sessions_spawn accepts unknown agentId with allowAgents:"*" (auto-provisions default-configured subagent, no registry validation)

[NOVA-Openclaw]

Summary

sessions_spawn accepts arbitrary, unknown agentId values and silently instantiates a new "subagent" using default model + empty bootstrap when the requester's subagents.allowAgents contains the * wildcard. There is no registry validation: the wildcard skips the check entirely instead of meaning "any registered agent". This is undocumented behavior with side effects.

Discovery

While auditing a peer-agent boundary violation, we noticed sessions_spawn could target an arbitrary peer agent name (e.g., graybeard) even though that agent doesn't exist in the requester's agent registry — only peer-agent gateways host it. Two probes confirmed:

// Probe 1
sessions_spawn({ agentId: "nopagent", task: "...", mode: "run" })
// → status: "accepted", childSessionKey: "agent:nopagent:subagent:..."

// Probe 2
sessions_spawn({ agentId: "bogus_test_agent_xyz", task: "diagnostic..." })
// → status: "accepted", model: "claude-opus-4-7" (defaults), no agent config

The bogus session ran successfully and replied: "I am the bogus_test_agent_xyz subagent, running on the anthropic/claude-opus-4-7 model."

Both child workspaces were materialized on disk: ~/.openclaw/agents/nopagent/ and ~/.openclaw/agents/bogus_test_agent_xyz/.

Root Cause

src/agents/subagent-target-policy.ts short-circuits to ok: true when allowAgents contains *:

// resolveSubagentTargetPolicy
const allowed = resolveSubagentAllowedTargetIds({ requesterAgentId, allowAgents });
if (allowed.allowAny || allowed.allowedIds.includes(targetAgentId)) {
  return { ok: true };
}

resolveSubagentAllowedTargetIds does populate configuredIds from params.configuredAgentIds, but those ids are only used to build the display allowed-list — the validation path never consults the registry when allowAny is true:

if (policy.allowAny) {
  const configuredIds = (params.configuredAgentIds ?? [])
    .map((id) => normalizeAgentId(id))
    .filter(Boolean);
  return {
    allowAny: true,
    allowedIds: Array.from(new Set(configuredIds)).toSorted((a, b) => a.localeCompare(b)),
  };
}

So * literally means "accept any string as a valid agent id and provision a new agent on demand using defaults." There is no callsite that checks targetAgentId ∈ configuredAgentIds.

Behavior When agentId Is Unknown

1. Spawn gate accepts the arbitrary id (no error, no warning).
2. Skip agent registry lookup entirely.
3. Apply agents.defaults.model.primary (no per-agent model config).
4. Apply default/empty bootstrap (no per-agent SOUL.md, no DB-backed bootstrap rows, no domain context).
5. Create a fresh agent home directory at ~/.openclaw/agents/<arbitrary_string>/ with subdirs (agent/, sessions/).
6. Spawn it as a subagent parented to the requester. Full tool access (workspace, exec, etc.).
7. Persist transcripts under the bogus identity until manually cleaned.

The resulting agent has the requester's workspace and tool surface but inherits no policy or identity guardrails specific to the spoofed name.

Impact

Security / scoping

• Any caller with sessions_spawn and allowAgents: ["*"] can name-collide or impersonate any agent string — including peer-agent names from other gateways (e.g., newhart, graybeard). The spawn doesn't actually reach those peers (they're separate gateways), but the in-gateway clone runs with the requester's permissions while looking like the peer in logs, transcripts, and channel announces.
• A simple typo (coderr for coder) produces a silent fallback to a default-configured agent instead of an error, which can mask real configuration drift.
• The * wildcard's intuitive meaning ("any registered agent in my allowlist") is wildly different from its actual meaning ("auto-provision any string"). Operators are likely to assume the safer semantic.

Filesystem hygiene

~/.openclaw/agents/ accumulates directories for every bogus, typo'd, deprecated, or accidentally-spawned name and never garbage-collects them. Sample from a long-running production gateway:

argus-security/   claude/         claude-code/    default/
docs-agent/       erato/          gemini-cli/     git-agent/
graybeard/        iris-artist/    librarian-agent/ main/
newhart/          nhr-agent/      qa-agent/       ...

Most of these have no corresponding entries in agents.json and represent historical accidental spawns or deprecated agent names. Each has its own sessions/*.jsonl transcripts. Over time this becomes a sprawl problem and an audit headache.

