v5.22 regressions: group-chat over-suppression + sticky image re-attachment in always-on Discord channels

[Trevorwelton]

Two v5.22 regressions affecting always-on Discord channels (group-chat over-suppression + sticky image re-attachment)

Summary

After upgrading from 2026.5.7 → 2026.5.22, two distinct regressions surfaced that together cause significant noise and reduced reliability in always-on Discord group-chat agents:

1. Group-chat over-suppression: the "Be extremely selective: reply only when directly addressed or clearly helpful." line is now injected for every silentReplyPolicy value except "disallow". In v5.7 it was gated to === "allow" only. This biases agents in always-on channels (where the user expects engagement on every message) toward NO_REPLY / non-substantive replies.

2. Sticky image re-attachment: an image attached once is silently re-attached to every subsequent prompt because the post-turn prompt-text regex re-extracts the persisted ~/.openclaw/workspace/.openclaw-cli-images/<sha256>.<ext> path from the conversation transcript. The model then receives unrelated images on every turn and starts treating them as context.

Both have been root-caused below.

---

Environment

• OpenClaw: 2026.5.22 (a374c3a) (current latest on npm)
• Install location: /opt/homebrew/lib/node_modules/openclaw/
• Platform: macOS (darwin 25.5.0)
• Affected: 9 always-on Discord agents (group-chat channels with single-user, single-agent expectation)

---

Regression 1 — group-chat "Be extremely selective" un-gated

Location

• File: dist/get-reply-DOTqK3jN.js
• Function: buildGroupChatContext() (line 596)
• Offending push: line 612 — lines.push("Be extremely selective: reply only when directly addressed or clearly helpful.")
• Gating predicate: line 608

Diff vs v5.7

// v5.7 (correct)
const canUseSilentReply = !messageToolOnly && params.silentToken && params.silentReplyPolicy === "allow";

// v5.22 (broken)
const canUseSilentReply = !messageToolOnly && params.silentToken && params.silentReplyPolicy !== "disallow";

The condition flipped from "only when policy is allow" to "for every policy except disallow". That means default/unset/empty silentReplyPolicy now triggers the line. In v5.7, the default did not.

Secondary change: the silentReplyRewrite === true escape hatch that previously also suppressed the line is no longer consulted at this site.

Impact

• Every always-on Discord agent (intended for direct 1:1 use) gets the "Be extremely selective" line injected on every turn.
• Agents start replying with NO_REPLY to direct user messages, or with terse non-engagement, breaking the user's expected single-human/single-agent contract.
• groupActivation: "always" does not rescue this — normalizeGroupActivation is only consulted at lines 634 (resolveGroupSilentReplyBehavior) and 2574 (shouldInjectGroupIntro). buildGroupChatContext never reads groupActivation, so setting it to "always" has zero effect on the selective-reply line.

Workaround in place

We applied channel-level systemPrompt overrides across all 9 agent channels that explicitly tell the agent to ignore the "Be extremely selective" instruction in that channel. This is counter-injection, not removal — the offending line is still in the assembled prompt, just contradicted later. It works but is brittle.

Requested fix

Either:

• (a) Restore the v5.7 gating: change line 608 back to === "allow".
• (b) Add a per-channel skip via groupActivation: "always" (wire groupActivation into buildGroupChatContext and skip the line when it's "always").

(a) is the minimal one-character-class diff and restores known-good behavior.

Plugin SDK note

The context-engine plugin SDK (dist/plugin-sdk/src/context-engine/types.d.ts:23) exposes systemPromptAddition (prepend-only). There is no transform/strip hook to remove a line from the assembled system prompt — so users cannot patch this from a plugin today. Either a built-in fix or a systemPromptTransform hook is needed.

---

Regression 2 — sticky image re-attachment

Symptom

User sends one image in a Discord message. On every subsequent turn — even ones with no new attachment — the model receives a <system-reminder> saying Called the Read tool with the following input: {"file_path":"/Users/trevor/.openclaw/workspace/.openclaw-cli-images/<sha256>.jpg"} and re-receives the image bytes. The agent treats it as user-supplied context and references it in replies. Over multiple turns the same image gets re-injected indefinitely.

Root cause

Confirmed via source read. No state file is involved — the stickiness lives entirely in the replayed prompt transcript.

• File: dist/images-CHOq0BQv.js
• Function: detectImageReferences (lines 202–270)
• Offending pattern: the final catch-all PATH_PATTERN loop at line 269 matches any string ending in an image extension anywhere in the prompt — including text quoted from prior turns and synthetic <system-reminder> blocks describing past tool calls.

