fix(outbound): sanitize message.send arguments to prevent runtime scaffolding leaks

LiLan0125 · claude · LiLan0125 · commit 68cb0fc669a5 · 2026-06-01T22:53:38.000+08:00
Weak tool-calling models (MiniMax, Kimi, small Ollama models) can verbatim-echo the runtime Delivery: hint and Conversation info / Sender (untrusted metadata) JSON envelopes into message.send tool arguments. The runtime forwarded them unfiltered to channel adapters, leaking internal metadata into real human conversations. Apply the existing stripInboundMetadata sanitizer to outbound message.send arguments so the same sentinels stripped from inbound prompts are also stripped from outbound tool-call text before delivery. Closes #89100 Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -45,6 +45,7 @@ Docs: https://docs.openclaw.ai
 
 ### Fixes
 
+- Outbound: sanitize `message.send` arguments through `stripInboundMetadata` so weak models that echo runtime delivery hints and untrusted-metadata blocks into tool arguments no longer leak internal scaffolding (chat_id, sender_id, inbound_event_kind, sender display name/phone) into real conversations on WhatsApp, Signal, Telegram, and SMS channels. (#89100)
 - Agents/TUI: keep local custom provider runs from loading plugin runtime and auth alias metadata when plugins are disabled.
 - Agents/TUI: restore in-flight TUI run switch-back behavior, keep no-policy native hook fallback available, guard vanished workspaces, and keep lightweight isolated subagents lightweight.
 - Agents/media: keep async image, music, and video generation starts from ending the Codex turn, so mixed requests can continue with summaries or other work while media renders in the background.
diff --git a/src/infra/outbound/message-action-runner.ts b/src/infra/outbound/message-action-runner.ts
@@ -38,6 +38,7 @@ import { hasPollCreationParams } from "../../poll-params.js";
 import { resolvePollMaxSelections } from "../../polls.js";
 import { resolveFirstBoundAccountId } from "../../routing/bound-account-read.js";
 import { stripUnsupportedCitationControlMarkers } from "../../shared/text/citation-control-markers.js";
+import { stripInboundMetadata } from "../../auto-reply/reply/strip-inbound-meta.js";
 import { stripFormattedReasoningMessage } from "../../shared/text/formatted-reasoning-message.js";
 import { parseInlineDirectives } from "../../utils/directive-tags.js";
 import {
@@ -983,7 +984,9 @@ async function buildSendPayloadParts(params: {
   mergedMediaUrls.length = 0;
   mergedMediaUrls.push(...normalizedMediaUrls);
 
-  message = stripPlainTextToolCallBlocks(stripUnsupportedCitationControlMarkers(parsed.text));
+  message = stripInboundMetadata(
+    stripPlainTextToolCallBlocks(stripUnsupportedCitationControlMarkers(parsed.text)),
+  );
   actionParams.message = message;
   if (!actionParams.replyTo && parsed.replyToId) {
     actionParams.replyTo = parsed.replyToId;