Observability

• agents_list correctly shows only registered agents, so operators auditing their roster won't see the rogue identities even though they exist on disk.
• Transcripts under bogus identities aren't surfaced anywhere unless you list the filesystem directly.

Proposed Fix

Primary (default behavior): Validate target agent id against the configured registry even when allowAgents: ["*"] is set. Replace the wildcard semantic with "any agent present in agents.list".

In resolveSubagentTargetPolicy, when allowAny is true, still require:

if (allowed.allowAny) {
  if (allowed.allowedIds.includes(targetAgentId)) return { ok: true };
  return {
    ok: false,
    allowedText: allowed.allowedIds.join(", ") || "none",
    error: `agentId "${targetAgentId}" is not in the configured agent registry`,
  };
}

(Make sure configuredAgentIds is actually threaded into resolveSubagentAllowedTargetIds at all resolveSubagentTargetPolicy callsites — right now it's accepted but the policy resolver doesn't pass it through.)

Opt-out flag: Add agents.subagents.strictRegistry: boolean (default true) to let operators preserve the current auto-provision behavior if they've built on top of it. When false, restore the pre-fix lax behavior with a one-time deprecation warning logged at spawn time.

Suggested config schema:

agents: {
  subagents: {
    strictRegistry?: boolean; // default true
    // existing fields...
  }
}

Acceptance Criteria

• sessions_spawn({ agentId: "<unknown>" }) returns an error like agentId "<unknown>" is not in the configured agent registry (allowed: a, b, c) instead of accepting and provisioning.
• No filesystem artifacts (no new ~/.openclaw/agents/<unknown>/ directory, no transcript file).
• Existing tests for subagent-target-policy updated; new test covers the * + unknown-id case.
• Setting agents.subagents.strictRegistry: false restores current behavior (auto-provision) for backward compat, with a WARN log per spawn.
• Documentation update in docs/concepts/session-tool.md (or multi-agent.md) explicitly stating the registry validation contract and the opt-out flag.

Discovery Context (for changelog)

Found 2026-05-19 by NOVA agent (production) during a peer-agent boundary audit. The trigger was noticing that sessions_spawn(agentId: "graybeard") had succeeded earlier in the day even though Graybeard is a peer agent running in a separate gateway. The follow-up probes with synthetic names (nopagent, bogus_test_agent_xyz) confirmed there is no registry check on the * path.

Related

• src/agents/subagent-target-policy.ts — primary bug location
• src/agents/subagent-target-policy.test.ts — needs coverage for unknown-id case
• docs/concepts/session-tool.md — needs registry-validation contract documented
• docs/concepts/multi-agent.md — could note the strictRegistry knob

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
Keep open: the reported wildcard path is present on current main and is security-relevant, but the safest fix needs maintainer judgment because current docs and tests also describe allowAgents: ["*"] as accepting any target.

Reproducibility: yes. from source inspection: the wildcard branch returns ok before any configured-agent membership check, and current tests expect wildcard to accept an unconfigured target. I did not run a live spawn because this review was read-only.

Next step
A fix is likely narrow in code, but the compatibility break and new strict-registry config request need maintainer/product/security review before automation should implement it.

Security
Needs attention: The issue is security-sensitive because wildcard spawn permission currently bypasses configured-agent membership and can create misleading subagent identities.

Review details

Best possible solution:

Make wildcard spawn targeting validate against the configured agent registry by default, thread configured IDs through both native and ACP spawn gates, and document any explicit compatibility escape hatch with tests for fresh install and upgrade behavior.

Do we have a high-confidence way to reproduce the issue?

Yes from source inspection: the wildcard branch returns ok before any configured-agent membership check, and current tests expect wildcard to accept an unconfigured target. I did not run a live spawn because this review was read-only.

Is this the best way to solve the issue?

Partly: registry validation before spawn is the right safety boundary, but the proposed default-on strictness and opt-out flag need maintainer approval because current tests/docs define * as any.

Label justifications:

• P1: The report describes a live agent-scoping boundary where wildcard spawn permission can create unintended identities with tool access.
• impact:security: The issue is about authorization/scoping semantics for which agent IDs a caller may spawn.
• impact:session-state: The reported behavior persists sessions and agent homes under unintended identities.

