[Bug]: tools/sandbox: MEDIA_MAX_BYTES (5 MB) is hardcoded and not user-configurable

[lijihua2017]

Bug type

Regression (worked before, now fails)

Summary

Bug Description

The sandbox media staging limit is hardcoded at 5 MB in dist/store-*.js:

const MEDIA_MAX_BYTES = 5 * 1024 * 1024;

Files larger than 5 MB (e.g. large PDFs, PowerPoint files, images) cannot be
copied into the sandbox container and silently fail or are rejected.

This constant has been hardcoded since at least v2026.3.7 and is still present
in v2026.3.8.
Expected Behavior
MEDIA_MAX_BYTES should be user-configurable via openclaw.json, for example:
{
"tools": {
"media": {
"maxBytes": 524288000
}
}
}

The existing tools.media.image.maxBytes and tools.media.audio.maxBytes
per-type config keys suggest the infrastructure already supports per-type limits,
but there is no way to override the sandbox staging cap that applies before
the per-type check.

### Steps to reproduce

Configure a sandboxed agent (sandbox.mode: "non-main")
Send a file larger than 5 MB (e.g. a 10 MB PDF or PPTX)
Observe the file is rejected / not available inside the sandbox

### Expected behavior

MEDIA_MAX_BYTES should be user-configurable via openclaw.json, for example:
{
"tools": {
"media": {
"maxBytes": 524288000
}
}
}

The existing tools.media.image.maxBytes and tools.media.audio.maxBytes
per-type config keys suggest the infrastructure already supports per-type limits,
but there is no way to override the sandbox staging cap that applies before
the per-type check.

Steps to Reproduce
Configure a sandboxed agent (sandbox.mode: "non-main")
Send a file larger than 5 MB (e.g. a 10 MB PDF or PPTX)
Observe the file is rejected / not available inside the sandbox
Workaround
Manually patch dist/store-*.js after every npm install -g openclaw update:
sed -i 's/const MEDIA_MAX_BYTES = 5 \* 1024 \* 1024/const MEDIA_MAX_BYTES = 500 * 1024 * 1024/' \
$(find $(npm root -g)/openclaw/dist -name "store-*.js")
openclaw gateway restart

### Actual behavior

Files larger than 5 MB (e.g. large PDFs, PowerPoint files, images) cannot be
copied into the sandbox container and silently fail or are rejected.

This constant has been hardcoded since at least v2026.3.7 and is still present
in v2026.3.8.

### OpenClaw version

2026.3.8

### Operating system

ubuntu 24

### Install method

npm

### Logs, screenshots, and evidence

```shell

Impact and severity

No response

Additional information

No response

[openclaw-barnacle]

This issue has been automatically marked as stale due to inactivity.
Please add updates or it will be closed.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve. Reviewed June 12, 2026, 1:02 AM ET / 05:02 UTC.

Summary
The issue remains necessary: current main still hardcodes the shared 5 MiB media-store limit, and sandbox staging still blocks larger files. The request needs maintainer product and security judgment because changing this limit can affect non-sandbox callers and resource-exhaustion exposure.

Reproducibility: yes. at source level. Current main directly binds sandbox staging to a fixed 5 MiB constant and has an explicit blocking branch for larger files, although this read-only review did not run a live gateway transfer.

Next step
Maintainers need to choose global versus sandbox-specific scope, a safe maximum, and the resource-security owner before a fix PR is safe to queue.

Review details

Best possible solution:

Define one bounded media-store limit policy with a safe default and actionable rejection, then expose it at the narrowest owner boundary maintainers choose—preferably passing the resolved limit through existing maxBytes seams instead of mutable global state.

Do we have a high-confidence way to reproduce the issue?

Yes at source level. Current main directly binds sandbox staging to a fixed 5 MiB constant and has an explicit blocking branch for larger files, although this read-only review did not run a live gateway transfer.

Is this the best way to solve the issue?

Unclear. Configurability is plausible, but the proposed global mutable setting is not yet proven to be the narrowest or safest solution because the constant is shared by other media paths.

AGENTS.md: found and applied where relevant.

Remaining risk / open question:

• A global override could raise limits for inbound storage, plugin SDK consumers, and outbound attachment hydration rather than only sandbox staging.
• Large configurable values can increase disk consumption, memory pressure, network transfer, and denial-of-service exposure.
• The earlier PR's mutable process-global approach and 500 MiB ceiling were not validated with a real oversized-file gateway workflow.

Codex review notes: model internal, reasoning high; reviewed against ff04e24eadef.

Label changes

Label changes:

• add clawsweeper:fix-shape-clear: Current issue advisory state selects this label.
• remove clawsweeper:needs-security-review: Current issue advisory state no longer selects this label.

Label justifications:

• P2: The fixed cap blocks common larger documents for affected sandboxed workflows but leaves the broader runtime usable.
• impact:message-loss: An oversized attachment is blocked before its contents become available to the sandboxed agent.

Evidence reviewed

What I checked:

• Current fixed limit: Current main exports MEDIA_MAX_BYTES as a fixed 5 MiB per-file media-store cap used by inbound staging and plugin SDK callers. (src/media/store.ts:28, ff04e24eadef)
• Source reproduction: Sandbox staging aliases STAGED_MEDIA_MAX_BYTES to MEDIA_MAX_BYTES and blocks an inbound source when its size exceeds that value, establishing the reported failure path from current source. (src/auto-reply/reply/stage-sandbox-media.ts:22, ff04e24eadef)
• Shared behavior surface: The same fixed constant is imported by outbound attachment handling, so a global override would affect more than sandbox staging. (src/infra/outbound/message-action-params.ts:23, ff04e24eadef)
• Existing internal seam: The media store already accepts explicit maxBytes values in several operations, suggesting a scoped policy can reuse current seams instead of introducing mutable process-global state. (src/media/store.ts:89, ff04e24eadef)
• Prior implementation attempt: The focused configuration PR was closed unmerged and explicitly lacked a real gateway and oversized-file end-to-end test, so it does not resolve or safely supersede this issue.
• Repository direction: VISION.md prioritizes secure defaults while allowing explicit operator-controlled knobs for trusted high-power workflows, supporting continued design work with bounded security policy. (VISION.md:34, ff04e24eadef)

Likely related people:

• neeravmakwana: Recent merged history includes work to honor explicit media-store limits, directly adjacent to the requested policy surface. (role: recent media-store contributor; confidence: medium; commits: a743b30b8b0f; files: src/media/store.ts, src/config/types.openclaw.ts)
• vincentkoc: Recent history in media storage and image-operation boundaries overlaps the shared resource-limit behavior and its security implications. (role: media runtime contributor; confidence: medium; commits: ba9eaf2ee219, e174d96cc0b2, 0ed4f8a72bb1; files: src/media/store.ts, src/media/image-ops.ts)
• steipete: Merged work across agent image sanitization and attachment handling makes this a useful routing candidate for choosing a canonical media-limit policy. (role: adjacent media-policy contributor; confidence: medium; commits: b05e89e5e605, 2706cbd6d732, 3e2bc28e5147; files: src/agents/image-sanitization.ts, src/agents/tool-images.ts, src/auto-reply/reply/dispatch-acp-attachments.ts)

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.