Bug type
Regression (worked before, now fails)
Summary
Problem Description
When the sandbox is configured with workspaceAccess: "rw", the agent inside the sandbox cannot read the SKILL.md files of managed skills (~/.openclaw/skills/) or bundled/plugin skills (/usr/lib/node_modules/openclaw/skills/, extensions/*/skills/). The following error occurs:
[tools] read failed: Path escapes sandbox root (~/.openclaw/workspaces/workspace-xxx): /usr/lib/node_modules/openclaw/extensions/feishu/skills/feishu-doc/SKILL.md
Environment Configuration
agents.defaults.sandbox.workspaceAccess: "rw"
agents.defaults.sandbox.scope: "agent"
Attempted to use binds to mount the skills directory into the sandbox, but it was ineffective.
Root Cause
In workspaceAccess: "rw" mode, the sandbox read tool's path resolver uses the workspace directory as the sandbox root.
When the agent calls read to access a skill path (e.g., /usr/lib/.../feishu-doc/SKILL.md), the path resolver checks whether that path is within the workspace.
Since the skill path is an absolute path on the host and is not located within the workspace directory, it triggers the "Path escapes sandbox root" error.
The bind mount path matching logic does not take effect in this mode. While the code contains checks for container and host mounts, the rw mode follows a simplified validation path that strictly uses the workspace root as the boundary.
Comparison with Existing Mechanisms
workspaceAccess: "none" mode: OpenClaw has a built-in syncSkillsToWorkspace() function that automatically mirrors (copies) eligible skills into the skills/ directory of the sandbox workspace. The in the system prompt points to the path inside the sandbox, so no escape error is triggered.
workspaceAccess: "rw" mode: Lacks an automatic visibility mechanism for non-workspace skills.
Steps to reproduce
Configure the sandbox with workspaceAccess: "rw".
Start a staff agent (which creates an independent workspace).
Have the agent use feishu-doc or any other managed/bundled skill.
Check the logs to see the "Path escapes sandbox root" error.
Expected behavior
When the sandbox is configured with workspaceAccess: "rw", the agent should still be able to access and read the system-level and managed skills provided in the system prompt. The environment should ensure these skill files are either mirrored into the workspace or correctly mapped within the sandbox boundary, allowing for multi-step tasks that rely on those skills.
Actual behavior
The agent fails to read the SKILL.md files for non-workspace skills. Any attempt to access paths outside the specific workspace directory (such as /usr/lib/node_modules/openclaw/... or ~/.openclaw/skills/...) is blocked by the path resolver, resulting in a "Path escapes sandbox root" error. This effectively breaks all core skills for agents running in rw mode unless those skills are manually copied into the workspace beforehand.
OpenClaw version
2026.03.13
Operating system
Ubuntu24
Install method
No response
Model
claude-sonnet-4.6
Provider / routing chain
openclaw-openrouter-claude-sonne-4.6
Config file / key location
No response
Additional provider/model setup details
No response
Logs, screenshots, and evidence
Impact and severity
No response
Additional information
No response
Bug type
Regression (worked before, now fails)
Summary
Problem Description
When the sandbox is configured with workspaceAccess: "rw", the agent inside the sandbox cannot read the SKILL.md files of managed skills (~/.openclaw/skills/) or bundled/plugin skills (/usr/lib/node_modules/openclaw/skills/, extensions/*/skills/). The following error occurs:
[tools] read failed: Path escapes sandbox root (~/.openclaw/workspaces/workspace-xxx): /usr/lib/node_modules/openclaw/extensions/feishu/skills/feishu-doc/SKILL.md
Environment Configuration
agents.defaults.sandbox.workspaceAccess: "rw"
agents.defaults.sandbox.scope: "agent"
Attempted to use binds to mount the skills directory into the sandbox, but it was ineffective.
Root Cause
In workspaceAccess: "rw" mode, the sandbox read tool's path resolver uses the workspace directory as the sandbox root.
When the agent calls read to access a skill path (e.g., /usr/lib/.../feishu-doc/SKILL.md), the path resolver checks whether that path is within the workspace.
Since the skill path is an absolute path on the host and is not located within the workspace directory, it triggers the "Path escapes sandbox root" error.
The bind mount path matching logic does not take effect in this mode. While the code contains checks for container and host mounts, the rw mode follows a simplified validation path that strictly uses the workspace root as the boundary.
Comparison with Existing Mechanisms
workspaceAccess: "none" mode: OpenClaw has a built-in syncSkillsToWorkspace() function that automatically mirrors (copies) eligible skills into the skills/ directory of the sandbox workspace. The in the system prompt points to the path inside the sandbox, so no escape error is triggered.
workspaceAccess: "rw" mode: Lacks an automatic visibility mechanism for non-workspace skills.
Steps to reproduce
Configure the sandbox with workspaceAccess: "rw".
Start a staff agent (which creates an independent workspace).
Have the agent use feishu-doc or any other managed/bundled skill.
Check the logs to see the "Path escapes sandbox root" error.
Expected behavior
When the sandbox is configured with workspaceAccess: "rw", the agent should still be able to access and read the system-level and managed skills provided in the system prompt. The environment should ensure these skill files are either mirrored into the workspace or correctly mapped within the sandbox boundary, allowing for multi-step tasks that rely on those skills.
Actual behavior
The agent fails to read the SKILL.md files for non-workspace skills. Any attempt to access paths outside the specific workspace directory (such as /usr/lib/node_modules/openclaw/... or ~/.openclaw/skills/...) is blocked by the path resolver, resulting in a "Path escapes sandbox root" error. This effectively breaks all core skills for agents running in rw mode unless those skills are manually copied into the workspace beforehand.
OpenClaw version
2026.03.13
Operating system
Ubuntu24
Install method
No response
Model
claude-sonnet-4.6
Provider / routing chain
openclaw-openrouter-claude-sonne-4.6
Config file / key location
No response
Additional provider/model setup details
No response
Logs, screenshots, and evidence
Impact and severity
No response
Additional information
No response