AR85ATALW → bot posts "access not configured / Pairing code: KJ4XHULK")
$ openclaw pairing list slack
[openclaw] Failed to start CLI: Error: Channel required. ... (expected one of: )
$ openclaw pairing approve slack KJ4XHULK
[openclaw] Failed to start CLI: Error: No pending pairing request found for code: KJ4XHULK
NVB#6187490
Description
Slack onboard exposes one auth knob:
dmPolicy=allowlist+allowFrom=[<Slack user id>]. After onboarding, DMs from the listed user work end-to-end — the agent receives the message and replies. But when the SAME user@mentionsthe bot from a Slack channel where the bot is invited, the channel-mention path goes through a SEPARATE pairing gate that the user was never asked to configure.The bot posts a
"OpenClaw: access not configured. Pairing code: ..."reply instead of invoking the agent, and the suggested fix (openclaw pairing approve slack <code>) is itself broken on the same build (see related NVB#6187303 filed by Merc Lau).Net effect: a user who has correctly allowlisted themselves for the bot via the documented onboard wizard CANNOT get channel-mention replies to work, even when the pairing CLI is fixed, because:
channels.slack.accounts.default) only exposesdmPolicy/allowFrom— no channel-side equivalent.Environment
Steps to Reproduce
Run
nemoclaw onboard, enable Slack messaging, pasteSLACK_BOT_TOKEN+SLACK_APP_TOKEN, setallowFromto your Slack user id (e.g.U0AR85ATALW). Accept defaults otherwise.After the sandbox is Ready, in Slack open a DM with the bot and send
hi. Bot replies — DM auth works.In a channel where the bot is a member (e.g.
#nemoclaw-test), post@<bot> hifrom the SAME user as step 2.Bot reply in the channel thread is a pairing notice, NOT an agent reply:
Inspect channel config:
/sandbox/.openclaw/openclaw.json→channels.slack.accounts.defaulthasdmPolicy+allowFrombut NO channel-side allowlist or policy.Re-run
nemoclaw onboard— there is no prompt asking about channel-mention auth.Expected Result
Pick ONE of these resolutions; current behavior is none of them:
DM allowFromtransitively covers channel@mentionsfrom the same user — a user who is already trusted on DM does not get re-prompted in channels.nemoclaw <name> channels set --allow-channel ...CLI to add channel-mention allowlist post-onboard.Whichever is chosen, the in-sandbox pairing CLI flow (currently broken — NVB#6187303) should NOT be the only path.
Actual Result
DM allowFromis the ONLY auth knob the onboard wizard exposes.openclaw pairing approve slack <code>— which itself is broken in v0.0.44 / OpenClaw 2026.4.24 (NVB#6187303: "No pending pairing request found").@mentionreplies are unconfigurable through the supported tooling.Related Bugs
openclaw pairing approve slackreturns "No pending pairing request found", so even if the user discovers the pairing flow they cannot complete it. THIS bug is the design/UX gap that surfaces NVB#6187303 to users: the gate exists, the wizard never opted them in, and the only escape (pairing CLI) doesn't work.Logs
Gateway log excerpt from
/sandbox/.openclaw/logs/gateway-persistent.logand the in-sandbox CLI session:NVB#6187490