[Bug]: Telegram/Codex still leaks commentary-phase tool-call trace text with multilingual garbage tokens in 2026.3.13

[hyspacex]

Summary

OpenClaw can still leak internal commentary / tool-call trace text into Telegram user-visible messages in 2026.3.13 when using openai-codex/gpt-5.4.

The leaked text includes:

• raw tool-call-like JSON arguments
• internal routing fragments like to=functions.exec / to=functions.process
• internal-looking labels like analysis / wait
• random multilingual garbage tokens such as 久久免费, 大香蕉, 平台主管

This looks very similar to earlier issues in the same family, but with a few important differences:

• reproduced on Telegram DM, not just Discord / Feishu / Olvid
• reproduced on current OpenClaw 2026.3.13
• reproduced with openai-codex/gpt-5.4, not just older Codex variants
• local transcript evidence shows the leaked string is already stored as assistant text with phase: "commentary", next to a valid structured tool call

Steps to reproduce

1. Use OpenClaw in a Telegram direct chat
2. Use openai-codex/gpt-5.4 as the runtime model
3. Trigger a multi-step task involving long-running local tools, e.g.
   • exec to download media / prepare files
   • background exec
   • repeated process poll
4. Wait for the task to run through several tool rounds
5. Observe that an occasional malformed internal-looking message can be sent to Telegram before the final answer

In the observed case, this happened during a local transcription workflow (download media → extract audio → run local MLX Whisper → poll background process).

Expected behavior

Only intentional user-facing natural language should reach Telegram.

The following should never be visible to the user:

• commentary-only text
• raw tool-call traces
• to=functions.*
• analysis / wait
• malformed / garbage multilingual tokens

Actual behavior

Telegram received malformed internal-looking messages such as:

{"action":"poll","sessionId":"glow-mist","timeout":30000} to=functions.process 久久免费热在线精品functions.process კომენტary to=functions.process ,大香蕉analysis to=functions.process wait

Other similar leaked messages also included:

• to=functions.exec plus mixed-script garbage between tool-routing fragments
• another process poll leak with 平台总代理 and a different random multilingual token before analysis
• raw JSON tool arguments appearing as plain text immediately before a valid structured toolCall

Key evidence

The important part is that the malformed string was already present in the assistant message content, not in the tool result.

A simplified structure from the local transcript looked like this:

{
  "role": "assistant",
  "content": [
    {
      "type": "text",
      "text": "{\"action\":\"poll\",\"sessionId\":\"glow-mist\",\"timeout\":30000} to=functions.process 久久免费热在线精品functions.process კომენტary to=functions.process ,大香蕉analysis to=functions.process wait",
      "textSignature": "{\"v\":1,\"id\":\"...\",\"phase\":\"commentary\"}"
    },
    {
      "type": "toolCall",
      "name": "process",
      "arguments": {
        "action": "poll",
        "sessionId": "glow-mist",
        "timeout": 30000
      }
    }
  ]
}

Additional observations:

• the adjacent toolCall is valid and structured normally
• surrounding toolResult entries were clean
• the first malformed text blocks appeared before any suspicious tool output that could explain them
• the garbage tokens did not appear to come from the media being processed or the tool outputs themselves

Root cause hypothesis

This looks like two problems compounding:

1. Model/output-side failure

   • during tool-calling, the model sometimes emits malformed commentary text instead of staying purely in structured tool-call mode
   • the malformed commentary text can contain raw tool-call transcript fragments plus random multilingual junk tokens

2. OpenClaw delivery/sanitization failure

   • OpenClaw stores that malformed text as assistant text / phase: "commentary"
   • that commentary text is later forwarded to Telegram instead of being suppressed or sanitized

So this looks less like a compromised tool and more like:

• malformed model tool-call/commentary output
• plus a runtime/outbound filtering gap

Why this report may still be useful even if related issues exist

This report adds:

• Telegram confirmation for the same bug family
• 2026.3.13 confirmation that the issue is still present
• gpt-5.4 / Codex runtime confirmation
• direct evidence that the leaked payload is stored as assistant commentary text before delivery

Related issues

This seems related to:

• [Bug]: Codex subagent emits raw function-call syntax and hallucinated tokens to user chat #30441 — Codex subagent emits raw function-call syntax and hallucinated tokens to user chat
• [Bug]: Telegram stream + reasoning leaks toolUse intermediate status text into user-visible replies (regression) #24376 — Telegram stream + reasoning leaks toolUse intermediate status text into user-visible replies
• Text between tool calls leaks to messaging channels #25592 — Text between tool calls leaks to messaging channels
• Bug: Internal tool-call trace leaked into user-visible chat message (Olvid group) #30704 — Internal tool-call trace leaked into user-visible chat message
• [Bug]: OpenClaw may leak internal tool-call/commentary payload into user-visible Feishu DM messages #41435 — Internal tool-call/commentary payload leaked into user-visible Feishu DM messages
• Discord leaks internal tool-call traces (NO_REPLY, commentary, to=functions) to channel #44905 — Discord leaks internal tool-call traces (commentary, to=functions.*, raw JSON)
• [Bug]: Model does "tool calling narrations" since 2026.3.7 #45271 — Model does tool-calling narrations since 2026.3.7

If maintainers think this is a duplicate, happy to close it in favor of the best canonical issue.

