[Bug]: [Windows] exec() and read() commands corrupted with </arg_value>> suffix

[koden588-blip]

Bug type

Behavior bug (incorrect output/state without crash)

Summary

Description

All exec() and read() tool calls are being corrupted with </arg_value>> suffix on Windows.

Environment

• OS: Windows 10 (NT 10.0.19041 x64)
• Shell: PowerShell
• Node.js: v25.2.1
• Platform: Windows_NT

Reproduction

User input: echo "test"
Actual executed: echo "test</arg_value>> ← Suffix appended!

Impact

🔴 Critical - Blocks all file operations and command execution on Windows.

Attachments

Full analysis in workspace docs if needed.

Please patch at serialization/injection layer.

Steps to reproduce

local host

Expected behavior

nothing

Actual behavior

Blocks all file operations and command execution on Windows

OpenClaw version

2026.3.11

Operating system

windows 10

Install method

pnpm

Model

dashscope/qwen3.5-flash

Provider / routing chain

openclaw-dashscope/qwen3.5-flash

Config file / key location

No response

Additional provider/model setup details

No response

Logs, screenshots, and evidence

Impact and severity

No response

Additional information

No response

[Ryce]

This is a session-state integrity failure. When exec() and read() return corrupted output, that corruption gets written directly into the JSONL session transcript. The model receives the corrupted text in its context on the next turn, so all subsequent reasoning is based on poisoned input.

The dangerous part is not just the immediate failure — it is that there is no signal the state is wrong. The session continues operating on corrupted tool results as if they were valid. By the time you notice, the corruption has compounded through multiple turns.

This connects to a broader pattern where the gateway persists state (tool results, session transcripts, config snapshots) but has no validation that the persisted state matches what was actually produced. If you had a clean session snapshot before the corruption started, you could diff the two states and identify exactly when and where the corruption entered.

For anyone hitting this regularly on Windows — consider running automated session backups so you have pre-corruption snapshots to recover from. The transcript is the only record of what happened; if it is wrong, you have no way to reconstruct what actually occurred.

[Ryce]

This is tool output state corruption — every single command on Windows gets a silent suffix appended. The user runs echo "test" and the system executes echo "test</arg_value>>. The </arg_value>> is XML/HTML serialization leaking into the execution layer.

Pattern: the argument serialization boundary is injecting markup into the actual command string. This means the tool call argument parser is treating the value as XML-escaped content somewhere, then failing to unescape it before passing to the shell. Or the reverse — the serialization layer is wrapping values in XML tags but the deserialization on the Windows side isn't stripping them.

Critical because it's silent corruption. The command runs (doesn't crash), but produces wrong results. read() returns file contents with garbage appended. exec() runs commands with injected syntax. On a system like OpenClaw where the agent chains tool calls — reading a file, parsing its contents, executing based on what it read — this creates a cascading failure where every downstream operation is working on corrupted input.

This connects to a broader pattern across recent issues: the boundary between the tool call layer and the actual execution environment is leaking state. On Windows, the serialization format (likely XML-based for the tool call protocol) is bleeding into the execution format (shell commands). Two different state representations disagree on what the "real" value is.

For Windows users: until this is fixed, the entire tool chain is unreliable. If your config file paths or critical commands have any special characters, the corruption might not be as obvious as </arg_value>> — it could be subtler encoding issues that break things in harder-to-debug ways.

[openclaw-barnacle]

This issue has been automatically marked as stale due to inactivity.
Please add updates or it will be closed.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Summary
Keep open. Current main still has no </arg_value>> suffix repair, the active exec and read paths forward received strings unchanged, and open PR #48792 already targets this issue with closing syntax.

Reproducibility: yes. for the local boundary behavior: if exec receives command: "echo test</arg_value>>" or read receives a suffixed path, current main forwards that value unchanged. The original Windows/DashScope model emission was not live-reproduced in this read-only pass.

Next step
Not a separate repair-lane candidate because open PR #48792 already targets this issue with closing syntax; the next action is maintainer review, rework, land, or closure of that PR.

Security
Needs attention: The issue crosses the model-to-tool exec/read argument boundary, so any fix should be reviewed as security-sensitive command/path handling.

Review details

Best possible solution:

Keep this issue open until PR #48792 or a replacement lands a narrow fix at the malformed tool-argument or affected provider stream boundary, with regression coverage for the suffix and negative coverage for legitimate XML-like payload text.

