Skill catalog prompt injection ignores allowBundled / blockedByAllowlist filter

[shawnmandel]

Summary

The skill catalog injected into the agent's system prompt does not respect the skills.allowBundled config filter or the blockedByAllowlist flag computed by the CLI. As a result, blocked and removed skills still appear in the <available_skills> prompt section, consuming tokens on every request.

Reproduction

1. Set skills.allowBundled to a strict allowlist (e.g., ["healthcheck", "weather"])
2. Run openclaw skills check — correctly shows only eligible skills (e.g., 5 eligible, 50 blocked)
3. Run an agent turn and inspect meta.systemPromptReport.skills.entries in the JSON response
4. Result: the system prompt contains entries for skills NOT in the allowlist and NOT present in the workspace skills directory — including removed workspace skills and bundled skills not in allowBundled

Evidence (2026.4.11)

CLI output (openclaw skills check):

Total: 55
✓ Eligible: 5
🚫 Blocked by allowlist: 50

Ready to use:
  📦 healthcheck
  ☔ weather
  📦 Code
  📦 ddg-search
  📦 Git (Essentials + Workflows + Advanced)

System prompt report from the same session (meta.systemPromptReport.skills):

Skills catalog: 4635 chars (11 entries)
  healthcheck: 456 chars
  nano-banana-pro: 210 chars        ← NOT in allowBundled
  weather: 381 chars
  adaptive-reasoning: 410 chars     ← removed from workspace
  agent-team-orchestration: 594 chars  ← removed from workspace
  architecture-designer: 362 chars  ← removed from workspace
  Code: 234 chars
  Data Analysis: 258 chars          ← removed from workspace
  ddg-search: 481 chars
  deep-thinking: 569 chars          ← removed from workspace
  Git: 281 chars

6 of 11 entries should not be present — 5 were physically removed from the workspace skills directory, and 1 (nano-banana-pro) is a bundled skill not in allowBundled.

Impact

• 4,635 chars of unnecessary skill catalog injected into every system prompt
• At ~3.35 chars/token, that's ~1,400 wasted tokens per request
• On local models with limited context (e.g., Ollama with 32K context), this is significant — ~4% of the total context consumed by phantom skills
• The CLI's shouldIncludeSkill logic correctly filters; the prompt builder bypasses it

Code reference (from 2026.3.2 investigation)

The filter logic exists in /app/src/agents/skills/config.ts lines 55-68:

• shouldIncludeSkill(entry) checks isBundledSkill(entry) → if bundled, checks isBundledSkillAllowed(entry, allowBundled)
• Workspace skills (!isBundledSkill) return true unconditionally
• The CLI's openclaw skills check correctly uses this function
• The prompt builder's skill catalog injection appears to use a different code path that does not call shouldIncludeSkill

Expected behavior

The <available_skills> section in the system prompt should only include skills that pass shouldIncludeSkill — the same filter the CLI uses. Blocked, removed, and missing skills should never appear in the prompt.

Environment

• OpenClaw 2026.4.11 (also confirmed on 2026.3.2)
• Docker install (source-tree-in-image, not git checkout)
• skills.allowBundled: ["healthcheck", "weather"]
• Workspace skills directory: 3 active (code, ddg-web-search, git)

Workaround

None currently available. Moving workspace skill directories or tightening allowBundled correctly updates the CLI's eligibility check but does not affect the prompt builder's injection.

[xantorres]

PR #67401 addresses this from the invalidation side: the snapshot builder (shouldIncludeSkill in src/agents/skills/config.ts) already applies the allowBundled filter; what was missing was any signal to rebuild the cached snapshot when the allowlist changed. The PR bumps getSkillsSnapshotVersion on skills.* config writes so the existing sessions stop advertising the pre-change skill set.

[steipete]

Closing this as implemented after Codex review.

Current main already fixes this by invalidating cached session skill snapshots whenever skills.* config changes. The prompt path already respected shouldIncludeSkill; the stale entries came from reusing an old skillsSnapshot until #67401 added config-change invalidation.

What I checked:

• Prompt builder already filters with shouldIncludeSkill: filterSkillEntries() applies shouldIncludeSkill({ entry, config, eligibility }) before building the available-skills prompt, so bundled allowlist filtering was already in the prompt-building path. (src/agents/skills/workspace.ts:101, 1bdf5307d99d)
• Session snapshots are cached and reused until version changes: agent-command reuses sessionEntry.skillsSnapshot unless shouldRefreshSnapshotForVersion(...) says it is stale, which matches the issue's symptom of old skills persisting across turns. (src/agents/agent-command.ts:578, 1bdf5307d99d)
• Current main invalidates snapshots on any skills.* config change: config-reload.ts now treats any skills.* path, including skills.allowBundled, as a skills-snapshot invalidation trigger and calls bumpSkillsSnapshotVersion(...) so existing sessions rebuild on the next turn. (src/gateway/config-reload.ts:38, 1bdf5307d99d)
• Regression test covers skills.allowBundled specifically: There is a dedicated test asserting that changing skills.allowBundled bumps the skills snapshot version and logs the invalidation. (src/gateway/config-reload.test.ts:1140, 1bdf5307d99d)
• Changelog documents the fix in unreleased main under fix(stability): session skills snapshot, tool-loop guard, TUI watchdog, LM Studio preload backoff #67401: The unreleased 2026.4.24 changelog explicitly says OpenClaw now bumps the cached skills-snapshot version whenever a config write touches skills.*, including skills.allowBundled, to prevent stale session snapshots from advertising removed skills. (CHANGELOG.md:5, 1bdf5307d99d)
• Issue discussion matches the implemented root cause: The existing comment from @xantorres points to PR fix(stability): session skills snapshot, tool-loop guard, TUI watchdog, LM Studio preload backoff #67401 and explains that the missing piece was snapshot invalidation, not prompt-side filtering. Current main contains that invalidation logic and test coverage.

So I’m closing this as already implemented rather than keeping a duplicate issue open.

Review notes: reviewed against 1bdf5307d99d; fix evidence: commit 453789914bb7.