[Bug]: Non-workspace skills are inaccessible to the agent when sandbox is in workspaceAccess: "rw" mode

[gbb-netizen]

Bug type

Regression (worked before, now fails)

Beta release blocker

No

Summary

When the sandbox is configured with workspaceAccess: "rw", the agent inside the sandbox cannot read the SKILL.md files of managed skills (~/.openclaw/skills/) or bundled/plugin skills (/usr/lib/node_modules/openclaw/skills/, extensions/*/skills/). The sandbox has no access.

workspaceAccess: "rw" mode: Lacks an automatic visibility mechanism for non-workspace skills.

Steps to reproduce

Configure the sandbox with workspaceAccess: "rw".
Start a staff agent (which creates an independent workspace).
Have the agent use feishu-doc or any other managed/bundled skill.
Check the logs to see the "Path escapes sandbox root" error.

Expected behavior

When the sandbox is configured with workspaceAccess: "rw", the agent should still be able to access and read the system-level and managed skills provided in the system prompt. The environment should ensure these skill files are either mirrored into the workspace or correctly mapped within the sandbox boundary, allowing for multi-step tasks that rely on those skills.

Actual behavior

The agent fails to read the SKILL.md files for non-workspace skills. Any attempt to access paths outside the specific workspace directory (such as /usr/lib/node_modules/openclaw/... or ~/.openclaw/skills/...) is blocked by the path resolver, resulting in a "Path escapes sandbox root" error. This effectively breaks all core skills for agents running in rw mode unless those skills are manually copied into the workspace beforehand.

OpenClaw version

2026.6.1

Operating system

Ubuntu 24

Install method

npm

Model

chatgpt-5.5

Provider / routing chain

openclaw -> codex

Additional provider/model setup details

No response

Logs, screenshots, and evidence

Impact and severity

Builtin skills are fully broken with sandbox RW mode. Further, all users of builtin skills that need read/write access are completely broken in sandbox mode. Workspaceacces "none" is also broken due to a separate bug that prevents write access, so there's no workaround for this bug.

Additional information

A prior filing of this bug was mistakenly closed due to hallucination of a PR as an issue tracker, and that PR was mistakenly closed due to hallucination of a separate PR as resolving the bug (it did not resolve the bug).

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve. Reviewed June 4, 2026, 12:33 PM ET / 16:33 UTC.

Summary
Keep open: current main still source-proves the rw sandbox skill visibility gap, and the prior linked fix PR is closed unmerged, so there is no implemented or viable canonical fix to close against.

Reproducibility: yes. at source level. Current main keeps rw runs on the agent workspace, does not sync non-workspace skills into that root, and rejects unmapped host skill paths through the sandbox resolver; I did not run a live sandbox session.

Next step
Needs maintainer/security review before automation because the repair changes sandbox skill visibility and must choose the safe copy/mount/rewrite shape.

Security
Needs attention: This issue touches sandbox file visibility, so any fix needs security review to avoid broadening access beyond eligible read-only skill files.

Review details

Best possible solution:

Implement a sandbox-safe rw skill materialization or mapping path that exposes only eligible non-workspace skills at readable read-only in-sandbox locations while keeping the existing escape check strict.

Do we have a high-confidence way to reproduce the issue?

Yes, at source level. Current main keeps rw runs on the agent workspace, does not sync non-workspace skills into that root, and rejects unmapped host skill paths through the sandbox resolver; I did not run a live sandbox session.

Is this the best way to solve the issue?

No current fix is present. The closed related PR attempted the right problem area but left the sync unreachable and was closed unmerged; the best path is a scoped maintainer-reviewed sandbox/skills fix rather than closing this issue again.

AGENTS.md: found and applied where relevant.

Remaining risk / open question:

• I did not run a live sandbox/Codex turn, so the reproduction is source-level rather than end-to-end runtime proof.
• The fix changes sandbox skill visibility and must preserve strict path rejection, read-only skill exposure, and per-agent skill eligibility filtering.

Codex review notes: model gpt-5.5, reasoning high; reviewed against feb6dc6bb6ee.