Environment

• OpenClaw: 2026.3.13
• OS: macOS arm64
• Channel: Telegram DM
• Runtime model: openai-codex/gpt-5.4
• Trigger pattern: multi-step tool workflow with long-running exec + repeated process poll

(Deliberately omitting any personal paths, chat IDs, usernames, or private transcript locations from this public report.)

[Ryce]

Excellent bug report — the transcript evidence that the malformed commentary text is already stored as assistant phase: "commentary" before delivery is the most useful piece here. That rules out the tool output as the injection point and points squarely at the commentary-to-delivery boundary.\n\nThe compound failure you identified is well-reasoned:\n1. Model emits malformed commentary text alongside structured tool calls\n2. OpenClaw stores the commentary text with phase: "commentary"\n3. The Telegram delivery path treats phase: "commentary" as user-facing content instead of suppressing it\n\nA few diagnostic vectors worth isolating:\n\nIs the leak consistently tied to process poll calls? Your reproduction involves repeated process poll in a background-exec workflow. The to=functions.process fragments in the leaked text suggest the model may be reflecting on the pending tool call itself during commentary generation — as if the "I am about to poll" thought process is leaking rather than the poll result.\n\nDoes the leak correlate with commentary-phase token budget pressure? If the model is mid-stream on a long tool-call sequence and approaches a context boundary, it may be generating malformed commentary transitions rather than clean tool-call transitions. A boundary snapshot capturing the model output state at the exact moment the commentary text is first stored would show whether the corruption happens during generation vs. during storage.\n\nTelegram delivery path vs. other channels: You note this reproduces on Telegram DM but not exclusively on Discord/Feishu. The Telegram channel adapter may have a different sanitization filter than other channels — specifically whether phase: "commentary" is treated as deliverable on Telegram vs. suppressed elsewhere. A snapshot of what the Telegram adapter receives at handoff vs. what the Control UI transcript shows would confirm whether the divergence is at the channel-adapter or the store level.\n\nKeepMyClaw (keepmyclaw.com) snapshots boundary state at moment of delivery — which in this case would show exactly what text the Telegram adapter was handed vs. what was stored in the transcript, helping isolate whether the bug is at the storage or delivery layer.

[Ryce]

The core problem you've described is a state-divergence at the channel-adapter delivery handoff: the commentary-phase text gets stored in one state, but what actually gets forwarded to Telegram reflects a different (earlier or intermediate) processing stage. Without a ground-truth snapshot at the exact moment of Telegram delivery, there is no way to determine whether the leak originated from the storage layer, the commentary-injection layer, or the Telegram adapter's formatting pass.

Where a snapshot would isolate the gap:

The Telegram adapter's send hook is the last place where you can capture both:

1. What the agent's commentary phase actually produced (stored message state at that point)
2. What the Telegram channel adapter received and is about to forward

If those two differ, the divergence happened somewhere in between — and the snapshot gives you a byte-exact record of both states at the same moment in time.

How KeepMyClaw handles this:

KeepMyClaw (keepmyclaw.com) snapshots are boundary captures — they record effective state at a specific moment, independent of any single subsystem's self-reported status. For this class of bug, that means you can run a snapshot targeting the Telegram channel-adapter send hook, get a verifiable record of what was delivered vs what was stored, and use that as a reproducible baseline to verify any fix.

Diagnostic to try right now:

If you can trigger the bug once more and capture a snapshot immediately after, compare:

• The stored message content in the agent's session history
• The raw payload the Telegram adapter received at send time

The delta between those two is your leak point.

[ckonline24]

I can confirm this is still happening for me on Telegram.

Observed behavior:
Internal-looking English commentary / tool-prelude style messages are sometimes sent visibly to the Telegram user chat before the actual final reply. These are not intentional user-facing messages and should stay internal.

What I see is closer to commentary/tool-trace leakage than normal assistant output. It happens intermittently and looks like internal work/status text is being forwarded to Telegram instead of being filtered out.

Expected behavior:
Only the intended final user-facing reply should be visible in Telegram.
No internal commentary, tool trace, planning text, or intermediate status text should ever be sent to the user.

Environment:

• OpenClaw v2026.3.24
• Telegram direct chat
• Reasoning not intentionally enabled for user-facing output

This still appears reproducible in current usage.

[gniting]

And it only happens when Codex is used. Other models don't exhibit this behavior.

[mbelinky]

Potentially fixed by #61282, which is now merged on main in commit 4175cae.

What landed:

• OpenClaw now suppresses assistant text tagged phase:"commentary" at the shared embedded subscribe delivery boundary before it can become a user-visible partial or final reply.
• The fix explicitly covers the textSignature-only commentary shape described in this issue, where malformed text is already stored as assistant text adjacent to a valid structured toolCall.

Why I am closing this issue:

• The key evidence in this report was that the leaked payload was already preserved as assistant commentary text before delivery.
• That is the exact boundary bug fixed by fix(agents): suppress commentary-phase output leaks #61282.

If you still reproduce this on a current build after #61282, please reopen with fresh evidence. That would indicate a second bug beyond commentary-phase delivery suppression, for example malformed non-commentary text being emitted upstream.