iMessage attachments blocked by local media path allowlist

[Cuttingwater]

Summary

When an iMessage includes an image attachment, the agent attempts to analyze it via the image tool. The attachment path points to ~/Library/Messages/Attachments/..., which is not in the hardcoded media local roots. This causes a LocalMediaAccessError: path-not-allowed and the agent cannot process any iMessage image attachments.

Environment

• OpenClaw version: 2026.4.1 (da64a97)
• Channel: iMessage
• OS: macOS (Darwin 25.4.0 arm64)

Error

[tools] image failed: Local media path is not under an allowed directory: 
/Users/.../Library/Messages/Attachments/.../file.pluginPayloadAttachment

Root Cause

buildMediaLocalRoots() in web-media-CkaAIY0r.js only allows:

• Preferred tmp dir
• ~/.openclaw/media
• ~/.openclaw/workspace
• ~/.openclaw/sandboxes

There is no config option to add additional allowed paths, and the iMessage channel plugin does not copy attachments into an allowed directory before passing them to tools.

Suggested Fix

Either:

1. Config option: Add a tools.media.localRoots (or similar) config key to allow users to add custom allowed directories
2. Channel-level fix: Have the iMessage channel plugin copy attachments into ~/.openclaw/media/ before passing them to tools
3. Automatic widening: When a channel plugin provides an attachment path, automatically add that path's parent to the allowed roots for that tool invocation

Option 2 seems safest - the channel plugin already knows about the attachment and can stage it.

Version

OpenClaw 2026.4.1 (commit da64a97)

[steipete]

Closing this as implemented after Codex review.

Current main already routes inbound attachment reads through channel-specific allowed roots, and the iMessage plugin now publishes /Users/*/Library/Messages/Attachments as its default inbound attachment root with configurable overrides. The same implementation is present in release v2026.4.23, so this issue is already covered by shipped code.

What I checked:

• Media understanding now merges channel attachment roots into the local-media allowlist: resolveMediaAttachmentLocalRoots() merges the default media roots with resolveChannelInboundAttachmentRoots(params), so inbound attachment reads are no longer limited to the generic ~/.openclaw/... roots. (src/media-understanding/runner.ts:188, a155b84cdade)
• Core loads per-channel inbound attachment roots from the bundled plugin public surface: resolveChannelInboundAttachmentRoots() looks up a channel's media-contract-api.js and returns its resolveInboundAttachmentRoots() result for the current context/account. (src/media/channel-inbound-roots.ts:68, a155b84cdade)
• iMessage declares the Messages attachments directory as an allowed inbound root: The iMessage media contract exports DEFAULT_IMESSAGE_ATTACHMENT_ROOTS = ["/Users/*/Library/Messages/Attachments"] and merges account/global overrides for both local and remote attachment roots. (extensions/imessage/src/media-contract.ts:5, a155b84cdade)
• Config/docs/tests all expose and validate the iMessage attachment-root contract: The public config type includes channels.imessage.attachmentRoots / remoteAttachmentRoots; docs document the same default root; and the contract test covers default + override resolution. (src/config/types.imessage.ts:61, a155b84cdade)
• The fix is already in the latest release: git show a9797214338ba31c52c796adbb75afb16e0684a9:src/media-understanding/runner.ts and git show a9797214338ba31c52c796adbb75afb16e0684a9:extensions/imessage/src/media-contract.ts show the same channel-root merge and iMessage default attachment-root implementation in v2026.4.23. (a9797214338b)

So I’m closing this as already implemented rather than keeping a duplicate issue open.

Review notes: reviewed against a155b84cdade; fix evidence: release v2026.4.23, commit a9797214338b.