Contributing:

• dist/helpers-BpzSVpXp.js line 180–184 appendImagePathsToPrompt splices the absolute image path into the prompt text.
• dist/helpers-BpzSVpXp.js line 240–259 prepareCliPromptImagePayload — on every turn, when no fresh params.images is supplied, falls back to loadPromptRefImages(prompt), which feeds the entire prompt (history + system-reminders) back through detectImageReferences. That re-resolves the prior path, re-loads the bytes, re-writes to .openclaw-cli-images/, and re-appends. Sticky loop.
• dist/helpers-BpzSVpXp.js line 223 cleanup = async () => {} is a no-op, so .openclaw-cli-images/ grows unbounded.
• Backend default imagePathScope: "workspace" (cli-backend-*.js line ~52) places files at content-addressed ~/.openclaw/workspace/.openclaw-cli-images/<sha256>.<ext>. The digest is stable across turns and the directory never auto-cleans.

Impact

• Unrelated images leak into every subsequent conversation turn (information leakage + bias).
• Wasted model spend re-loading large image bytes on every turn.
• .openclaw-cli-images/ directory grows unbounded.

Requested fix

Ranked, lowest-risk first:

1. Skip self-written paths in detection — in dist/images-CHOq0BQv.js ~line 269, the final PATH_PATTERN loop should skip path matches that point inside any .openclaw-cli-images/ directory. These are sink files OpenClaw itself wrote — they are never user-authored references and should not be re-resolved.
2. Use a sentinel instead of a real path — appendImagePathsToPrompt (helpers line 180) could emit something like [openclaw-image-internal: <basename>] and resolve via a separate non-regex channel.
3. Wire real cleanup — replace the no-op at helpers line 223 with an unlink-after-turn so the directory doesn't grow unbounded.

(1) is the minimum hot-patch.

---

Combined ask

These two regressions interact badly: in an always-on Discord agent that received an image once, every subsequent turn now (a) carries the "Be extremely selective" suppression line and (b) re-attaches the old image, biasing the agent to under-engage on a turn that contains unrelated image context. The agent then often responds with irrelevant commentary on the sticky image instead of substantive engagement on the user's actual text.

If both fixes can land together in 2026.5.23 (or backport into the 5.24-beta line), it would fully resolve the always-on Discord experience.

Happy to test a beta build or pre-release patch and report back.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve. Reviewed May 25, 2026, 8:45 PM ET / 00:45 UTC.

Summary
Keep open: current main and the latest release still contain the two reported paths. The sticky image reattachment is source-proven; the group prompt behavior also exists, but changing it should get maintainer direction because current docs/tests define group silence as the default behavior.

Reproducibility: yes. at source level: current main still routes group prompts through the non-disallow silent policy gate and re-scans full prompts for generic image paths. I did not establish a live Discord reproduction in this read-only pass.

Next step
The sticky image loop is a narrow repair, but the group prompt change would alter current default group-silence behavior, so a maintainer should choose the policy or split the issue before repair.

Security
Needs attention: The sticky-image path can repeatedly feed stale user images into later model turns, so the issue should be handled as sensitive media/context behavior.

Review details

Best possible solution:

Land a focused fix that prevents OpenClaw-written image cache paths from being rehydrated as fresh prompt image refs, and make an explicit maintainer decision on whether default/always-on group prompts should keep or drop selective silent-token guidance.

Do we have a high-confidence way to reproduce the issue?

Yes, at source level: current main still routes group prompts through the non-disallow silent policy gate and re-scans full prompts for generic image paths. I did not establish a live Discord reproduction in this read-only pass.

Is this the best way to solve the issue?

Unclear for the group-prompt half because current docs/tests make group silence the default, so maintainers should choose the intended policy. The image half has a narrow maintainable fix: do not treat OpenClaw-written .openclaw-cli-images paths as user-authored prompt image references.

AGENTS.md: found and applied where relevant.

Remaining risk / open question:

• I did not run a live Discord or CLI-agent repro in this read-only review; the failure is source-reproducible from current code paths.
• Changing the group prompt gate may conflict with the documented current default that groups/channels allow silence, so maintainers should choose the intended default behavior before an automated repair changes it.

Codex review notes: model gpt-5.5, reasoning high; reviewed against c9364f03dcbb.

