fix(openshell): drop poisoned sandbox skills downloads

steipete · steipete · commit ab80721966d1 · 2026-06-07T12:12:19.000+01:00
diff --git a/extensions/openshell/src/backend.ts b/extensions/openshell/src/backend.ts
@@ -602,18 +602,24 @@ function resolveRemoteMaterializedSkillsWorkspaceDir(remoteWorkspaceDir: string)
 
 async function removeMaterializedSkillsFromDownloadedWorkspace(tmpDir: string): Promise<void> {
   let cursor = tmpDir;
-  for (const part of MATERIALIZED_SKILLS_REMOTE_PARTS) {
+  for (const [index, part] of MATERIALIZED_SKILLS_REMOTE_PARTS.entries()) {
     const next = path.join(cursor, part);
     const stats = await fs.lstat(next).catch(() => null);
-    if (!stats || stats.isSymbolicLink()) {
+    if (!stats) {
+      return;
+    }
+    if (index === MATERIALIZED_SKILLS_REMOTE_PARTS.length - 1) {
+      await fs.rm(next, { recursive: true, force: true });
+      return;
+    }
+    if (stats.isSymbolicLink()) {
       return;
     }
     if (!stats.isDirectory()) {
       return;
     }
     cursor = next;
   }
-  await fs.rm(cursor, { recursive: true, force: true });
 }
 
 async function moveMaterializedSkillsShadowAside(params: {
diff --git a/extensions/openshell/src/openshell-core.test.ts b/extensions/openshell/src/openshell-core.test.ts
@@ -372,6 +372,45 @@ describe("openshell backend manager", () => {
       renameSpy.mockRestore();
     }
   });
+
+  it("drops non-directory materialized sandbox skills from mirror downloads", async () => {
+    const workspaceDir = await makeTempDir("openclaw-openshell-workspace-");
+    cliMocks.runOpenShellCli.mockImplementation(async ({ args }: { args: string[] }) => {
+      if (args[0] === "sandbox" && args[1] === "download") {
+        const tmpDir = args[4];
+        await fs.writeFile(path.join(tmpDir, "from-remote.txt"), "remote", "utf8");
+        await fs.mkdir(path.join(tmpDir, ".openclaw"), { recursive: true });
+        await fs.writeFile(path.join(tmpDir, ".openclaw", "sandbox-skills"), "poison", "utf8");
+      }
+      return { code: 0, stdout: "", stderr: "" };
+    });
+
+    const factory = createOpenShellSandboxBackendFactory({
+      pluginConfig: resolveOpenShellPluginConfig({
+        command: "openshell",
+        mode: "mirror",
+      }),
+    });
+    const backend = await factory({
+      sessionKey: "agent:main:turn",
+      scopeKey: "agent:main",
+      workspaceDir,
+      agentWorkspaceDir: workspaceDir,
+      cfg: createOpenShellBackendSandboxConfig(),
+    });
+
+    await backend.finalizeExec?.({
+      status: "completed",
+      exitCode: 0,
+      timedOut: false,
+      token: undefined,
+    });
+
+    await expect(fs.readFile(path.join(workspaceDir, "from-remote.txt"), "utf8")).resolves.toBe(
+      "remote",
+    );
+    await expectPathMissing(path.join(workspaceDir, ".openclaw", "sandbox-skills"));
+  });
 });
 
 const tempDirs: string[] = [];