Label changes

Label changes:

• add P1: The issue reports a regression that breaks advertised skill usage for sandboxed rw agent workflows in the latest release.
• add impact:security: The affected behavior is directly about sandbox filesystem visibility and path-boundary enforcement for skill files.
• add issue-rating: 🦞 diamond lobster: Current issue advisory state selects this label.
• add clawsweeper:source-repro: Current issue advisory state selects this label.
• add clawsweeper:no-new-fix-pr: Current issue advisory state selects this label.
• add clawsweeper:fix-shape-clear: Current issue advisory state selects this label.
• add clawsweeper:needs-maintainer-review: Current issue advisory state selects this label.
• add clawsweeper:needs-product-decision: Current issue advisory state selects this label.
• add clawsweeper:needs-security-review: Current issue advisory state selects this label.

Label justifications:

• P1: The issue reports a regression that breaks advertised skill usage for sandboxed rw agent workflows in the latest release.
• impact:security: The affected behavior is directly about sandbox filesystem visibility and path-boundary enforcement for skill files.

Evidence reviewed

Security concerns:

• [medium] Preserve sandbox boundary while exposing skills — src/agents/sandbox/context.ts:50
  A fix must not loosen Path escapes sandbox root behavior or mount broad host/package directories; it should expose only eligible skill files through a narrow read-only in-sandbox path.
  Confidence: 0.86

Acceptance criteria:

• Add a focused regression test proving a rw sandboxed run sees managed, bundled, and plugin skills at readable in-sandbox paths.
• Add/adjust sandbox mount or filesystem bridge tests proving non-workspace skill files are read-only and unrelated host paths still fail with Path escapes sandbox root.
• Run the nearest sandbox/skills tests for src/agents/sandbox/context.ts, src/agents/sandbox/workspace-mounts.ts, and src/skills/loading/workspace.ts.

What I checked:

• Current rw layout skips skill sync: Current main selects the real agent workspace as the active workspace for workspaceAccess: "rw", then only runs syncSkillsToWorkspace inside the sandbox-workspace branch and behind a workspaceAccess !== "rw" guard. (src/agents/sandbox/context.ts:50, feb6dc6bb6ee)
• Sandboxed read does not get host skill roots: When a sandbox root exists, skillReadRoots is disabled and the read tool is created against the sandbox root, so host-side managed or bundled skill paths are not allowed through the normal read path. (src/agents/agent-tools.ts:713, feb6dc6bb6ee)
• RW mounts only cover workspace-local skill roots: The rw mount helper overlays only <workspace>/skills and <workspace>/.agents/skills as read-only protected skill mounts; it does not map managed, bundled, or plugin skill roots into the sandbox. (src/agents/sandbox/workspace-mounts.ts:65, feb6dc6bb6ee)
• Escaped paths are rejected by the sandbox resolver: Sandbox filesystem path resolution builds a mount table and throws Path escapes sandbox root when a requested path is outside the mounted workspace/bind roots. (src/agents/sandbox/fs-paths.ts:69, feb6dc6bb6ee)
• Skill contract expects readable SKILL.md paths: OpenClaw and Codex prompt contracts tell the model to read the full skill file at the listed location when a skill applies, so advertising host-only paths inside a sandbox breaks the intended skill workflow. (packages/agent-core/src/harness/system-prompt.ts:14, feb6dc6bb6ee)
• Existing sync mechanism can copy non-workspace skills: syncSkillsToWorkspace already accepts managed, bundled, and plugin skill directories and copies eligible entries into a target workspace skills directory, but it early-returns when source and target workspaces are the same. (src/skills/loading/workspace.ts:1520, feb6dc6bb6ee)

Likely related people:

• steipete: Current blame for the central sandbox layout and rw workspace branch points to Peter Steinberger, and remote history shows refactor(sandbox): share workspace layout setup touched src/agents/sandbox/context.ts. (role: feature owner and recent adjacent owner; confidence: high; commits: 69c27677f663, 182afe9f594d; files: src/agents/sandbox/context.ts, src/agents/sandbox/workspace-mounts.ts, src/agents/agent-tools.ts)
• gumadeiras: Remote commit history shows Gustavo Madeira Santana added inherited agent skill allowlists and preserved remote skill sync eligibility in the same skills/sandbox selection path. (role: recent skills/sandbox contributor; confidence: medium; commits: ddd250d13075, 5e365a8ec4a5; files: src/skills/loading/workspace.ts, src/agents/sandbox/context.ts)

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[brokemac79]

I’m working on a scoped sandbox/skills fix for this: materialize eligible non-workspace skills into a narrow read-only in-sandbox path for workspaceAccess: "rw", while preserving strict sandbox path rejection. I’ll keep this as a maintainer/security-review PR and won’t merge or enable automerge.