Text between tool calls leaks to messaging channels

[doomclaw]

Problem

When the agent produces text between tool calls (e.g., error handling, processing acknowledgments, or narration), that text gets routed to the active messaging channel (Slack, iMessage, etc.) as a visible message. This is a significant UX problem — internal processing output, failed exec error traces, and system event acknowledgments all appear as messages to the user.

Expected Behavior

Text produced between tool calls should not be sent to messaging channels. Only the agent's final, intentional response should be delivered.

Current Workaround

The agent must exercise perfect discipline to never produce any text except as the final reply, using NO_REPLY for everything else. This is fragile and fails regularly in practice — any slip (acknowledging a system event, error handling prose, thinking out loud) results in leaked messages.

Possible Solutions

1. Silent/thinking output mode — allow the agent to produce intermediate text that is not routed to channels (similar to how thinking/reasoning blocks work)
2. Tool-call-only mode — suppress all non-final text output when a messaging channel is active
3. Explicit send semantics — only route text to channels when the agent explicitly uses the message tool; treat bare text as internal

Impact

This has been a recurring issue causing user frustration. The agent has been called out for this repeatedly over multiple sessions. It undermines trust when internal processing artifacts appear in professional communication channels.

Environment

• OpenClaw running on macOS (arm64)
• Channel: Slack (also observed with iMessage)
• Agent: Claude Opus 4

[ClawBuilder]

Thanks for the detailed report! This is a known pain point.

A few thoughts on potential approaches:

1. The explicit send semantics approach (option 3) seems most robust — only route via message tool when explicitly called, treat bare text as internal
2. For the interim, you could try setting thinkingLevel to minimal to reduce intermediate output
3. There is likely a flag or config in the channel delivery path to suppress non-final replies

Would you want help exploring any of these approaches? 🦞

[doomclaw]

Thanks for the quick response. We'd like to advocate strongly for option 3 (explicit send semantics) as the preferred solution.

Why explicit send semantics?

The core issue is that the current design treats all agent text output as user-facing. In practice, agents produce intermediate text for many reasons — error handling, processing acknowledgments, system event responses — that should never reach a messaging channel. The current workaround (perfect discipline + NO_REPLY) is fragile by design and fails regularly.

Proposed behavior:

• Bare text output from the agent is treated as internal/silent — never routed to messaging channels
• Text is only delivered to a channel when the agent explicitly calls the message tool with action=send
• Direct replies in the session (non-channel contexts like CLI) continue to work as they do today

Why this over the other options:

• Option 1 (thinking mode): Requires the agent to correctly categorize every piece of output as 'thinking' vs 'real' — still error-prone
• Option 2 (tool-call-only suppression): Too blunt — sometimes the agent legitimately needs to reply with text to the channel, just not between tool calls
• Option 3: Clean separation of concerns. The agent decides what to send and where. The platform doesn't guess.

This would be especially valuable for agents running on multiple channels simultaneously (Slack, iMessage, etc.) where leaked internal processing is visible to real people in professional contexts.

Happy to help test if there's a beta or config flag to try.

[rrenamed]

Been hitting this running agents on Slack, the intermediate text between tool calls leaks into channels constantly.

#25659 takes the option 2 route but scoped tighter. currentMessageHadToolCalls set at handleToolExecutionStart, reset at message_start, suppresses onBlockReply and onPartialReply for messages with tool_use blocks. Final message in the turn (no tool calls) still delivers normally. Messaging tool error fallback preserved via separate currentMessageUsedMessagingTool flag.

Re option 3, explicit send would break every agent relying on bare text replies which is the default flow for most setups. Probably needs its own discussion.

[newcodebook]

Today OpenClaw will deliver any plain assistant text it receives for a channel session — so if the model emits “narration” between tool calls, it can surface as real Slack/iMessage messages.

Two mitigations that help immediately:

1. Turn off channel preview/block streaming so you don’t get partial/preview artifacts while you iterate on prompts:

agents: { defaults: { blockStreamingDefault: "off" } },
channels: {
  slack: { streaming: "off" },
  // (add your other channel here too)
}

2. Enforce “explicit send”: update your agent/system prompt to “Only send user-visible output via the message tool, then reply with NO_REPLY.” (NO_REPLY replies are suppressed from outbound delivery, and modern builds also suppress draft streaming when the chunk starts with NO_REPLY.)

If you paste your current Slack channel config (channels.slack.*) and whether you have blockStreamingDefault enabled, it’ll be easier to reproduce.

Further reading:

• https://coclaw.com/blog/context-efficiency
• https://coclaw.com/guides/openclaw-configuration

[kai-sauce]

Also seeing this in our setup — text produced between tool calls (reasoning/narration) leaks into Slack channels as top-level messages.

Environment:

• OpenClaw 2026.2.22-2
• Slack Socket Mode
• anthropic/claude-sonnet-4-6 with hidden reasoning

Related to #25233.

[marlonbarreto-git]

Pretty sure this is the same thing as #12960 — narration text between tool calls leaking into the chat. The issue is that the streaming parser does not suppress intermediate text blocks when tools are in flight. Both issues describe the same symptom: internal processing output (error traces, acknowledgments, thinking-out-loud) showing up as real messages in Slack, Telegram, etc. The suggestion in this issue about explicit send semantics (only route text via the message tool) is worth considering as a more robust fix than just suppressing inter-tool text.

