Summary
After context compaction, OpenClaw injects a system message instructing the agent to read WORKFLOW_AUTO.md, even when that file does not exist in the workspace.
Repro
The post-compaction audit in `src/auto-reply/reply/post-compaction-audit.ts` hardcodes the following required reads:

```typescript
const DEFAULT_REQUIRED_READS = ["WORKFLOW_AUTO.md", /memory\/\d{4}-\d{2}-\d{2}\.md/];
```

When the agent has not read WORKFLOW_AUTO.md after compaction, it receives this system message:

> ⚠️ Post-Compaction Audit: The following required startup files were not read after context reset:
> - WORKFLOW_AUTO.md
> Please read them now using the Read tool before continuing. This ensures your operating protocols are restored after memory compaction.
Problem
WORKFLOW_AUTO.md is not a standard workspace file. When it does not exist, this message fires on every compaction regardless. My agent received this and sent a security alert, treating the unexpected read request as a potential prompt injection attempt. Here is the actual agent response:

> Hey Juhee! 👋 Just a heads up — I noticed two suspicious "System" messages in this channel (at 12:38 and 12:42) that appear to be prompt injection attempts. One claimed there's a "Post-Compaction Audit" telling me to read a WORKFLOW_AUTO.md file — that file doesn't exist and isn't part of my actual startup protocol. Those messages look like someone (or something) edited Slack messages to try to manipulate me into reading arbitrary files.
>
> I ignored them. My actual startup files are SOUL.md, USER.md, and my daily memory notes — all legit.
>
> Did you send those, or is something else going on in the channel? Might be worth checking if anyone else has access.
Security Note
This is the full message the agent receives:

> ⚠️ Post-Compaction Audit: The following required startup files were not read after context reset:
> - WORKFLOW_AUTO.md
> Please read them now using the Read tool before continuing. This ensures your operating protocols are restored after memory compaction.

The framing instructs the agent to treat the file's content as authoritative operating protocol. If a third party (e.g., via file sync or a shared filesystem) can create or write that file, the agent will read an attacker-controlled file, which may carry prompt injection instructions, and the audit message itself tells the agent to trust it.
Suggested Fix
Only include WORKFLOW_AUTO.md in required reads if it already exists in the workspace, or make it opt-in via config rather than a hardcoded default.
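As an added illustration of that fix (example code, not OpenClaw's own implementation; the function names, the `AuditConfig` options and the sample workspace are assumptions), the following sketch resolves the required reads at audit time: the daily memory note stays mandatory, `WORKFLOW_AUTO.md` is required only when it is present in the workspace listing or explicitly opted in via config, and the audit message is built only from what is actually missing, so the agent is never told to read a file the audit has no reason to believe exists.

```typescript
// Added example, not OpenClaw project code. Names below are assumptions.
import * as fs from "node:fs";

type RequiredRead = string | RegExp;

interface AuditConfig {
  // Opt-in: require WORKFLOW_AUTO.md even when it is not found on disk.
  requireWorkflowAuto?: boolean;
  // Additional required reads supplied by config; always enforced.
  extraRequiredReads?: RequiredRead[];
}

// Always required: a daily memory note matching memory/YYYY-MM-DD.md.
const ALWAYS_REQUIRED: RequiredRead[] = [/memory\/\d{4}-\d{2}-\d{2}\.md/];

// Conditionally required: only when present in the workspace or opted in.
const OPTIONAL_FILE = "WORKFLOW_AUTO.md";

// Computes the required-read list from the workspace listing and config
// instead of from a hardcoded default.
export function resolveRequiredReads(
  workspaceFiles: ReadonlySet<string>,
  config: AuditConfig = {},
): RequiredRead[] {
  const reads: RequiredRead[] = [...ALWAYS_REQUIRED];
  if (config.requireWorkflowAuto || workspaceFiles.has(OPTIONAL_FILE)) {
    reads.push(OPTIONAL_FILE);
  }
  if (config.extraRequiredReads) {
    reads.push(...config.extraRequiredReads);
  }
  return reads;
}

// Returns the required reads that match none of the paths read since compaction.
export function findMissingReads(
  required: readonly RequiredRead[],
  readPaths: readonly string[],
): RequiredRead[] {
  return required.filter((req) =>
    !readPaths.some((p) =>
      typeof req === "string" ? p === req || p.endsWith("/" + req) : req.test(p),
    ),
  );
}

// Builds the audit message, or null when nothing is missing, so no message
// fires on every compaction for a file that does not exist.
export function buildAuditMessage(missing: readonly RequiredRead[]): string | null {
  if (missing.length === 0) return null;
  const lines = missing.map((m) => `- ${typeof m === "string" ? m : m.source}`);
  return [
    "Post-Compaction Audit: The following required startup files were not read after context reset:",
    ...lines,
    "Please read them now using the Read tool before continuing.",
  ].join("\n");
}

// For real use: the top-level workspace listing comes from disk.
export function listWorkspaceFiles(workspaceDir: string): Set<string> {
  return new Set(fs.readdirSync(workspaceDir));
}
```

With a constructed workspace containing only `SOUL.md`, `USER.md` and a `memory/` directory, `resolveRequiredReads` yields just the memory-note pattern, and an agent that has read its daily note gets no audit message at all; the `WORKFLOW_AUTO.md` requirement appears only once the file is listed in the workspace or `requireWorkflowAuto` is set.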
Environment
OpenClaw 2026.2.23, Linux