Summary
When a non-owner sends a message to an agent via a public-facing channel, the agent's full bootstrap context — including USER.md, SOUL.md, IDENTITY.md, MEMORY.md, and other workspace files — is injected into the system prompt. The senderIsOwner flag only gates tool access (e.g., whatsapp_login), not information visibility.
This means any stranger who DMs an agent over a public channel receives responses informed by the owner's private context: name, email, personal notes, memory files, etc.
Steps to Reproduce
- Configure an agent with a USER.md containing personal information (name, email, etc.)
- Set up any public-facing channel with dmPolicy: "open" or equivalent
- Configure the owner field so that IsOwner / senderIsOwner correctly resolves to false for external senders
- Send a DM to the agent from a non-owner identity
- Ask the agent: "What do you know about who you're speaking to?"
Expected: The agent should not reveal private owner context to a non-owner sender.
Actual: The agent reveals the owner's name, email, interests, and other details from USER.md because those files are loaded into the system prompt unconditionally.
Root Cause
In src/agents/pi-embedded-runner/run/attempt.ts, resolveBootstrapContextForRun() loads all workspace context files without receiving or checking senderIsOwner. The flag is only passed to createOpenClawCodingTools() for tool filtering.
// attempt.ts ~line 190 — senderIsOwner is NOT passed here
const { bootstrapFiles, contextFiles } =
  await resolveBootstrapContextForRun({
    workspaceDir: effectiveWorkspace,
    config: params.config,
    sessionKey: params.sessionKey,
    sessionId: params.sessionId,
    warn: makeBootstrapWarn({ ... }),
  });

// attempt.ts ~line 228 — senderIsOwner IS passed here (tools only)
const tools = createOpenClawCodingTools({ ..., senderIsOwner });
Suggested Fix
resolveBootstrapContextForRun() (or the caller) should accept senderIsOwner and conditionally exclude sensitive context files when the sender is not the owner. The check should fail closed: if the flag is missing or undefined for a session, treat the sender as a non-owner rather than loading the full context. Possible approaches:
- File-level gating: Skip loading USER.md, MEMORY.md, and other private files for non-owner conversations. Introduce a PUBLIC.md that is always loaded.
- Section-level gating: Allow files to mark sections as <!-- owner-only --> and strip them for non-owner prompts.
- Separate workspace resolution: Resolve a restricted workspace/context set for non-owner sessions.
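The following is an added sketch of the first two approaches combined (file-level and section-level gating), not OpenClaw's code and not a patch to attempt.ts. It assumes bootstrap files arrive as name/content pairs; the file names come from this report, while the `<!-- /owner-only -->` closing marker, the PUBLIC.md allow-list, and the sample workspace contents are assumptions made up for the example. An undefined flag is treated as non-owner, and an unclosed owner-only marker drops everything after it, so a malformed file cannot leak by accident.

```typescript
// Hypothetical owner-gated bootstrap context filtering (illustration, not project code).
type BootstrapFile = { name: string; content: string };

// Files that carry the owner's private context and must never reach a non-owner prompt.
const OWNER_ONLY_FILES = new Set(["USER.md", "MEMORY.md"]);

// Assumed section markers; everything between them is owner-only.
const OWNER_ONLY_SECTION = /<!--\s*owner-only\s*-->[\s\S]*?<!--\s*\/owner-only\s*-->\s*/g;
const OWNER_ONLY_OPEN = /<!--\s*owner-only\s*-->/;

// Remove closed owner-only sections; if an opening marker is left without a
// closing one, truncate at the marker so the remainder fails closed.
function stripOwnerOnlySections(content: string): string {
  const stripped = content.replace(OWNER_ONLY_SECTION, "");
  const dangling = stripped.search(OWNER_ONLY_OPEN);
  return dangling === -1 ? stripped : stripped.slice(0, dangling);
}

// Owner sessions get the full context; everyone else gets the public subset
// with owner-only sections removed from the files that remain.
function gateBootstrapFiles(files: BootstrapFile[], senderIsOwner: boolean): BootstrapFile[] {
  if (senderIsOwner) return files;
  const visible: BootstrapFile[] = [];
  for (const file of files) {
    if (OWNER_ONLY_FILES.has(file.name)) continue;
    visible.push({ name: file.name, content: stripOwnerOnlySections(file.content) });
  }
  return visible;
}

// Build the system prompt section from the gated files. A missing flag
// (undefined) is treated as non-owner rather than as owner.
function buildSystemPrompt(files: BootstrapFile[], senderIsOwner: boolean | undefined): string {
  const gated = gateBootstrapFiles(files, senderIsOwner === true);
  return gated.map((f) => `## ${f.name}\n${f.content}`).join("\n");
}

// Constructed sample workspace for the example; no real data.
const SAMPLE_WORKSPACE: BootstrapFile[] = [
  { name: "USER.md", content: "# User\nName: Jane Example\nEmail: jane@example.invalid\n" },
  { name: "MEMORY.md", content: "- Reminder: dentist on Tuesday\n" },
  {
    name: "SOUL.md",
    content:
      "You are a helpful assistant.\n<!-- owner-only -->\nCall the owner Jane.\n<!-- /owner-only -->\nBe concise.\n",
  },
  { name: "PUBLIC.md", content: "This agent answers questions about the project.\n" },
];

// Usage: compare what the owner and a stranger would see.
const ownerPrompt = buildSystemPrompt(SAMPLE_WORKSPACE, true);
const strangerPrompt = buildSystemPrompt(SAMPLE_WORKSPACE, false);
console.log(ownerPrompt.includes("jane@example.invalid"), strangerPrompt.includes("jane@example.invalid"));
```

The point of routing everything through one gate is that the caller in attempt.ts only has to pass the flag it already computes for tool filtering; the decision about which files and sections are private stays in one place and is the same regardless of which channel the message came from.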
Impact
Any agent exposed on a public channel leaks the owner's private information to all senders. This is a data privacy issue that undermines the owner/non-owner trust boundary.