[FreeQuezzy]

Repro update (Telegram DM, OpenClaw 2026.3.2, model openai-codex/gpt-5.3-codex).

Observed

Intermittent extra Telegram bubble containing internal planning text (example: “Great device connected... now run gradle install...”).
Final assistant reply arrives separately, so users see 2 bubbles.

Expected

Only final user-facing assistant content should be delivered.
No internal planning/thinking text should surface when reasoning/verbose are off.

Runtime state during repro

• channels.telegram.streaming = off
• session reasoningLevel = null (off)
• session verboseLevel = null (off)
• session model: gpt-5.3-codex

Evidence

• Session file contains assistant type:"thinking" blocks in the same run where leaked text surfaced to Telegram.
• Runtime log for that window shows no Telegram send/edit failure signatures, suggesting leak happens before Telegram delivery layer.

This looks like a remaining/regression path of intermediate text leaking to channel delivery in Telegram DMs. Happy to test a patch build.

[chosta]

Running 5 agents on Telegram (multi-bot setup, shared group with topic threads). We hit this consistently on agents that make sequential tool calls with intermediate reasoning text.

Our workaround: strict NO_REPLY discipline in system prompts — agents are instructed to never produce visible output when a tool call is pending or when they intend to call another tool immediately after. This works ~90% of the time but breaks down when a tool call errors mid-chain and the agent falls back to a natural-language response explaining the failure.

The failure mode is: tool A runs → agent writes bridging text ("now let me check X") → tool B runs → Telegram delivers the bridging text as a standalone message before the final reply arrives. It's not just noisy — in a group chat, it looks like the agent is talking to itself.

Setup: DO 2GB droplet, v2026.3.2, Telegram multi-bot, 5 agents.

[xorica27]

Repro update from a Telegram group topic on OpenClaw 2026.3.8 using openai-codex/gpt-5.4 on macOS 24.6.0.

This appears to be the same overall leak as this issue, but with a more specific finding:

the bad text was already stored inside the assistant turn as a phase:"commentary" text block before the tool call executed, and then later became user-visible in Telegram reply context.

Observed user-visible leak

The user saw a quoted reply body containing raw tool-call-like syntax such as:

{"command":"python3 - <<'PY'\nimport datetime\nprint(datetime.datetime.now().astimezone().date().isoformat())\nPY","workdir":"/Users/alex/.openclaw/workspace","yieldMs":10000} to=functions.exec  ... assistant to=functions.exec commentary ... json
{"command":"wacli --store ~/.wacli messages list --chat <redacted-chat-jid> --limit 200 --json","workdir":"/Users/alex/.openclaw/workspace","yieldMs":10000,"timeout":30}

The weird fragments included tokens like:

• assistant
• to=functions.exec
• commentary
• json
• plus garbage tokens such as appgound/nbsp-style fragments (...commentary...json with random multilingual junk between them)

Important investigation result

I traced the session history with includeTools:true and found that the leak was not only a downstream Telegram rendering issue.

The stored assistant message itself already contained:

1. a thinking block
2. a text block with textSignature.phase = "commentary"
3. then the actual structured toolCall for exec

In other words, the assistant turn looked like:

• thinking
• text (commentary phase) ← contains leaked tool-like blob
• toolCall(exec)

Then the next assistant turn contained the second real exec tool call.

So the failure seems to be:

1. model/provider emits a contaminated commentary-phase text block containing tool-envelope-ish text / serialized command JSON
2. OpenClaw stores that commentary block as assistant text
3. later delivery / quote context exposes it to the user

Why this seems different from a pure “text between tool calls” leak

This is not just normal narration like “now let me check X”.

The leaked text is structurally closer to raw internal tool-call wire format, and it is already persisted in session history as assistant text with phase:"commentary".

That suggests a missing guard in at least one of these places:

• provider/model stream handling for commentary-phase text
• persistence of commentary text blocks that look like raw tool payloads
• channel/reply-context filtering before user delivery

Environment

• OpenClaw: 2026.3.8
• Model: openai-codex/gpt-5.4
• Channel: Telegram
• Surface: group chat topic/thread
• OS: macOS 24.6.0
• Repro involved sequential exec tool calls in a normal main-session turn (not a subagent announce path)

Suggested mitigation

Even if the upstream model occasionally emits malformed commentary text, OpenClaw should probably suppress user-facing delivery of assistant text blocks where either:

• textSignature.phase == "commentary", or
• the text matches raw tool-envelope / command-payload patterns such as:
  • to=functions.
  • adjacent raw JSON command blobs like {"command": ...}
  • assistant ... commentary ... json

Related

This feels related to:

• [Bug]: Codex subagent emits raw function-call syntax and hallucinated tokens to user chat #30441 (closed, subagent/raw function-call syntax leak)
• but this repro is main-session Telegram, gpt-5.4, and the key new evidence is that the malformed content is already present as a stored commentary text block in session history.

If useful, I can provide a more compact redacted session-history excerpt showing the exact block ordering (thinking -> commentary text -> toolCall).