Telegram subagent completion fallback can queue raw child/internal output after mediated announce failure

[EthanSK]

Summary

On OpenClaw 2026.5.5 (b1abf9d as reported by openclaw status), a sub-agent completion/announce failure path can queue or attempt to deliver raw child output to Telegram instead of a mediated, user-safe summary.

This appears distinct from the already-fixed updater/runtime-context leak: the remaining path is in sub-agent completion fallback / delivery recovery after the parent-agent mediated completion failed.

Related existing issues: #39032 and #25592.

Environment

• OpenClaw: 2026.5.5 (b1abf9d)
• Installed package: openclaw@2026.5.5
• npm latest at time checked: 2026.5.5
• OS/runtime: macOS 26.4.1 arm64, Node 25.6.1
• Gateway: LaunchAgent, /opt/homebrew/lib/node_modules/openclaw/dist/index.js gateway --port 18789
• Channel: Telegram direct message

Evidence observed locally (redacted)

A failed queued delivery existed at:

/Users/ethansk/.openclaw/delivery-queue/37bd4b88-388d-4270-8c5a-415f3e2e1b87.json

Metadata from that queued item:

• id: 37bd4b88-388d-4270-8c5a-415f3e2e1b87
• channel: telegram
• to: telegram:6164541473
• accountId: default
• session key: agent:main:telegram:default:direct:6164541473
• queued payload text length: 15962
• retryCount: 3
• lastError: Message must be non-empty for Telegram sends
• enqueuedAt: 2026-05-06T11:56:26.534Z
• lastAttemptAt: 2026-05-06T15:01:51.471Z

The queued payload contained raw/internal indicators including:

• sawTargetNormalizationGain
• target-normalization-gain-not-applied
• missing-in-memory-cache
• BEGIN_UNTRUSTED_CHILD_RESULT
• BEGIN_OPENCLAW_INTERNAL_CONTEXT

I am deliberately not pasting the raw payload here because it is exactly the material that should not be exposed to Telegram or GitHub.

Relevant log/run identifiers:

• Log: /tmp/openclaw/openclaw-2026-05-06.log
• Run/event id: announce:v1:agent:main:subagent:f5f3eaaf-58a2-4322-aa1b-06e588aed2a7:d1e6ffed-0974-41c8-839f-57b714fb7e88
• Provider failure seen near this path: service_unavailable_error / server_is_overloaded
• Raw error hash: sha256:115e5180d97d
• Raw error fingerprint: sha256:21e6e417518f

Likely failure path

From inspecting the installed dist files, the dangerous path appears to be:

1. A sub-agent completes and subagent-announce-delivery tries to wake or mediate the requester session.
2. The mediated parent-agent completion fails or is incomplete, e.g. due to provider overload.
3. The completion fallback path uses task completion event content directly.
4. The outbound delivery queue persists payloads before final Telegram/channel sanitization, so raw child/internal content can remain in the retry queue.
5. Delivery recovery later retries that queued item. In this case it failed with Message must be non-empty for Telegram sends, likely because a later sanitizer/renderer stripped enough content to empty it, but the unsafe payload was still persisted and retried.

Files inspected locally:

• /opt/homebrew/lib/node_modules/openclaw/dist/subagent-announce-delivery-De-sCDmZ.js
• /opt/homebrew/lib/node_modules/openclaw/dist/delivery-queue-CX8x6Ho_.js
• /opt/homebrew/lib/node_modules/openclaw/dist/send-C3qlmCZc.js
• /opt/homebrew/lib/node_modules/openclaw/dist/sanitize-text-IbfTPlxP.js

Local mitigation I applied

This was a local hotfix in the installed dist only, not an upstream PR.

1. Stop direct fallback from using raw child event.result

Patched:

/opt/homebrew/lib/node_modules/openclaw/dist/subagent-announce-delivery-De-sCDmZ.js

Changed extractTaskCompletionFallbackText(event) so it no longer returns event.result. It now emits only task/status metadata plus a safe notice:

The child result was withheld from direct delivery so it can be summarized safely in-session.

Verification after patch:

• safe notice present: yes
• event.result referenced inside extractTaskCompletionFallbackText: no
• backup created: subagent-announce-delivery-De-sCDmZ.js.bak-unsafe-child-fallback

2. Add outbound delimiter stripping for internal context / untrusted child result blocks

Patched:

/opt/homebrew/lib/node_modules/openclaw/dist/sanitize-text-IbfTPlxP.js

Added stripping for delimited blocks:

• <<<BEGIN_OPENCLAW_INTERNAL_CONTEXT>>> ... <<<END_OPENCLAW_INTERNAL_CONTEXT>>>
• <<<BEGIN_UNTRUSTED_CHILD_RESULT>>> ... <<<END_UNTRUSTED_CHILD_RESULT>>>

Verification after patch:

• BEGIN_OPENCLAW_INTERNAL_CONTEXT guard present: yes
• BEGIN_UNTRUSTED_CHILD_RESULT guard present: yes
• backup created: sanitize-text-IbfTPlxP.js.bak-runtime-delimiters

3. Quarantine the unsafe queued item

Moved the unsafe pending queue entry out of active retry path:

/Users/ethansk/.openclaw/delivery-queue/failed/37bd4b88-388d-4270-8c5a-415f3e2e1b87.quarantined-unsafe-child-result-20260506T151901Z.json

Verification after quarantine:

• pending /Users/ethansk/.openclaw/delivery-queue/*.json: empty
• matching quarantined file exists under delivery-queue/failed/

Expected upstream fix

OpenClaw should make this impossible in more than one layer:

1. Sub-agent completion fallback must never use raw child event.result for external channel delivery.
2. Outbound queue entries should store already-sanitized external-delivery payloads, or reject/quarantine entries that contain internal runtime context / untrusted child result delimiters.
3. Delivery recovery should fail closed for unsafe payloads instead of retrying them to Telegram/other channels.
4. Tests should cover provider-failure/incomplete-mediated-completion paths, not just successful mediated summaries.
5. Telegram/direct channel rendering should never receive BEGIN_OPENCLAW_INTERNAL_CONTEXT or BEGIN_UNTRUSTED_CHILD_RESULT blocks as sendable text.

