[Bug]: Streaming repairJson injects control chars into unescaped Windows paths in tool-call arguments

[yetval]

Bug type

Behavior bug (incorrect output/state without crash)

Summary

repairJson in the streaming JSON parser silently injects control characters (0x08, 0x09, 0x0A, 0x0C, 0x0D) into tool-call string arguments that contain an unescaped Windows path — so an exec/read/write/edit tool call for C:\bin\app.exe is executed against a corrupted path. Verified by running the real module on main (2026.5.31).

Steps to reproduce

The defect is in src/llm/utils/json-parse.ts, reached whenever a model streams tool-call arguments where a JSON.parse fails and repairJson runs (an unescaped backslash, which weaker / local OpenAI- and Anthropic-compatible models routinely emit). All streaming providers feed args through parseStreamingJson (src/llm/providers/{anthropic,openai-completions,mistral,openai-responses-shared}.ts, src/agents/{anthropic,openai}-transport-stream.ts).

Minimal deterministic repro against the real code:

import { parseStreamingJson } from "./src/llm/utils/json-parse.ts";

// Model streams tool args with an unescaped Windows path (invalid JSON -> repair runs):
console.log(parseStreamingJson('{"path":"C:\\bin\\app.exe"}'));

$ node --import tsx repro.mjs
{ path: 'C:\binu0008in\app.exe' }   // the "b" became 0x08 (backspace)

Full matrix (real module output, char codes shown):

Streamed args (raw)	Expected path	Actual path
{"path":"C:\bin\app.exe"}	C:\bin\app.exe	C:<0x08>in\app.exe
{"path":"C:\temp\x"}	C:\temp\x	C:<0x09>emp\x
{"path":"C:\new\file"}	C:\new\file	C:<0x0A>ew<0x0C>ile
{"path":"D:\reports\q"}	D:\reports\q	D:<0x0D>eports\q
{"path":"C:\users\bob"}	C:\users\bob	C:\users<0x08>ob

Expected behavior

repairJson already special-cases an invalid \u so that an unescaped Windows path round-trips to the literal backslash — this is the documented test contract in src/llm/utils/json-parse.test.ts:5-10 ({"path":"C:\users"} must parse to the literal string C:\users). The same repair must apply to \b \f \n \r \t: a backslash followed by these letters in a not-otherwise-valid JSON string came from a model that meant a literal backslash, and must be doubled (\\), not passed through as a control-char escape.

Actual behavior

src/llm/utils/json-parse.ts:3 lists b f n r t u in VALID_JSON_ESCAPES. The \u invalid case is handled separately (it doubles the backslash), but b f n r t fall into the pass-through branch at src/llm/utils/json-parse.ts:75-79:

if (VALID_JSON_ESCAPES.has(nextChar)) {
  repaired += `\\${nextChar}`;   // re-emits \b \f \n \r \t
  index += 1;
  continue;
}

JSON.parse then decodes \b→0x08, \t→0x09, \n→0x0A, \f→0x0C, \r→0x0D. The control char silently replaces the path separator + first letter of the next segment, and the corrupted string is assigned to block.arguments and handed to the executing tool.

OpenClaw version

2026.5.31-beta.4 (verified on main @ commit ec6ad88)

Operating system

Reproduced on Ubuntu 24.04 (defect is platform-independent; the corrupted data is Windows-path content emitted by the model, not the host OS).

Install method

pnpm dev (source checkout)

Model

Any model emitting unescaped backslashes in tool-call args (weaker/local OpenAI- and Anthropic-compatible models). Provider-independent.

Provider / routing chain

openclaw -> streaming tool-call parser (parseStreamingJson) -> tool executor

Logs, screenshots, and evidence

in={"path":"C:\bin\app.exe"} expected="C:\bin\app.exe" got="C:\binu0008in\app.exe" codes=[67,58,8,105,110,92,97,112,112,46,101,120,101]
in={"path":"C:\temp\x"}      expected="C:\temp\x"      got="C:u0009emp\x"           codes=[67,58,9,101,109,112,92,120]
in={"path":"C:\new\file"}    expected="C:\new\file"    got="C:u000Aewu000Cile"       codes=[67,58,10,101,119,12,105,108,101]
in={"path":"D:\reports\q"}   expected="D:\reports\q"   got="D:u000Deports\q"          codes=[68,58,13,101,112,111,114,116,115,92,113]
in={"path":"C:\users\bob"}   expected="C:\users\bob"   got="C:\usersu0008ob"          codes=[67,58,92,117,115,101,114,115,8,111,98]