Do we have a high-confidence way to reproduce the issue?

Yes for the local boundary behavior: if exec receives command: "echo test</arg_value>>" or read receives a suffixed path, current main forwards that value unchanged. The original Windows/DashScope model emission was not live-reproduced in this read-only pass.

Is this the best way to solve the issue?

No current-main solution exists yet. The maintainable fix should be narrow to the malformed argument boundary or provider stream path rather than a broad record-wide string scrub unless tests prove it preserves valid content.

Security concerns:

• [medium] Keep suffix repair narrow at command boundaries — src/agents/bash-tools.exec.ts:1768
  The reported artifact reaches shell commands and filesystem paths. A future patch should strip only the proven malformed suffix shape and include negative tests for legitimate XML-like content so command and path semantics are not silently changed.
  Confidence: 0.74

What I checked:

• Current main inspected: Review performed against current main SHA 89f73a5. (89f73a5ef2b0)
• No suffix sanitizer found: A targeted search found no implementation or tests for arg_value, </arg_value, stripXml, XML_ARG, or normalizeToolParams; only the existing malformed tool-call repair helper name matched. (89f73a5ef2b0)
• Exec forwards raw command: The exec handler casts incoming args to params.command and later passes params.command directly to runExecProcess. (src/agents/bash-tools.exec.ts:1768, 89f73a5ef2b0)
• Read forwards raw path record: createOpenClawReadTool() validates record.path but passes record ?? {} into adaptive read execution without normalizing string values. (src/agents/pi-tools.read.ts:681, 89f73a5ef2b0)
• Parameter validation does not rewrite strings: wrapToolParamValidation() validates required keys and then calls the wrapped tool with the original params object. (src/agents/pi-tools.params.ts:139, 89f73a5ef2b0)
• Existing malformed-argument repair preserves valid JSON: tryExtractUsableToolCallArguments() returns parsed object JSON as kind: "preserved", so valid JSON containing a suffixed command/path value is not repaired there. (src/agents/pi-embedded-runner/run/attempt.tool-call-argument-repair.ts:58, 89f73a5ef2b0)

Likely related people:

• steipete: Current blame and recent history route the active exec, read, param-validation, malformed tool-call repair, and Qwen provider manifest paths through Peter Steinberger's maintenance commits. (role: recent maintainer and likely follow-up owner; confidence: high; commits: 07f523be4a2f, ce1cd26fbcb0, e3ac0f43df3e; files: src/agents/bash-tools.exec.ts, src/agents/pi-tools.read.ts, src/agents/pi-tools.params.ts)
• vincentkoc: Recent main history shows Vincent Koc maintaining exec and agent runtime behavior near this surface, and the issue timeline shows this maintainer was mentioned/subscribed during the latest review pass. (role: adjacent agents/exec maintainer; confidence: medium; commits: 87b2a6a16aa2, 6f2e80418207, 2d53ffdec1da; files: src/agents/bash-tools.exec.ts, src/agents/pi-tools.params.ts)
• Vignesh Natarajan: History shows Vignesh Natarajan added malformed tool-call JSON recovery and structured write/edit parameter normalization, both adjacent to the reported argument-boundary behavior. (role: adjacent malformed tool-call repair contributor; confidence: medium; commits: a2e4707cfe4c, c8733822c547; files: src/agents/pi-embedded-runner/run/attempt.tool-call-argument-repair.ts, src/agents/pi-tools.read.ts)
• zerone0x: Provided GitHub context shows zerone0x opened PR fix(tools): strip arg_value XML suffix from exec/read args #48792 with a direct attempted fix for this exec/read suffix corruption; it remains open and unmerged. (role: open implementation candidate author; confidence: high; commits: 71c6c921fd6d; files: src/agents/bash-tools.exec.ts, src/agents/pi-tools.params.ts, src/agents/pi-tools.params.test.ts)

Remaining risk / open question:

• The live Windows/DashScope emission path was not reproduced in this read-only review; the conclusion rests on the issue discussion, supported provider route, and current source-level absence of a defensive fix.
• A broad sanitizer across all string tool parameters could corrupt legitimate XML-like command, path, write, or edit content, so the eventual fix needs narrow matching and negative tests.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 89f73a5ef2b0.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Keep this open. Current main still has no sanitizer for the reported </arg_value>> artifact, the active exec and read paths continue to forward string arguments unchanged, and an open implementation PR already targets this issue with closing syntax, so cleanup closure would be premature.

