Discord leaks internal tool-call traces (NO_REPLY, commentary, to=functions) to channel

[ychi6567-glitch]

Summary

Discord channels occasionally surface internal LLM tool-call artifacts that should never be visible to end-users. The leaked content includes:

• NO_REPLY
• to=functions.memory_search
• commentary
• Raw tool-call JSON arguments (e.g. {"query":"...","maxResults":5})
• recipient_name / parameters envelope fields

Other channels (Telegram, WhatsApp, Signal) do not exhibit this issue.

Expected Behavior

1. NO_REPLY should be consumed silently — never sent to any channel.
2. commentary, to=functions.*, tool-call JSON, and other internal envelope fields should be stripped before delivery.
3. Only natural-language content should reach end-users.

Actual Behavior

Discord intermittently delivers raw internal messages as visible chat messages in the channel.

Root Cause Analysis

Traced through the delivery pipeline in v2026.3.8:

1. Discord missing from PLAIN_TEXT_SURFACES (src/infra/outbound/sanitize-text.ts)

const PLAIN_TEXT_SURFACES = new Set([
  "whatsapp", "signal", "sms", "irc", "telegram", "imessage", "googlechat"
  // ← "discord" is absent
]);

normalizePayloadsForChannelDelivery() calls sanitizeForPlainText() only for surfaces in this set. Discord payloads skip sanitization entirely.

2. sanitizeTextContent() does not strip tool-routing traces (src/auto-reply/extract-text.ts)

function sanitizeTextContent(text) {
  return stripThinkingTagsFromText(stripDowngradedToolCallText(stripMinimaxToolCallXml(text)));
}

This strips thinking tags and Minimax XML, but does not catch:

• NO_REPLY
• to=functions.*
• commentary
• Bare JSON tool arguments

3. sendDiscordText() has no pre-send filter (src/infra/send/discord.ts)

The Discord send path serializes and posts the text chunk directly — no final sanitization gate.

4. NO_REPLY suppression has a gap (src/infra/outbound/normalize.ts)

In normalizeReplyPayloadsForDelivery, silent payloads are only suppressed when mergedMedia.length === 0. Payloads with media attached can pass through with NO_REPLY still in the text.

High-Probability Trigger Scenarios

• Inter-session / cross-agent message relay
• Subagent completion auto-forwarding
• Intermediate tool-call messages during multi-step reasoning
• NO_REPLY return branches

Suggested Fix

Add a universal outbound sanitizer in normalizePayloadsForChannelDelivery (or equivalent) that runs for all channels, not just plain-text surfaces:

const INTERNAL_TRACE_RE = /^(?:NO_REPLY|to=functions\.\S+.*|commentary|recipient_name|parameters)$/m;
const TOOL_JSON_RE = /^\s*\{\s*"(?:query|maxResults|tool_name|function_call|name)"\s*:/m;

function stripInternalTraces(text) {
  if (!text) return text;
  const trimmed = text.trim();
  if (trimmed === "NO_REPLY") return null;
  if (INTERNAL_TRACE_RE.test(trimmed)) return null;
  if (TOOL_JSON_RE.test(trimmed) && trimmed.length < 500) return null;
  return text
    .replace(/^NO_REPLY\s*/gm, "")
    .replace(/^to=functions\.\S+.*$/gm, "")
    .replace(/^commentary\s*$/gm, "")
    .replace(/^recipient_name\s*$/gm, "")
    .replace(/^parameters\s*$/gm, "")
    .replace(/\n{3,}/g, "\n\n")
    .trim() || null;
}

Also enhance sanitizeTextContent() to strip the same patterns at the extraction layer.

Environment

• OpenClaw: 2026.3.8 (3caab92)
• Platform: macOS (darwin)
• Channels affected: Discord
• Channels working correctly: Telegram, WhatsApp, Signal

[dsantoreis]

Confirmed this one. Traced through the delivery pipeline:

The PLAIN_TEXT_SURFACES angle is a red herring. That set controls HTML-to-markdown conversion (sanitizeForPlainText) for channels that cannot render HTML tags. Discord supports markdown natively so its absence is intentional.