Impact and severity

• Affected: any user whose model streams a tool-call string argument containing an unescaped Windows path segment beginning with b/f/n/r/t — extremely common (\bin, \temp/\tmp, \new, \reports, \build, \foo after a prior \f, etc.). Provider-independent.
• Severity: High. Silent data corruption of file/exec/read/write/edit tool arguments — the tool operates on the wrong path (wrong file, or a path containing a backspace/newline) with no error surfaced to the user.
• Frequency: Deterministic for the affected input shape (5/5 cases above), gated on the model emitting unescaped backslashes (well-behaved models that emit \\ succeed in JSON.parse first and never hit repairJson).
• Consequence: wrong-target or failed file operations; the user sees a correct path requested by the model but a corrupted path acted upon.

Additional information

Suggested fix: handle b f n r t the same way the invalid \u case is already handled — when the backslash is an unescaped-path indicator, double it (repaired += "\\\\") instead of passing the escape through. Equivalently, restrict the VALID_JSON_ESCAPES pass-through to ", \, / and double-escape the control-letter forms. Add the path cases (\bin, \temp, \new, \reports) to src/llm/utils/json-parse.test.ts, which currently only covers the \u case.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve. Reviewed June 1, 2026, 1:00 AM ET / 05:00 UTC.

Summary
Keep open: current main still has the shared streaming JSON parser behavior that can turn unescaped Windows path segments into control characters before tool execution, and no related merged fix or canonical duplicate was present in the provided context.

Reproducibility: yes. Source inspection gives a high-confidence reproduction path: feed parseStreamingJson a streamed tool-argument object containing unescaped Windows path segments like C:\new\file or C:\bin\app.exe and the current parser can return decoded control characters instead of literal separators.

Next step
This is a narrow, source-backed core parser bug with clear likely files and a focused regression-test path, so it is suitable for a repair PR.

Review details

Best possible solution:

Implement a shared streaming JSON/tool-argument parser fix with regression tests for control-letter Windows path segments, while preserving legitimate JSON escapes in non-path/freeform values.

Do we have a high-confidence way to reproduce the issue?

Yes. Source inspection gives a high-confidence reproduction path: feed parseStreamingJson a streamed tool-argument object containing unescaped Windows path segments like C:\new\file or C:\bin\app.exe and the current parser can return decoded control characters instead of literal separators.

Is this the best way to solve the issue?

The issue direction is right, but a repairJson-only fix is too narrow because parseJsonWithRepair can return after an initially successful JSON.parse; the best fix should cover both direct-parse and repair-fallback paths without changing legitimate escaped text values.

AGENTS.md: found and applied where relevant.

Remaining risk / open question:

• A naive parser change that treats every \n, \t, or similar JSON escape as a literal path separator would break legitimate escaped content; the fix needs path/tool-argument-aware regression coverage.

Codex review notes: model gpt-5.5, reasoning high; reviewed against abe2145153f0.

Label changes

Label changes:

• add P1: The issue describes a provider-independent agent/tool workflow bug where streamed tool-call arguments can silently target corrupted paths.
• add impact:data-loss: Wrong-path read/write/edit/exec arguments can make tools operate on unintended files, creating a concrete user-data corruption risk.
• add issue-rating: 🦞 diamond lobster: Current issue advisory state selects this label.
• add clawsweeper:source-repro: Current issue advisory state selects this label.
• add clawsweeper:queueable-fix: Current issue advisory state selects this label.
• add clawsweeper:fix-shape-clear: Current issue advisory state selects this label.

Label justifications:

• P1: The issue describes a provider-independent agent/tool workflow bug where streamed tool-call arguments can silently target corrupted paths.
• impact:data-loss: Wrong-path read/write/edit/exec arguments can make tools operate on unintended files, creating a concrete user-data corruption risk.

Evidence reviewed

Acceptance criteria:

• node scripts/run-vitest.mjs src/llm/utils/json-parse.test.ts
• If provider or transport code changes, also run the nearest affected stream tests such as node scripts/run-vitest.mjs src/agents/openai-transport-stream.test.ts or the relevant src/llm/providers/*.test.ts file.

