[Bug]: image/video provider inventory leaks into Discord group channels as visible tool output

[leoge007]

Summary

image_generate / video_generate provider inventory output can be delivered into Discord group channels as user-visible tool output, leaking internal provider/model/configured/auth-hint information.

This is not an API-key leak, but it exposes operator environment details that should stay internal, especially on group surfaces.

Affected versions

Confirmed by inspecting npm package dist:

• 2026.4.24: affected
• 2026.4.27: affected
• 2026.4.29-beta.1: affected

The behavior appears to have been introduced in 2026.4.5 by commit 932194b (feat(video): add provider support and discord fallback), which added compact provider inventory emission for image_generate / video_generate.

Environment where observed

• OpenClaw app: 2026.4.24
• Channel: Discord
• Surface: group/channel
• Tool profile: full/coding-capable agent with image_generate

Repro

1. In a Discord channel, ask the agent to perform an image generation/editing task where it decides to inspect available image-generation providers first.
2. The agent calls:
   • image_generate with action: "list"
3. The provider inventory output is posted into Discord as visible text, e.g. lines containing:
   • provider ids
   • model names
   • configured: yes/no
   • auth hints such as required env var names
   • capabilities / supported sizes / aspect ratios

Expected

Provider inventory should be available to the agent internally, but it should not be emitted to external chat surfaces by default.

For group channels, this kind of runtime/environment inventory should be treated as diagnostic/internal data unless the operator explicitly asks to display it.

Actual

The compact provider inventory is emitted to Discord as user-visible tool output.

Code pointer

Current dist/source contains this logic in src/agents/pi-embedded-subscribe.handlers.tools.ts:

const COMPACT_PROVIDER_INVENTORY_TOOLS = new Set(["image_generate", "video_generate"]);

function shouldEmitCompactToolOutput(params: {
  toolName: string;
  result: unknown;
  outputText?: string;
}): boolean {
  if (!COMPACT_PROVIDER_INVENTORY_TOOLS.has(params.toolName)) {
    return false;
  }
  if (!hasProviderInventoryDetails(params.result)) {
    return false;
  }
  return Boolean(params.outputText?.trim());
}

Then tool output emission uses:

ctx.shouldEmitToolOutput() || shouldEmitCompactToolOutput({ toolName, result, outputText })

So provider inventory can bypass the normal tool-output visibility decision.

Why this matters

This is similar in class to previous group-surface internal trace leaks such as #70912, though the data here is provider inventory rather than Working… tool traces.

Impact:

• Reveals which providers/models are installed or configured.
• Reveals auth mechanism hints / env var names.
• Creates noisy, surprising messages in group channels.
• Makes operators less likely to trust media-generation tools in shared spaces.

Suggested fix direction

Prefer not to emit compact provider inventory to external chat surfaces by default.

Possible approaches:

1. Remove image_generate / video_generate from compact tool-output emission entirely.
2. Gate it on direct/private surfaces only.
3. Gate it on explicit verbose/debug mode only.
4. Redact provider inventory before external delivery, while keeping the full result in the agent/tool context.

The generated media delivery path should remain unchanged; only the action=list inventory output needs suppression or stricter gating.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Summary
Keep open. Current main still has the media provider-inventory compact-output bypass, the focused test still asserts that hidden video inventory emits, and open closing PRs #75550 and #75728 are already tracking candidate fixes.

Reproducibility: yes. A source-level reproduction is high-confidence: pass an image_generate or video_generate list result with details.providers through handleToolExecutionEnd while shouldEmitToolOutput() is false, and current main still calls emitToolOutput.

Next step
No separate repair job should be queued because open closing PRs #75550 and #75728 already target the same issue.

Security
Needs attention: This issue describes a current-main information-disclosure path for operator provider inventory on shared chat surfaces.

Review details

Best possible solution:

Review and land one canonical fix that keeps provider inventory internal by default on shared surfaces while preserving structured tool results and generated media delivery.

Do we have a high-confidence way to reproduce the issue?

Yes. A source-level reproduction is high-confidence: pass an image_generate or video_generate list result with details.providers through handleToolExecutionEnd while shouldEmitToolOutput() is false, and current main still calls emitToolOutput.

Is this the best way to solve the issue?

Yes. Suppressing or strictly gating provider-inventory text is the right solution class; maintainers should choose the narrower handler-only fix or the broader dispatcher tagging approach from the open PRs.

Security concerns:

• [medium] Provider inventory can reach shared Discord channels — src/agents/pi-embedded-subscribe.handlers.tools.ts:564
  Current main can emit image/video provider inventory text despite hidden tool-output policy, and Discord guild messages are ChatType: "channel", so non-Slack channel tool summaries remain deliverable.
  Confidence: 0.93

What I checked:

• Compact provider-inventory bypass remains: Current main still treats image_generate and video_generate as compact provider-inventory tools and emits their text when details.providers exists, even if ctx.shouldEmitToolOutput() is false. (src/agents/pi-embedded-subscribe.handlers.tools.ts:364, a53be2d2ce8c)
• Emission gate still ORs the bypass with normal visibility: The handler computes shouldEmitOutput with ctx.shouldEmitToolOutput() || shouldEmitCompactToolOutput(...), so provider inventory can bypass the normal hidden-output decision. (src/agents/pi-embedded-subscribe.handlers.tools.ts:556, a53be2d2ce8c)
• Regression test still asserts current leak path: The media handler test sets shouldEmitToolOutput: false for a video_generate result with details.providers and expects emitToolOutput to be called. (src/agents/pi-embedded-subscribe.handlers.tools.media.test.ts:427, a53be2d2ce8c)
• Image inventory includes operational details: image_generate action=list builds provider entries containing ids, models, configured state, auth env vars, and capabilities before returning text plus details.providers. (src/agents/tools/image-generate-tool.ts:605, a53be2d2ce8c)
• Video inventory includes auth hints and provider details: The shared media list helper formats provider ids, models, capabilities, auth env var hints, and structured details.providers. (src/agents/tools/media-generate-tool-actions-shared.ts:18, a53be2d2ce8c)
• Discord guild turns are channel turns: Discord inbound context sets ChatType to direct only for DMs and otherwise to channel, which is not suppressed by the generic group-only tool-summary gate. (extensions/discord/src/monitor/message-handler.context.ts:320, a53be2d2ce8c)

Likely related people:

• Peter Steinberger: The report-identified provider-support commit is present locally as 932194b7d58c under Peter Steinberger and is the clearest available provenance for the media-provider/Discord fallback behavior. (role: introduced behavior; confidence: high; commits: 932194b7d58c; files: src/agents/pi-embedded-subscribe.handlers.tools.ts, src/agents/tools/video-generate-tool.actions.ts, src/agents/tools/media-generate-tool-actions-shared.ts)
• Vincent Koc: Current main and current blame in this grafted checkout attribute the affected handler, tests, media-list helper, and Discord context lines to recent Vincent Koc commits, though the grafted history makes exact authorship less precise. (role: recent maintainer; confidence: medium; commits: a53be2d2ce8c, bc0f89074f85; files: src/agents/pi-embedded-subscribe.handlers.tools.ts, src/agents/pi-embedded-subscribe.handlers.tools.media.test.ts, src/agents/tools/image-generate-tool.ts)

Remaining risk / open question:

• I did not run a live Discord guild reproduction; the verdict is based on current source, focused tests, dispatch logic, and the open linked fix PRs.

Codex review notes: model gpt-5.5, reasoning high; reviewed against a53be2d2ce8c.