Slack: download-file results can leak into auto-reply media and duplicate final text

[shannon0430]

Summary

A Slack thread reply can be delivered multiple times after an agent uses the Slack message tool with action="download-file" on inbound attachments.

The issue appears to be a read/write media boundary problem: media returned by a read-only download/intake action can later be treated as outbound reply media, and the final text/media dedupe does not collapse the text-only fallback when media is present.

Security / privacy note

This report is intentionally sanitized:

• no workspace names
• no channel IDs or thread IDs
• no Slack file IDs
• no customer/user names
• no filenames from the original incident
• no message contents from the original incident
• no private URLs, tokens, logs, or screenshots

The observed behavior re-uploaded inbound private attachments back into the same Slack thread. I have not confirmed cross-channel or cross-workspace disclosure, but this is still privacy-sensitive because files downloaded for analysis should never become outbound attachments unless explicitly requested by the agent/user.

If maintainers prefer private handling for this class of issue, this can be moved to the repository's private security-reporting flow; the public issue should remain limited to sanitized reproduction details.

Impact

• Users can see duplicate Slack replies from the same assistant turn.
• Inbound private files can be re-uploaded back to the thread even though the agent only requested them for local analysis.
• The duplicate may affect any channel that shares the common auto-reply media merge/delivery pipeline, though the observed reproduction is Slack.

Observed environment

• OpenClaw: 2026.5.22 (a374c3a)
• Channel: Slack thread reply
• Trigger shape: user posted one or more attachments, the agent called message.download-file for analysis, then produced a normal final text response.

Sanitized reproduction outline

1. In a Slack thread, send a user message with one or more private file attachments.
2. Agent calls message({ action: "download-file", fileId: "<redacted>" }) to read the attachment.
3. Agent produces a normal final answer without an explicit MEDIA: directive and without asking to upload the downloaded files.
4. Observe Slack delivery.

Expected:

• exactly one final reply containing the final answer text
• no re-upload of inbound/downloaded files unless the agent explicitly sends/uploads them

Actual:

• final answer text can be posted twice via different delivery paths
• downloaded files can be uploaded back into the Slack thread, including file-only messages

Suspected cause

message.download-file returns a result shaped like media metadata/local file access. The auto-reply/final-delivery layer appears to merge tool-result media into outbound reply payloads, even when the tool action was read-only intake.

There is also a dedupe gap: text-only duplicate filtering appears to keep media-bearing payloads before checking duplicate text, so a media-bearing final payload and a text-only final payload with the same text can both be allowed through.

Proposed fix

1. Mark download-file outputs as non-outbound/read-only media, or strip them from auto-reply payload assembly.
2. Only explicit outbound intents should attach media:
   • MEDIA: directives
   • message.send / message.upload-file
   • generated media completion events that are explicitly delivery-scoped
3. Add same-turn final-answer dedupe across media and text-only routes:
   • if media-bearing and text-only payloads share the same normalized final text/signature, send only one user-visible text body
   • file-only messages should not be emitted from read-only tool results
4. Add a regression test covering Slack download-file followed by a plain final text answer.

Notes

This is not a model double-generation issue: the session had a single final answer. The duplicate appears at delivery time.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve. Reviewed May 24, 2026, 11:11 PM ET / 03:11 UTC.

Summary
Keep open: current main still has a source-level path from Slack downloadFile results into shared outbound tool-media delivery, and no merged canonical fix was found. Because the report is privacy-sensitive and an adjacent media-delivery PR is already open, this should get maintainer review before a repair branch is queued.

Reproducibility: yes. at source level, not via live Slack: current main returns Slack downloadFile paths as structured media, queues trusted message-tool media, and merges pending tool media into final replies. I did not execute a live Slack thread reproduction in this read-only review.

Next step
The bug is narrow and source-backed, but the privacy-sensitive Slack media boundary and adjacent open media-delivery PR need maintainer direction before ClawSweeper should queue an automated repair.

Security
Needs attention: The issue is privacy-sensitive because current source can turn read-only Slack file downloads into outbound attachments.

Review details

Best possible solution:

Add an explicit outbound-intent boundary for tool-result media so Slack download-file outputs remain readable by the agent but never become auto-reply attachments unless the agent uses message.send, message.upload-file, a MEDIA: directive, or an explicitly delivery-scoped generated-media event.

Do we have a high-confidence way to reproduce the issue?

Yes at source level, not via live Slack: current main returns Slack downloadFile paths as structured media, queues trusted message-tool media, and merges pending tool media into final replies. I did not execute a live Slack thread reproduction in this read-only review.

Is this the best way to solve the issue?

Yes, the proposed read-only/outbound media split is the right maintainable direction. The repair should preserve explicit send/upload/generated-media behavior while filtering Slack download/intake artifacts and adding same-turn text/media dedupe coverage.