What I checked:

• Current parser passes control-letter escapes through repair: VALID_JSON_ESCAPES includes b, f, n, r, and t, and the repair branch re-emits those escapes rather than doubling the backslash, so a later JSON parse decodes them as control characters. (src/llm/utils/json-parse.ts:3, abe2145153f0)
• Direct parse can corrupt path-like strings before repair runs: parseJsonWithRepair first returns JSON.parse(json) on success, so syntactically valid strings such as a path containing \n and \f can decode to newline/form-feed without ever reaching repairJson. (src/llm/utils/json-parse.ts:91, abe2145153f0)
• Existing tests cover only invalid unicode-style Windows paths: The adjacent regression test proves C:\users with invalid \u is preserved, but there is no coverage for \bin, \temp, \new, \reports, or similar control-letter segments. (src/llm/utils/json-parse.test.ts:4, abe2145153f0)
• Streaming callers hand parsed arguments to tool-call blocks: Provider and transport stream code assigns parseStreamingJson(...) directly to block.arguments or currentBlock.arguments, including Anthropic, OpenAI completions/responses, Mistral, and agent transport paths. (src/llm/providers/anthropic.ts:621, abe2145153f0)
• Adjacent malformed-argument wrapper does not cover this central case: The embedded-runner repair first treats a successfully parsed object as preserved, and it is only enabled for selected model APIs, so it does not replace a shared parseStreamingJson fix for valid JSON control escapes in path arguments. (src/agents/embedded-agent-runner/run/attempt.tool-call-argument-repair.ts:552, abe2145153f0)
• Latest release contains the same broad escape pass-through: v2026.5.28 has the same VALID_JSON_ESCAPES control-letter entries and pass-through branch; current main adds an invalid-\u repair/test but not the reported control-letter Windows path coverage. (src/llm/utils/json-parse.ts:3, e93216080aa1)

Likely related people:

• vincentkoc: Current blame for src/llm/utils/json-parse.ts and the visible parseStreamingJson call sites points to c5eddadd9d, and recent provider-stream history includes related OpenAI/OpenRouter parsing work. (role: current parser and provider-stream contributor; confidence: high; commits: c5eddadd9d3b, 68502c90d1fb; files: src/llm/utils/json-parse.ts, src/llm/utils/json-parse.test.ts, src/llm/providers/anthropic.ts)
• steipete: Recent history on the same provider and transport parsing surface includes multiple OpenAI/Anthropic stream normalization and replay hardening commits, plus the latest release tag that still carries the affected parser. (role: adjacent provider/runtime contributor; confidence: medium; commits: e93216080aa1, 87abcfd6a6b8; files: src/llm/utils/json-parse.ts, src/agents/openai-transport-stream.ts, src/llm/providers/openai-responses-shared.ts)
• vignesh07: The nearby malformed tool-call argument repair path has prior history under commit a2e4707cfe, which is relevant context if maintainers choose to reuse or avoid that narrower wrapper. (role: adjacent malformed tool-call repair contributor; confidence: medium; commits: a2e4707cfe4c; files: src/agents/embedded-agent-runner/run/attempt.tool-call-argument-repair.ts)

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[steipete]

Fixed in PR #88946 with a narrow shared parser repair.

What changed:

• parseJsonWithRepair now applies repair before the first JSON.parse, so syntactically valid-but-corrupting \n / \t / \b path segments cannot decode to control characters first
• JSON control escapes are preserved for normal text values
• inside a Windows-drive path prefix, \b, \f, \n, \r, and \t are treated as literal path separators from model-emitted tool-call args
• existing valid Unicode escapes still parse normally

Proof on inference at bb4ae914da:

• node scripts/run-vitest.mjs src/llm/utils/json-parse.test.ts -> 1 file passed, 9 tests passed
• node scripts/run-oxlint.mjs --tsconfig config/tsconfig/oxlint.core.json src/llm/utils/json-parse.ts src/llm/utils/json-parse.test.ts -> passed
• node scripts/run-tsgo.mjs -p tsconfig.core.json --incremental false -> passed
• git diff --check -> passed

Leaving this open until #88946 lands.