The actual root cause is a missing send-level guard in Discord.

Slack has this at src/slack/send.ts:259:

if (isSilentReplyText(trimmedMessage) && !opts.mediaUrl && !opts.blocks) {
  logVerbose("slack send: suppressed NO_REPLY token before API call");
  return { messageId: "suppressed", channelId: "" };
}

Discord has no equivalent. sendMessageDiscord (src/discord/send.outbound.ts:132) takes text straight through to chunking and delivery with zero silent-token filtering.

The shared delivery pipeline (normalizeReplyPayloadsForDelivery in src/infra/outbound/payloads.ts) does catch NO_REPLY via parsed.isSilent, but only when mergedMedia.length === 0. Payloads with attached media pass through with NO_REPLY still in the text body. This media-gap hits Discord harder because it lacks the final send-level guard that Slack has.

The to=functions.* and raw tool-call JSON leaks are a separate code path. sanitizeTextContent (used in src/agents/subagent-announce.ts for subagent completion forwarding) strips thinking tags and minimax XML but does not strip tool-routing envelope fields. These traces reach the delivery pipeline as normal text content.

Fix surface area:

1. Add isSilentReplyText guard to sendMessageDiscord (parity with Slack)
2. Strip NO_REPLY from text in media-carrying payloads in normalizeReplyPayloadsForDelivery
3. Extend sanitizeTextContent to strip to=functions.* prefixes and bare tool-call JSON from subagent completion text

[dsantoreis]

Traced through the delivery pipeline on main (3caab92). The root cause analysis in the issue is on the right track but the fix scope is broader than adding Discord to PLAIN_TEXT_SURFACES.

What I found

PLAIN_TEXT_SURFACES controls HTML tag sanitization (converting <br>, <b>, etc. to lightweight markup). Adding Discord there would strip HTML tags but would not address the tool-routing traces like to=functions.*, commentary, or bare JSON tool args. Those patterns are not handled anywhere in the outbound pipeline today.

The actual delivery flow:

1. normalizeReplyPayloadsForDelivery() in payloads.ts catches NO_REPLY via isSilentReplyText() (exact match on ^\s*NO_REPLY\s*$). This works correctly for standalone NO_REPLY, but the gap noted in the issue about media payloads bypassing suppression (parsed.isSilent && mergedMedia.length === 0) is real.

2. sanitizeTextContent() in sessions-helpers.ts strips [Tool Call]/[Tool Result] patterns, thinking tags, Minimax XML, and model special tokens (<|...|>), but does not cover to=functions.*, commentary, recipient_name, parameters, or bare JSON tool arguments.

3. normalizePayloadsForChannelDelivery() in deliver.ts only runs sanitizeForPlainText() for channels in PLAIN_TEXT_SURFACES. Discord, Slack, and others skip this entirely. There is no universal outbound filter for model-emitted tool-routing artifacts.

Fix

I have a branch ready (fix/44905-discord-tool-trace-leak) that adds stripInternalTraces() to sanitize-text.ts and wires it into normalizePayloadsForChannelDelivery() so it runs for all channels before the HTML sanitization step. It suppresses entire payloads that are purely internal traces and strips individual trace lines from multi-line text. All 295 existing outbound tests pass plus 12 new tests for the stripping logic.

Currently at the barnacle PR limit so cannot open a PR yet, but the branch is ready on the fork.

[ychi6567-glitch]

Thanks for the detailed triage and the fix branch! The Slack-parity guard angle makes a lot of sense — glad the root cause is clearer now. Looking forward to the PR when the limit frees up. 🦞

[mbelinky]

Related update: #61282 is now merged in commit 4175cae.

