
System runtime instructions leaking into chat UI on third message #4019

@JamieLaing

Bug Description

On the third message in a fresh NemoClaw installation, system runtime instructions are being displayed to the user in the chat interface. The <nemoclaw-runtime> block containing sandbox policy information is rendered in the UI instead of being filtered out.

Steps to Reproduce

  1. Fresh NemoClaw install using curl -fsSL https://www.nvidia.com/nemoclaw.sh | bash
  2. Complete onboarding with Nemotron 3 Super 120B via Local Ollama
  3. Access Web UI via SSH tunnel: ssh -L 18789:127.0.0.1:18789 user@host
  4. Send 2-3 messages in the chat interface
  5. On approximately the third message, the system runtime instructions appear in the UI

Expected Behavior

System messages and runtime instructions should be filtered out before being displayed to the user.

Actual Behavior

The following content is displayed in the chat UI:

<nemoclaw-runtime>
You are running inside OpenShell sandbox "openclaw" via NemoClaw.
Treat this as a sandboxed environment, not unrestricted host access.
Network policy:
- outbound network is deny-by-default; assume no arbitrary internet access
- blocked requests can return proxy 403 and may need operator approval or policy changes
Filesystem policy:
- filesystem/process access is sandboxed; do not assume host-level access
Behavior:
- Do not claim unrestricted host or internet access.
- if access is blocked, say it is blocked and ask the operator to adjust policy or approve it in OpenShell
</nemoclaw-runtime>

Environment

  • NemoClaw Version: Latest (installed 2026-05-21)
  • OpenShell Version: 0.0.39
  • Model: nemotron-3-super:120b (Local Ollama)
  • Platform: DGX Spark (GB10), Ubuntu 24.04, ARM64
  • Access Method: Web UI via SSH tunnel

Impact

This exposes internal system prompts to users on their third interaction with a fresh install, suggesting fragile message boundary handling or UI filtering logic.

Additional Context

  • The user asked: "What's the difference between nemoclaw and openclaw?"
  • The runtime message appeared after the agent's response was completed
  • No errors visible in browser console
  • Sandbox logs show normal operation, no specific errors related to message rendering
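
A display-side filter of the kind the Expected Behavior section asks for, as an added example; it is not part of the issue or of NemoClaw's code. It assumes the UI receives the reply as streamed text chunks (the issue does not say so), so a tag split across two chunks must still be caught; `createRuntimeFilter` and `renderSafe` are hypothetical names.

```javascript
// Tag names copied verbatim from the block shown in the issue.
const OPEN = '<nemoclaw-runtime>';
const CLOSE = '</nemoclaw-runtime>';

// Length of the longest suffix of `text` that is a proper prefix of `tag`,
// i.e. how many trailing characters might be the start of a split tag.
function partialTagLen(text, tag) {
  const max = Math.min(text.length, tag.length - 1);
  for (let n = max; n > 0; n--) {
    if (tag.startsWith(text.slice(text.length - n))) return n;
  }
  return 0;
}

// Stateful filter: feed chunks in arrival order, render only what push() returns.
function createRuntimeFilter() {
  let buf = '';        // text not yet classified as safe or hidden
  let inside = false;  // true while between OPEN and CLOSE
  return {
    push(chunk) {
      buf += chunk;
      let out = '';
      for (;;) {
        const tag = inside ? CLOSE : OPEN;
        const i = buf.indexOf(tag);
        if (i !== -1) {
          if (!inside) out += buf.slice(0, i); // text before the block is safe
          buf = buf.slice(i + tag.length);
          inside = !inside;
          continue;
        }
        // No complete tag: hold back only a possible partial tag at the end.
        const keep = partialTagLen(buf, tag);
        if (!inside) out += buf.slice(0, buf.length - keep);
        buf = buf.slice(buf.length - keep);
        return out;
      }
    },
    flush() {
      // End of message: an unterminated block is dropped (fail closed);
      // a held-back fragment that never became a tag is ordinary text.
      const out = inside ? '' : buf;
      buf = '';
      inside = false;
      return out;
    },
  };
}

// Convenience wrapper (hypothetical): filter one whole message given as chunks.
function renderSafe(chunks) {
  const f = createRuntimeFilter();
  return chunks.map((c) => f.push(c)).join('') + f.flush();
}
```

Filtering at render time only hides the block; keeping runtime instructions out of the user-visible message channel in the first place removes the dependency on this filter being correct.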


Labels: area: cli (Command line interface, flags, terminal UX, or output); v0.0.59 (Release target)