Label changes

Label changes:

• add P1: The report describes a current-release regression affecting always-on Discord agent replies and stale media context for real user channels.
• add impact:security: Repeatedly feeding an old user image into later turns is sensitive media handling and possible information leakage within the agent context.
• add impact:message-loss: The group prompt behavior can suppress expected channel replies through NO_REPLY or non-engagement in always-on Discord group/channel sessions.
• add impact:session-state: The image path loop can carry stale image context across later turns, causing transcript/context drift.
• add issue-rating: 🦞 diamond lobster: Current issue advisory state selects this label.
• add clawsweeper:source-repro: Current issue advisory state selects this label.
• add clawsweeper:no-new-fix-pr: Current issue advisory state selects this label.
• add clawsweeper:fix-shape-clear: Current issue advisory state selects this label.
• add clawsweeper:needs-maintainer-review: Current issue advisory state selects this label.
• add clawsweeper:needs-product-decision: Current issue advisory state selects this label.
• add clawsweeper:needs-security-review: Current issue advisory state selects this label.

Label justifications:

• P1: The report describes a current-release regression affecting always-on Discord agent replies and stale media context for real user channels.
• impact:message-loss: The group prompt behavior can suppress expected channel replies through NO_REPLY or non-engagement in always-on Discord group/channel sessions.
• impact:session-state: The image path loop can carry stale image context across later turns, causing transcript/context drift.
• impact:security: Repeatedly feeding an old user image into later turns is sensitive media handling and possible information leakage within the agent context.

Evidence reviewed

Security concerns:

• [medium] Stale image context can be reattached to later turns — src/agents/pi-embedded-runner/run/images.ts:409
  OpenClaw-written image cache paths are appended into prompts and later detected again as generic image references, which can expose old user media to unrelated model turns.
  Confidence: 0.84

Acceptance criteria:

• node scripts/run-vitest.mjs src/agents/cli-runner.helpers.test.ts src/agents/pi-embedded-runner/run/images.test.ts src/auto-reply/reply/groups.test.ts src/config/silent-reply.test.ts --reporter dot
• Add regression coverage showing .openclaw-cli-images paths from prior prompt text are not reloaded as fresh images.
• If maintainers choose to change group prompt policy, add coverage for default/unset group silent policy and always-on activation behavior.

What I checked:

• Current group prompt gating: buildGroupChatContext still enables silent-reply prompt guidance whenever a silent token exists and the policy is not disallow, which includes the default resolved allow policy for groups. (src/auto-reply/reply/groups.ts:254, c9364f03dcbb)
• Group activation not passed to persistent context: The call to buildGroupChatContext passes session context, delivery mode, silent policy, and silent token, but not groupActivation; activation is only used for intro/behavior resolution nearby. (src/auto-reply/reply/get-reply-run.ts:515, c9364f03dcbb)
• Default group silence contract: The current shared policy defaults group conversations to allow, and tests assert that default group policy resolves to allow; that makes the group prompt portion a policy-sensitive fix rather than a blind one-line restore. (src/shared/silent-reply-policy.ts:9, c9364f03dcbb)
• Image prompt re-scan path: When no explicit images are supplied, prepareCliPromptImagePayload calls loadPromptRefImages on the full prompt, and detectImageReferences then scans generic path references including .openclaw-cli-images paths appended on earlier turns. (src/agents/cli-runner/helpers.ts:335, c9364f03dcbb)
• Generic path matcher remains active: The final PATH_PATTERN loop still adds any absolute, relative, or home path ending in an image extension; there is no guard for OpenClaw's own .openclaw-cli-images sink directory. (src/agents/pi-embedded-runner/run/images.ts:409, c9364f03dcbb)
• CLI image paths are appended and retained: CLI image files are content-addressed, appended back into stdin/@ prompts, and their cleanup function is intentionally a no-op, so a later prompt transcript can expose the same path to image detection again. (src/agents/cli-runner/helpers.ts:294, c9364f03dcbb)

Likely related people:

• UB: Current blame for the group prompt helper, image reference detector, and CLI image helper points to commit 48adcb1 authored by UB. (role: current implementation author; confidence: medium; commits: 48adcb162c92; files: src/auto-reply/reply/groups.ts, src/agents/pi-embedded-runner/run/images.ts, src/agents/cli-runner/helpers.ts)
• steipete: git show --format=fuller --no-patch 48adcb162c92cf12dd7e50a15fca0d62a35d556c shows Peter Steinberger as the committer for the central current implementation commit. (role: committer/merger; confidence: medium; commits: 48adcb162c92; files: src/auto-reply/reply/groups.ts, src/agents/pi-embedded-runner/run/images.ts, src/agents/cli-runner/helpers.ts)

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.