Remaining risk / open question:

• I did not run a live Slack repro in this read-only review; the failure is proven from current source, but live transport proof would still help the eventual fix.
• The open related PR fix(agent): keep tool media authoritative in replies #82870 changes tool-media semantics, so this fix should be coordinated to avoid conflicting delivery rules.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 3db1508f1ee7.

Label changes

Label changes:

• add P1: The current-main path can duplicate Slack replies and re-upload private inbound attachments in a real channel workflow.
• add impact:security: The report concerns private inbound Slack attachments being re-uploaded without explicit outbound intent.
• add impact:message-loss: The issue is about duplicated or unintended channel message/media delivery.
• add issue-rating: 🦞 diamond lobster: Current issue advisory state selects this label.
• add clawsweeper:source-repro: Current issue advisory state selects this label.
• add clawsweeper:no-new-fix-pr: Current issue advisory state selects this label.
• add clawsweeper:fix-shape-clear: Current issue advisory state selects this label.
• add clawsweeper:needs-maintainer-review: Current issue advisory state selects this label.
• add clawsweeper:needs-security-review: Current issue advisory state selects this label.

Label justifications:

• P1: The current-main path can duplicate Slack replies and re-upload private inbound attachments in a real channel workflow.
• impact:message-loss: The issue is about duplicated or unintended channel message/media delivery.
• impact:security: The report concerns private inbound Slack attachments being re-uploaded without explicit outbound intent.

Evidence reviewed

Security concerns:

• [medium] Separate downloaded Slack files from outbound media — extensions/slack/src/action-runtime.ts:493
downloadFile returns a local path under details.media, and the shared trusted message-tool media path can queue that path for final delivery, which can re-upload private inbound files without explicit send/upload intent.
  Confidence: 0.86

Acceptance criteria:

• node scripts/run-vitest.mjs extensions/slack/src/action-runtime.test.ts src/agents/pi-embedded-subscribe.handlers.tools.media.test.ts src/agents/pi-embedded-runner/run/tool-media-payloads.test.ts src/auto-reply/reply/agent-runner-payloads.test.ts

What I checked:

• Slack download returns structured media: For non-image Slack downloads, downloadFile returns details.media.mediaUrl pointing at the downloaded local path, which gives a read-only intake action an outbound-shaped media field. (extensions/slack/src/action-runtime.ts:493, 3db1508f1ee7)
• Current test locks in media-shaped download output: The Slack action-runtime test asserts that non-image downloadFile results include details.media.mediaUrl, so current coverage does not treat this as read-only-only metadata. (extensions/slack/src/action-runtime.test.ts:421, 3db1508f1ee7)
• Message tool is trusted for local tool-result media: The shared tool-result media filter includes message in the trusted local-media tool set, so Slack message-tool local paths can pass filtering. (src/agents/pi-embedded-subscribe.tools.ts:280, 3db1508f1ee7)
• Structured media is queued for reply delivery: Tool execution end extracts details.media, filters it, and queues remaining media URLs into pending tool media without distinguishing read-only download-file from outbound send/upload actions. (src/agents/pi-embedded-subscribe.handlers.tools.ts:707, 3db1508f1ee7)
• Pending tool media is merged into final payloads: The runner merges pending tool media into the first visible reply, or creates a media-only reply if no visible reply exists, matching the reported leak and duplicate-delivery shape. (src/agents/pi-embedded-runner/run/tool-media-payloads.ts:10, 3db1508f1ee7)
• Adjacent but not canonical related work: GitHub search found open related media-delivery PR fix(agent): keep tool media authoritative in replies #82870, but its stated scope is preserving authoritative tool-produced media, not preventing read-only Slack downloads from becoming outbound attachments.

Likely related people:

• vincentkoc: Authored recent tool-media provenance and metadata-preservation commits that are directly adjacent to the pending tool-media merge path. (role: recent area contributor; confidence: high; commits: 310c8530eb81, e774b25b2fa5, f05f9f69d79a; files: src/agents/pi-embedded-runner/run/tool-media-payloads.ts, src/agents/pi-embedded-subscribe.tools.ts)
• steipete: Recent GitHub history shows multiple Slack action/runtime and structured message attachment changes in the same delivery surface. (role: recent Slack and message-delivery contributor; confidence: high; commits: 79220d78327d, 22963259c9db, 2dfa2663ecff; files: extensions/slack/src/action-runtime.ts, src/agents/pi-embedded-subscribe.handlers.tools.ts)
• pgondhi987: Authored the recent Slack read target allowlist change touching extensions/slack/src/action-runtime.ts, including nearby read/download authorization behavior. (role: recent Slack read-target contributor; confidence: medium; commits: ea5f2abb4873; files: extensions/slack/src/action-runtime.ts)

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[neeravmakwana]

Opened a focused fix PR: #86318

The PR keeps Slack download-file results agent-readable while marking the downloaded media as non-outbound so it is not merged into auto-reply media.