What #61282 fixes:

• commentary-phase assistant text is now suppressed at the shared embedded subscribe delivery boundary before it can become a user-visible partial or final reply

Why this issue stays open:

• This Discord thread mixes commentary leakage with broader sanitization / NO_REPLY / raw tool-envelope concerns.
• fix(agents): suppress commentary-phase output leaks #61282 likely covers the commentary-tagged subset, but it does not prove the remaining Discord-specific sanitizer claims are resolved.

Leaving this issue open for the non-commentary / sanitizer-specific remainder.

[sanchezm86]

Additional leak variant: REPLY_SKIP control token visible in public Discord channel

Adding a new leak pattern to this issue's family.

Observed

• Internal control sentinel REPLY_SKIP appeared as visible assistant output in a public Discord channel
• Previously observed related leaks in the same family: ANNOUNCE_SKIP, NO_REPLY, and tool-call/commentary envelope content (already documented in this issue)

Why it matters

REPLY_SKIP is an internal runtime routing token — it should be consumed by the output pipeline and never reach channel delivery. Its appearance in a public Discord lane confirms the output-sanitization gap extends beyond the tokens already documented here.

Suggested fix direction

All internal control tokens (REPLY_SKIP, ANNOUNCE_SKIP, NO_REPLY, and any similar sentinel markers) should be stripped or consumed at the channel-delivery boundary before any output reaches Discord or other user-facing surfaces.

---

Repro environment: Linux, custom gateway deployment. Flagging here rather than opening a new issue since this appears to be the same output-sanitization failure family — maintainers please advise if a separate issue would be preferred for control-token leakage vs. tool-call trace leakage.

[openclaw-barnacle]

This issue has been automatically marked as stale due to inactivity.
Please add updates or it will be closed.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve. Reviewed June 10, 2026, 9:36 PM ET / 01:36 UTC.

Summary
Current main has materially improved commentary suppression, control-token handling, tool-call block repair, and Discord front-channel sanitation, but the exact reported envelope forms (to=functions.*, recipient_name, parameters, and short bare argument JSON) are not all covered by the conservative line filters visible at the supplied SHA. The broader audience-boundary problem is also actively tracked in #25592, but this issue retains useful Discord-specific reproduction and sanitizer evidence rather than being a proven duplicate.

Reproducibility: yes. at source level: current main has identifiable paths and sanitizer profiles where malformed envelope-shaped text can be treated differently from typed commentary and exact control tokens. This read-only review did not perform a live Discord reproduction.

Next step
Keep coordinated with the broader audience-boundary work; a maintainer must choose the permanent typed event boundary and acceptable fallback-filter scope before another fix PR is attempted.

Review details

Best possible solution:

Enforce structured phase/audience filtering before reply payload creation for normal provider events, then add narrowly tested shared text repair for proven malformed envelope variants, with Discord front-channel sanitation retained as defense in depth.

Do we have a high-confidence way to reproduce the issue?

Yes at source level: current main has identifiable paths and sanitizer profiles where malformed envelope-shaped text can be treated differently from typed commentary and exact control tokens. This read-only review did not perform a live Discord reproduction.

Is this the best way to solve the issue?

No, the proposed universal regex sanitizer is not the best primary fix because it infers private audience from ordinary text and JSON. The maintainable solution is typed audience filtering plus conservative shared fallback repair for specifically proven malformed forms.

AGENTS.md: found and applied where relevant.

Remaining risk / open question:

• A universal regex that rejects generic JSON or words such as parameters could silently drop legitimate user-facing technical replies.
• Fixing only Discord would leave the same malformed fallback content available to other channel paths and create divergent sanitizer behavior.
• Treating every tool-progress payload as internal would remove intentionally visible progress messages; the audience or payload-kind contract needs an explicit maintainer decision.

Codex review notes: reasoning high; reviewed against 46a344225181.

