[Bug]: Security / Privacy / Session Routing

[nicclark2nd]

Summary

When a system message (Slack DM) arrived during an active WhatsApp session, the platform appears to have: 1. Received the Slack system message, 2. Generated a WhatsApp response to the original user (Nic), 3. Incorrectly delivered that response to the Slack sender (Charmaine)

Steps to reproduce

The WhatsApp response was echoed to the most recent Slack sender.

---

ROOT CAUSE HYPOTHESIS

Session Context Bleeding

When a system message (Slack DM) arrived during an active WhatsApp session, the platform appears to have:

1. Received the Slack system message
2. Generated a WhatsApp response to the original user (Nic)
3. Incorrectly delivered that response to the Slack sender (Charmaine)

This suggests a failure in session isolation at the platform routing layer.

---

IMPACT

• Privacy violation: Private workflow discussion exposed to team member
• Trust erosion: User confidence in system security compromised
• Operational risk: Potential for further cross-channel leaks

---

REPRODUCTION STEPS

Unknown — appears to be a race condition or session state corruption.

Conditions present:

• Active WhatsApp conversation in progress
• Incoming Slack system message (team member DM)
• Agent generates response to WhatsApp user

---

REQUESTED ACTIONS

Immediate

1. Investigate session routing logic for cross-channel message leaks
2. Review message delivery pipeline for context confusion bugs
3. Audit session isolation between WhatsApp and Slack channels

Short-term

1. Add session boundary validation — verify recipient matches source channel
2. Implement delivery confirmation — require explicit target verification
3. Create cross-channel safeguards — prevent any message routing between channels

Long-term

1. Session isolation architecture review — ensure complete channel separation
2. Add regression tests for multi-channel concurrent scenarios
3. Consider channel-specific agent instances — eliminate shared session state

---

SAFEGUARDS IMPLEMENTED (Agent-side)

1. ✅ All automated Slack messaging PAUSED
2. ✅ Slack DMs set to receive-only (store reports, never reply)
3. ✅ Explicit recipient verification before any message send
4. ✅ Session context checks enforced

---

URGENCY

This is a critical privacy breach that could result in:

• Further unauthorized disclosures
• Loss of user trust
• Potential regulatory issues (GDPR, etc.)

Please prioritize immediate investigation.

Expected behavior

Expected Behavior (if no bug):

When Nic Clark (+66972796305) and Mary are having a private WhatsApp conversation about Apple Reminders:

1.⁠ ⁠Mary generates a response intended for Nic's WhatsApp
2.⁠ ⁠The message is delivered ONLY to Nic's WhatsApp (+66972796305)
3.⁠ ⁠No copy, echo, or routing to any other channel or recipient
4.⁠ ⁠Charmaine's Slack DM (which arrived as a separate system message) is processed silently and stored — no reply sent
5.⁠ ⁠The two conversations remain completely isolated

What Actually Happened (the bug):

The WhatsApp response to Nic was incorrectly delivered to Charmaine's Slack DM.

The Fix Needed:

Platform must ensure:
•⁠ ⁠Messages generated in WhatsApp session → Deliver to WhatsApp recipient only
•⁠ ⁠Messages generated in Slack session → Deliver to Slack recipient only
•⁠ ⁠Never cross-route between channels, even during concurrent sessions
•⁠ ⁠System messages (incoming DMs) don't corrupt active session context

Actual behavior

Send a message in WhatsApp and it does not message a random team member in Slack.

OpenClaw version

OpenClaw 2026.2.19-2

Operating system

MacOS Tahoe 26.3

Install method

npm global

Logs, screenshots, and evidence

KEY EVIDENCE TO INCLUDE:

1. Timeline Proof:

07:47:04 - Charmaine's Slack DM arrives
07:48:00 - WhatsApp response sent to Nic  
07:48:xx - SAME content appears in Charmaine's Slack DM


2. Session ID:

cacf9d0b-2264-4875-bc9b-188e7c8768af


3. The Breach:
•⁠  ⁠Content intended for WhatsApp (+66972796305) 
•⁠  ⁠Was delivered to Slack DM (U0AEMECNCBV / Charmaine)
•⁠  ⁠Full content was private system architecture discussion

4. Code Proof:
•⁠  ⁠Agent's Slack messaging uses fixed templates only
•⁠  ⁠Breached content does not exist in any Slack messaging code
•⁠  ⁠All Slack targets are explicit (never inferred)

5. Logs Available:
•⁠  ⁠⁠ ~/.openclaw/agents/mary/sessions/cacf9d0b-2264-4875-bc9b-188e7c8768af.jsonl ⁠
•⁠  ⁠⁠ ~/.openclaw/cron/runs/ ⁠

---

Full evidence file: ⁠ EVIDENCE_PACKAGE.md ⁠

This proves the bug is at the platform level — my code couldn't have sent that message to Slack.

Impact and severity

SLACK: Version 4.47.72
28e482e508c0480b9f7a57609a3374e4ac917296@1771639056 (Production)

Additional information

No response

[sstklen]

Hey! I ran into a similar pattern in our bug knowledge base and thought this might help.

What's happening: Session context bleeding in the message routing layer - when a Slack DM arrived during an active WhatsApp session, the system incorrectly delivered the WhatsApp response to the Slack sender instead of the intended WhatsApp recipient

What worked for us:

Implement proper session isolation and message routing validation to prevent cross-channel message delivery

Steps:

1. Audit the message routing pipeline to identify where session context is being shared between channels
2. Add session ID validation before message delivery to ensure responses go to the correct channel/user
3. Implement channel-specific message queues to prevent cross-contamination
4. Add logging to track message flow from generation to delivery with session/channel metadata
5. Create unit tests for concurrent multi-channel scenarios to prevent regression
6. Review and strengthen session isolation boundaries between WhatsApp and Slack handlers

// Add session validation before message delivery
function deliverMessage(message, sessionContext) {
  // Validate session matches intended recipient
  if (message.targetChannel !== sessionContext.channel) {
    throw new Error(`Channel mismatch: message for ${message.targetChannel} attempted delivery to ${sessionContext.channel}`);
  }
  
  // Ensure recipient ID matches session
  if (message.recipientId !== sessionContext.userId) {
    throw new Error(`Recipient mismatch: message for ${message.recipientId} attempted delivery to ${sessionContext.userId}`);
  }
  
  return channelHandlers[sessionContext.channel].send(message);
}

Hope this helps! Let me know if it doesn't match your case — happy to dig deeper. 🦞

Disclosure: This analysis is from Confucius Debug, an AI-powered community KB for agent bugs. Please verify before applying.

---

_{🦞 Confucius Debug — community knowledge base for AI agent bugs. Free to search via MCP.}