Subagent completion output leaks internal tool-failure reasoning to requester session

[cryptopoly]

Summary

When a subagent encounters a tool failure (e.g. calling message with a session key instead of a Telegram chat ID), the agent's internal reasoning about the failure leaks into the auto-announce completion output delivered to the requester session.

Steps to reproduce

1. Spawn a subagent with sessions_spawn
2. Subagent attempts to use message tool with a session key (e.g. agent:main:main) instead of a Telegram chat ID
3. Tool fails with an error
4. Subagent writes internal reasoning: "The message tool needs a Telegram chat ID, not a session key..."
5. This reasoning appears verbatim in the auto-announce output delivered back to the parent session

Expected behaviour

Subagent completion output should only include the final task result, not internal tool-failure reasoning or debugging thoughts.

Actual behaviour

Internal reasoning / error-handling thoughts from the subagent are forwarded to the requester as part of the completion announcement.

Impact

• Confuses end users who receive raw internal agent reasoning in their chat
• Exposes implementation details (session keys, tool names, error messages)
• Occurs reliably whenever a subagent misuses a channel tool

Proposed fixes

1. Strip tool-failure reasoning from subagent completion output before delivering to requester session
2. OR gate message tool in subagent context so it cannot be called with session key format (validate input, reject early with helpful error)
3. Longer term: Separate internal monologue from task result in subagent output pipeline

Workaround

Updated all subagent AGENTS.md files with explicit rule: use sessions_send (not message tool) for inter-agent communication. This prevents the trigger but doesn't fix the underlying leak.

Environment

• OpenClaw version: 2026.3.2
• Runtime: subagent (sessions_spawn)
• Affected tool: message (channel tool)

[mvanhorn]

Fix submitted in #39367 - skips error tool results (is_error/isError: true) in extractSubagentOutputText so internal tool-failure text no longer leaks to the parent session.

[openclaw-barnacle]

This issue has been automatically marked as stale due to inactivity.
Please add updates or it will be closed.

[clawsweeper]

Thanks for the context here. I did a careful shell check against current main, and this is already implemented.

Close: current main now prevents subagent completion selection from promoting tool/toolResult or user text into requester-visible completion output, with regression coverage and docs; the fix is current-main-only after v2026.5.22.

So I’m closing this as already implemented rather than keeping a duplicate issue open.

Review details

Best possible solution:

Keep the stricter current-main selector and tests, and treat broader lost-context or stale-output subagent reports as separate follow-up items.

Do we have a high-confidence way to reproduce the issue?

Yes, at source level for the historical/shipped path: v2026.5.22 still promotes tool/toolResult text, while current main's selector and tests block that path. I did not run a live subagent because this review is read-only.

Is this the best way to solve the issue?

Yes. The current-main solution is narrower and safer than filtering only error tool results because it removes raw tool/toolResult and user fallback from completion selection while preserving visible assistant output and safe no-output summaries.

Security review:

Security review cleared: Current main clears the reported information-leak selector path; the fix is not in v2026.5.22 yet.

What I checked:

• Current selector ignores tool results: Current main's subagent output snapshot only records assistant text, silent reply markers, sessions_yield continuation state, and a tool-call count; selectSubagentOutputText() has no raw tool/toolResult or user-text fallback. (src/agents/subagent-announce-output.ts:132, acf265d4d51d)
• Regression coverage blocks tool-output fallback: Unit tests cover trailing toolResult output and tool-output-only histories, asserting they are not returned as child completion output. (src/agents/subagent-announce-output.test.ts:92, acf265d4d51d)
• Completion-mode coverage blocks tool-output fallback: E2E-format coverage asserts completion announcements use assistant output when present and do not include toolResult-only fallback text when assistant output is empty. (src/agents/subagent-announce.format.e2e.test.ts:2013, acf265d4d51d)
• User-facing docs now state the contract: The subagent docs now say the Result is the latest visible assistant reply and that tool/toolResult output is not promoted into child results. Public docs: docs/tools/subagents.md. (docs/tools/subagents.md:94, acf265d4d51d)
• Fix provenance from blame: Blame ties the current selector shape to a705a9c, with b52c31f only adding the safe tool-call-count summary. (src/agents/subagent-announce-output.ts:132, a705a9c911bc)
• Fix commit details: Commit a705a9c introduced the current subagent announce output helper and focused no-tool-output tests on main at 2026-05-23T22:24:25+01:00. (src/agents/subagent-announce-output.ts:132, a705a9c911bc)

Likely related people:

• steipete: Authored the current main selector/test implementation that blocks tool-result promotion and has the heaviest recent history in the subagent announce surface. (role: recent area contributor; confidence: high; commits: a705a9c911bc, b52c31fe0e12, d73f3ac85d5f; files: src/agents/subagent-announce-output.ts, src/agents/subagent-announce-output.test.ts, src/agents/subagent-announce.ts)
• mvanhorn: Authored the closed unmerged branch that targeted this exact tool-failure reasoning leak with an error-tool-result guard and regression tests. (role: prior proposed fix author; confidence: high; commits: 7f25f5432308; files: src/agents/subagent-announce.ts, src/agents/subagent-announce.filter-tool-error-output.test.ts)
• Vincent Koc: Recent history shows subagent lifecycle and announce-adjacent fixes that may be relevant for any follow-up in the same runtime area. (role: recent adjacent contributor; confidence: medium; commits: 48042c387556, 350299401ff0, d23a81baa15d; files: src/agents/subagent-announce.ts, src/agents/subagent-registry-lifecycle.ts, src/agents/subagent-announce.format.e2e.test.ts)
• Tyler Yust: Earlier merged work in subagent announce delivery and descendant gating is part of the same completion-delivery behavior family. (role: adjacent announce delivery contributor; confidence: medium; commits: 81b93b9ce04b, 38543d819690, 41cf93efff4d; files: src/agents/subagent-announce.ts, src/agents/subagent-announce-delivery.ts, src/agents/subagent-registry-lifecycle.ts)

Codex review notes: model gpt-5.5, reasoning high; reviewed against acf265d4d51d; fix evidence: commit a705a9c911bc, main fix timestamp 2026-05-23T22:24:25+01:00.

[dcapclaw]

We've been hitting this exact symptom locally — the cause is that the announce flow's childFindings branch never runs the isAnnounceSkip check. When the sub-agent uses tools that produce childCompletionFindings (e.g., web_search returning a Tavily payload), the flow skips the ANNOUNCE_SKIP check entirely and falls through to inject the tool result text into the parent session.

Suggested fix: add an explicit if (childCompletionFindings) { ... } mirror of the !childCompletionFindings branch that re-runs readSubagentOutput and checks isAnnounceSkip / isSilentReplyText before falling through. Running locally as a patch since 2026-04-15.

OpenClaw 2026.4.26 reproducer file: dist/subagent-announce-Dim2fAZI.js (hash floats — the one with childCompletionFindings).