Open question

The local queue item may or may not have been fully delivered before being sanitized/retried; logs confirmed retry failures for this queue id, but the original Telegram-visible message report came from a user-observed message (8995). Either way, raw/internal content reached a send/retry path and should be treated as a privacy/safety bug.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Summary
Keep open: current main still contains the reported unsafe source path, and the related reports do not cover the durable queue/retry angle with this release-specific Telegram evidence.

Reproducibility: yes. at source level: inject a task_completion event whose result contains internal delimiters, force the requester-agent announce to fail or return no visible output, and current main routes that raw result to direct fallback send. I did not run a live Telegram send in this read-only review.

Next step
Not a ClawSweeper repair-lane candidate because the remaining work is privacy-sensitive external-delivery hardening and should go through maintainer/security review before implementation.

Security
Needs attention: This issue reports a concrete privacy-sensitive leak path from internal subagent context into external channel delivery and durable retry storage.

Review details

Best possible solution:

Fail closed across layers: do not external-deliver raw event.result, add shared stripping/rejection for internal context and untrusted-child delimiters before queue persistence/recovery, and cover mediated-failure fallback paths with regression tests.

Do we have a high-confidence way to reproduce the issue?

Yes at source level: inject a task_completion event whose result contains internal delimiters, force the requester-agent announce to fail or return no visible output, and current main routes that raw result to direct fallback send. I did not run a live Telegram send in this read-only review.

Is this the best way to solve the issue?

No: current main's direct fallback is not the best safe behavior because it bypasses the mediated summary boundary. The safer fix is shared fallback sanitization/fail-closed queue handling, not a Telegram-only patch.

Security concerns:

• [high] Raw internal context can reach external delivery fallback — src/agents/subagent-announce-delivery.ts:541
  Current main can send event.result directly when mediated completion fails or is incomplete, and that result may include untrusted child or internal runtime context delimiters.
  Confidence: 0.89
• [medium] Unsafe payloads can be persisted before sanitization — src/infra/outbound/deliver.ts:1092
  The write-ahead delivery queue stores raw payloads before channel normalization, so an unsafe fallback payload can remain on disk and be retried later.
  Confidence: 0.86

What I checked:

• Raw child result is still the completion fallback source: extractTaskCompletionFallbackText() returns event.result.trim() before falling back to task/status metadata. (src/agents/subagent-announce-delivery.ts:541, 99b17263a12d)
• Fallback delivery sends that extracted text after announce failure or empty output: completionFallbackText is passed to sendCompletionFallback() on requester wake failure, gateway announce failure, empty/incomplete announce output, and missing message-tool delivery evidence. (src/agents/subagent-announce-delivery.ts:896, 99b17263a12d)
• Current tests encode raw fallback delivery to Telegram: The Telegram DM completion fallback test expects sendMessage to receive content: "child completion output" when requester announce delivery fails. (src/agents/subagent-announce-delivery.test.ts:914, 99b17263a12d)
• Outbound queue persists payloads before delivery normalization: The write-ahead queue enqueues payloads before deliverOutboundPayloadsCore() performs payload normalization and channel sanitization. (src/infra/outbound/deliver.ts:1092, 99b17263a12d)
• Existing test confirms raw queue persistence: The regression test is explicitly named writes raw payloads to the queue before normalization and asserts unsanitized payloads are stored. (src/infra/outbound/deliver.test.ts:2305, 99b17263a12d)
• Plain-text sanitizer does not strip OpenClaw internal fences: The outbound sanitizer strips HTML-like runtime scaffolding tags, while internal context delimiters live in a separate runtime-context helper and are not handled here. (src/infra/outbound/sanitize-text.ts:14, 99b17263a12d)

Likely related people:

• vincentkoc: Current-line blame for the subagent fallback, outbound queue, sanitizer, and Telegram adapter points to Vincent Koc in the available local history, and the changelog credits @vincentkoc for the direct completion fallback work. (role: recent subagent/outbound fallback maintainer; confidence: high; commits: 5e218b402f83; files: src/agents/subagent-announce-delivery.ts, src/agents/subagent-announce-delivery.test.ts, src/infra/outbound/deliver.ts)
• nabbilkhan: The changelog credits @nabbilkhan on the write-ahead delivery queue with crash-recovery retries, which is the durable persistence path involved here. (role: delivery queue feature contributor; confidence: medium; files: CHANGELOG.md, src/infra/outbound/deliver.ts, src/infra/outbound/delivery-queue-storage.ts)
• thewilloftheshadow: The changelog credits @thewilloftheshadow on the same write-ahead delivery queue work that stores and retries outbound payloads. (role: delivery queue feature contributor; confidence: medium; files: CHANGELOG.md, src/infra/outbound/deliver.ts, src/infra/outbound/delivery-queue-storage.ts)

Remaining risk / open question:

• The reporter intentionally redacted the unsafe queued payload, so this review proves the current source-level unsafe send/queue path rather than the exact Telegram-visible message body from that local incident.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 99b17263a12d.