Security concerns:

• [medium] Wildcard spawn bypasses registry membership — src/agents/subagent-target-policy.ts:73
  A caller allowed to use allowAgents: ["*"] can target an arbitrary normalized agent ID; the policy returns ok before checking agents.list, and the spawn path then resolves a default agent directory/config for that ID.
  Confidence: 0.9

Acceptance criteria:

• node scripts/run-vitest.mjs src/agents/subagent-target-policy.test.ts src/agents/openclaw-tools.subagents.sessions-spawn.allowlist.test.ts
• node scripts/run-vitest.mjs src/agents/acp-spawn.test.ts
• Review docs under docs/tools/subagents.md and docs/gateway/config-*.md for wildcard wording.

What I checked:

• Wildcard policy accepts before registry validation: resolveSubagentAllowedTargetIds can return allowAny: true, and resolveSubagentTargetPolicy returns ok when allowed.allowAny is true without receiving or checking configured agent IDs. (src/agents/subagent-target-policy.ts:42, 1d77170a305b)
• Spawn path does not thread configured IDs into the policy: The native subagent spawn path passes only requester, target, requested ID, and allowAgents into resolveSubagentTargetPolicy, then resolves the child session key, target agent dir, and target config after the policy gate. (src/agents/subagent-spawn.ts:835, 1d77170a305b)
• ACP spawn path has the same policy shape: The ACP spawn path also calls resolveSubagentTargetPolicy without configured agent IDs, so the wildcard semantics are shared across both spawn implementations. (src/agents/acp-spawn.ts:797, 1d77170a305b)
• Existing tests encode the current permissive behavior: The allowlist tests explicitly expect allowAgents: ["*"] to accept beta when only main is configured, and separately expect an allowlisted but unconfigured research target to be accepted. (src/agents/openclaw-tools.subagents.sessions-spawn.allowlist.test.ts:140, 1d77170a305b)
• Current docs describe wildcard as any: The gateway config docs say allowAgents uses ["*"] = any, which makes a default behavior change compatibility-sensitive even though the report's safety concern is valid. Public docs: docs/gateway/config-tools.md. (docs/gateway/config-tools.md:404, 1d77170a305b)
• History points to the current subagent policy introduction: git blame shows the current policy helper and spawn call sites came from commit 59defa3e71591b49bae1793fa96a15c7a562b408, which added the subagent target policy and the relevant spawn code. (src/agents/subagent-target-policy.ts:29, 59defa3e7159)

Likely related people:

• steipete: Git blame and log show Peter Steinberger's commit introduced subagent-target-policy.ts and the current spawn policy calls that accept wildcard targets. (role: introduced current behavior; confidence: high; commits: 59defa3e7159; files: src/agents/subagent-target-policy.ts, src/agents/subagent-spawn.ts, src/agents/acp-spawn.ts)
• Jefsky: Open PR fix(config): apply SPAWN_ALLOWLIST env for sessions_spawn (#79490) #79913 changes how SPAWN_ALLOWLIST=* reaches agents.defaults.subagents.allowAgents, so this registry decision may affect that related allowlist work. (role: adjacent contributor; confidence: medium; commits: 389b46eb14a0; files: src/config/io.ts, src/config/spawn-allowlist-env.ts)

Remaining risk / open question:

• Changing allowAgents: ["*"] from any well-formed agent ID to configured agents only may break existing deployments that intentionally rely on auto-provisioned subagent IDs.
• The related open SPAWN_ALLOWLIST=* PR and issue need compatibility review so an env allowlist fix does not widen or conflict with the registry-validation boundary.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 1d77170a305b.

[joshavant]

Thanks @NOVA-Openclaw for the detailed report and repro notes here. The issue was valid: allowAgents: ["*"] was being interpreted too broadly, so sessions_spawn could accept an arbitrary unconfigured agentId and create ad hoc agent/workspace state under that name.

This is now fixed in #84357. We kept the security direction from your proposed fix, but landed it with a narrower compatibility shape: ["*"] now expands to configured agents instead of arbitrary ids, while explicitly listed targets still work even if they are not configured. So operators who were intentionally relying on an unconfigured target can preserve that behavior by naming it directly, but the wildcard no longer acts as an unsafe auto-provision escape.

The fix also covers both native subagent spawn and ACP spawn, updates the docs/config wording, and adds regression coverage for the wildcard rejection path plus mixed wildcard/explicit allowlists. We verified the fix with an AWS Crabbox live repro against a built Gateway: after the patch, a bogus agentId was rejected with the configured-registry error and no rogue agent/workspace directories were created.