Label changes

Label changes:

• remove clawsweeper:fix-shape-clear: Current issue advisory state no longer selects this label.
• remove clawsweeper:needs-security-review: Current issue advisory state no longer selects this label.

Label justifications:

• P1: Internal orchestration text can be exposed in active user channels, which is an urgent trust and messaging regression even though it is intermittent.
• impact:security: Leaked tool names and argument payloads can disclose internal operations or sensitive data to unintended Discord participants.
• impact:message-loss: The affected boundary decides whether content is delivered or suppressed, and an overbroad repair could silently discard legitimate replies.

Evidence reviewed

What I checked:

• Current Discord boundary: Discord inbound reply delivery now passes final and block payloads through a front-channel sanitizer before transport, but tool-progress payloads intentionally use a profile that preserves trace lines. (extensions/discord/src/monitor/message-handler.process.ts:677, 46a344225181)
• Sanitizer coverage gap: The shared internal-line detector covers emoji-prefixed command/failure traces and lines beginning with tool-call, tool-result, or function-call labels; its patterns do not directly match the reported to=functions.*, recipient_name, parameters, or arbitrary short bare JSON forms. (src/shared/text/assistant-visible-text.ts:15, 46a344225181)
• Profile behavior: Normal delivery runs internal-trace stripping, while the tool-progress profile explicitly disables it; this makes the intended audience boundary dependent on the payload kind and upstream event classification. (src/shared/text/assistant-visible-text.ts:824, 46a344225181)
• Partial merged fix: Merged pull request fix(agents): suppress commentary-phase output leaks #61282 suppresses commentary-phase assistant output at the embedded subscription boundary, confirming that one reported subset was fixed without proving the remaining malformed-envelope cases. (src/agents/pi-embedded-subscribe.handlers.messages.ts, 4175caee6e95)
• Recent hardening provenance: Three June commits added conservative Discord/shared sanitation for internal agent failure traces, compact command failures, and tool-progress scaffolding; those improvements postdate the May retest but do not demonstrate coverage of every envelope listed in this issue. (src/shared/text/assistant-visible-text.ts:15, 8f1ae5967ef2)
• Codex protocol contract: Codex represents assistant message phase as structured MessagePhase metadata on AgentMessageItem; this supports filtering commentary/final audience at the typed event boundary rather than inferring all normal cases from rendered text. (../codex/codex-rs/core/src/event_mapping.rs:108, 0e461ae2b7d9)

Likely related people:

• obviyus: Committed the June follow-up fixes that expanded the shared Discord trace sanitizer and merged the original failure-trace work. (role: recent sanitizer contributor and merger; confidence: high; commits: a8bf14da846e, d82bfcecb1d8, 8f1ae5967ef2; files: src/shared/text/assistant-visible-text.ts, extensions/discord/src/monitor/reply-safety.ts, extensions/discord/src/monitor/message-handler.process.ts)
• fuller-stack-dev: Authored the source change that moved internal failure-trace sanitation into shared visible-text handling and Discord delivery. (role: introduced recent Discord failure-trace hardening; confidence: high; commits: a8bf14da846e; files: src/shared/text/assistant-visible-text.ts, extensions/discord/src/monitor/reply-safety.ts, extensions/discord/src/monitor/message-handler.process.ts)
• mbelinky: Authored the merged typed commentary suppression that fixed one major subset of this report and is relevant to choosing the remaining owner boundary. (role: commentary-phase fix author; confidence: high; commits: 4175caee6e95; files: src/agents/pi-embedded-subscribe.handlers.messages.ts)
• steipete: Recent history shows repeated work across the shared visible-text sanitizer and Discord outbound lifecycle, including tool-response leak repair and Discord transport refactors. (role: recent adjacent owner; confidence: medium; commits: 8ac30279b302, 29b5563ccda2, 05eda57b3c72; files: src/shared/text/assistant-visible-text.ts, extensions/discord/src/send.outbound.ts)

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.