Required change / next step:

Not a repair-lane candidate because open PR #48792 already targets this issue with closing syntax; the next action is maintainer review or rework of that PR, not a separate automated fix PR.

Review details

Best possible solution:

Keep this issue open until PR #48792 or a replacement lands a narrow current-main fix at the active tool-argument boundary, with regression coverage for Qwen/DashScope suffixes and negative tests that preserve legitimate XML-like content.

What I checked:

• No current suffix sanitizer: A targeted current-main search found no arg_value, stripXmlArgValueSuffix, XML_ARG_VALUE, normalizeToolParams, or </arg_value implementation or regression test; only an unrelated assistant-visible XML test matched </arg. (e46dccb35374)
• Exec forwards raw command: The exec handler casts incoming args to params.command, validates only presence, then passes that same value into control-shell checks, node execution, gateway allowlist processing, script preflight, and runExecProcess without suffix cleanup. (src/agents/bash-tools.exec.ts:1444, e46dccb35374)
• Read forwards raw path record: createOpenClawReadTool() obtains record, validates required path, and passes record ?? {} to executeReadWithAdaptivePaging(); a suffix already present in record.path remains part of the filesystem argument and result label. (src/agents/pi-tools.read.ts:674, e46dccb35374)
• Parameter validation does not normalize strings: wrapToolParamValidation() validates required params, then calls the wrapped tool with the original params object; it does not rewrite string-valued arguments. (src/agents/pi-tools.params.ts:132, e46dccb35374)
• Existing malformed-argument repair preserves valid JSON values: tryExtractUsableToolCallArguments() immediately returns successfully parsed object JSON as kind: "preserved", so a valid payload such as { "command": "echo test</arg_value>>" } would keep the corrupted string rather than stripping the suffix. (src/agents/pi-embedded-runner/run/attempt.tool-call-argument-repair.ts:54, e46dccb35374)
• Qwen/DashScope provider path remains in repo: The bundled Qwen plugin still declares qwen, qwencloud, modelstudio, and dashscope provider aliases, so the reported provider route remains an OpenClaw-supported surface. (extensions/qwen/openclaw.plugin.json:7, e46dccb35374)

Likely related people:

• steipete: Current blame and path history in this checkout route the active exec, read, parameter-validation, and tool-call repair files through Peter Steinberger's recent main-branch maintenance commit. (role: recent maintainer and likely follow-up owner; confidence: high; commits: 34d11d57579d, e46dccb35374; files: src/agents/bash-tools.exec.ts, src/agents/pi-tools.read.ts, src/agents/pi-tools.params.ts)
• zerone0x: Opened PR fix(tools): strip arg_value XML suffix from exec/read args #48792 with a direct attempted fix for the reported exec/read </arg_value> suffix corruption, and that PR is still open and unmerged. (role: open implementation candidate author; confidence: high; commits: 71c6c921fd6d; files: src/agents/bash-tools.exec.ts, src/agents/pi-tools.params.ts, src/agents/pi-tools.params.test.ts)
• MonkeyLeeT: The changelog credits this handle on the nearby OpenAI-compatible malformed streamed tool-call argument repair path, which is the closest existing generic repair mechanism inspected for this issue. (role: adjacent malformed tool-call argument reporter/contributor; confidence: medium; files: src/agents/pi-embedded-runner/run/attempt.tool-call-argument-repair.ts, CHANGELOG.md)
• vincentkoc: The issue timeline shows this maintainer was mentioned and subscribed during the latest review pass, and the changelog shows repeated recent agents/runtime maintenance around tool-call, gateway, and provider surfaces adjacent to this behavior. (role: adjacent agents/runtime maintainer; confidence: medium; files: src/agents/bash-tools.exec.ts, src/agents/pi-tools.params.ts, src/agents/pi-embedded-runner/run/attempt.tool-call-argument-repair.ts)

Remaining risk / open question:

• The exact provider emission is still based on the issue discussion rather than a fresh live Windows/DashScope reproduction, but current main has no defensive fix for the reported suffix shape.
• A broad record-wide sanitizer could corrupt legitimate XML-like write/edit content, so a fix needs narrow scope and negative coverage for valid XML-like payload text.

Codex review notes: model gpt-5.5, reasoning high; reviewed against e46dccb35374.