[Bug]: Docker sandbox still advertises host skill paths in startup context on v2026.6.5

[gbb-netizen]

Bug type

Regression (worked before, now fails)

Beta release blocker

No

Summary

after updating openclaw, workspaceaccess "rw" sandbox in docker still tries to access skills from directories it doesn't have access to despite making a new sandbox and creating a new thread with /new

Steps to reproduce

Reset/repro attempted:
openclaw sandbox recreate --all
gateway restart
new thread via /new

Expected behavior

Startup context should point skills at /workspace/.openclaw/sandbox-skills/skills/...

Actual behavior

Skills are materialized in that directory, but the model is still instructed to read host paths such as ~/.npm-global/lib/node_modules/openclaw/skills/gog/SKILL.md

OpenClaw version

v2026.6.5

Operating system

WSL Ubuntu

Install method

npm global

Model

chatgpt-5.5 codex

Provider / routing chain

openclaw -> chatgpt-5.5

Additional provider/model setup details

No response

Logs, screenshots, and evidence

Impact and severity

prevents openclaw from using bundled skills automatically in the "rw" sandbox

Additional information

Follow-up from #90410 and #90798
#90798 fixed materialization/readability, but this report suggests a remaining prompt/startup-context rewrite path is still using host skill paths

[gbb-netizen]

sandbox config:

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve. Reviewed June 10, 2026, 1:24 AM ET / 05:24 UTC.

Summary
Keep open. Current main and the latest release still have a command/context prompt path that builds skills from the host workspace snapshot, and the linked closing PR is still open rather than merged.

Reproducibility: yes. at source level: current main still builds one command/context skills prompt from the host reusable snapshot while sandbox runtime info is active. I did not run the live Docker/WSL reproduction in this read-only review.

Next step
An open linked PR already owns the fix attempt, and the remaining blocker is maintainer/security review rather than a new automated repair job.

Security
Needs attention: The issue is security-sensitive because the affected prompt path controls what filesystem locations a sandboxed agent is instructed to read.

Review details

Best possible solution:

Review #91791 for sandbox/security acceptance and land it if the fail-closed behavior is approved; otherwise keep this issue as the canonical bug until a replacement fix is chosen.

Do we have a high-confidence way to reproduce the issue?

Yes at source level: current main still builds one command/context skills prompt from the host reusable snapshot while sandbox runtime info is active. I did not run the live Docker/WSL reproduction in this read-only review.

Is this the best way to solve the issue?

Yes: the best fix path is to reuse the materialized sandbox skill runtime inputs for startup/command prompt surfaces rather than adding another host-path rewrite. The linked PR appears to take that direction, but it still needs maintainer/security review before this issue can close.

AGENTS.md: found and applied where relevant.

Remaining risk / open question:

• The exact reporter WSL/npm-global /new thread was not live-reproduced in this read-only review.
• The linked fix changes sandbox prompt fallback behavior when sandbox metadata is missing, so maintainer/security owner acceptance remains part of the merge path.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 69a73b6278b5.

Label changes

Label changes:

• add clawsweeper:fix-shape-clear: Current issue advisory state selects this label.
• add clawsweeper:needs-product-decision: Current issue advisory state selects this label.

Label justifications:

• P1: A released Docker workspaceAccess: "rw" sandbox workflow can still lose automatic bundled-skill usability in fresh sessions.
• impact:security: The report concerns sandbox boundary prompts advertising host/global paths instead of sandbox-readable skill paths.
• impact:session-state: The affected startup/context prompt can carry wrong skill locations into fresh sandboxed session context.

Evidence reviewed

Security concerns:

• [medium] Preserve sandbox skill path boundaries — src/auto-reply/reply/commands-system-prompt.ts:61
  A fix must not expose host skill roots directly or make materialized skill files writable through the rw workspace; it should keep prompt locations aligned with sandbox-readable materialized paths.
  Confidence: 0.78

Acceptance criteria:

• Review the linked PR proof for rendered sandbox prompt paths and Docker readability.
• Verify focused sandbox prompt tests before landing any fix.
• Require sandbox/security owner acceptance for fail-closed missing-metadata behavior.

What I checked:

• Live issue state: The issue is still open, unassigned, and the discussion says materialization works but startup/context can still advertise host npm paths after sandbox recreation, Gateway restart, and a fresh /new thread.
• Documented expected behavior: The sandbox docs say workspaceAccess: "rw" should keep workspace skills at /workspace/skills and materialize eligible managed, bundled, or plugin skills under /workspace/.openclaw/sandbox-skills/skills. Public docs: docs/gateway/sandboxing.md. (docs/gateway/sandboxing.md:321, 69a73b6278b5)
• Current main still has the suspect command prompt path: resolveCommandsSystemPromptBundle still resolves a reusable workspace skill snapshot from workspaceDir and uses its prompt directly, which is the host-snapshot path implicated by the report. (src/auto-reply/reply/commands-system-prompt.ts:61, 69a73b6278b5)
• Current main command sandbox metadata is incomplete: The command/context sandbox workspace helper returns only workspaceDir and containerWorkdir, so this path does not expose the materialized skills workspace needed to rewrite skill locations. (src/agents/sandbox/context.ts:300, 69a73b6278b5)
• Existing correct runtime helper is separate: The embedded run path already uses resolveSandboxSkillRuntimeInputs, reloads materialized workspace-only skill entries, maps prompt locations, and renders from the sandbox prompt workspace. (src/agents/embedded-agent-runner/run/attempt.ts:1042, 69a73b6278b5)
• Release check: v2026.6.5 is the latest published release and its tagged source still shows the same command prompt snapshot path while the release notes mention writable-sandbox skill readability, matching the reporter's follow-up after that release. (src/auto-reply/reply/commands-system-prompt.ts:61, 5181e4f7c82b)

Likely related people:

• brokemac79: Authored the merged writable-sandbox skill materialization fix and the current open PR that targets this exact startup/context prompt remainder. (role: recent feature contributor; confidence: high; commits: 3b6bcbfb5045, 801d8125773d; files: src/agents/embedded-agent-runner/sandbox-skills.ts, src/agents/sandbox/context.ts, src/auto-reply/reply/commands-system-prompt.ts)
• Dallin Romney: Current shallow blame attributes the affected command prompt snapshot path, sandbox prompt helper, and sandbox workspace helper lines to commit 370cef2e3b; the grafted history makes this a routing hint rather than definitive ownership. (role: current-main history contributor; confidence: low; commits: 370cef2e3bdc; files: src/auto-reply/reply/commands-system-prompt.ts, src/agents/embedded-agent-runner/sandbox-skills.ts, src/agents/sandbox/context.ts)

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[brokemac79]

Additional maintainer context from the #90410/#90798 follow-up thread:

• This is the canonical follow-up issue; [Bug]: Docker sandbox still tries host skill paths after v2026.6.5 sandbox skill materialization #91764 was opened while coordinating the report and has now been closed as a duplicate of this issue.
• Original reporter and original bug context: [Bug]: Non-workspace skills are inaccessible to the agent when sandbox is in workspaceAccess: "rw" mode #90410 was filed by @gbb-netizen on 2026.6.1, Ubuntu 24, npm install, chatgpt-5.5, provider/routing openclaw -> codex.
• Release containment: fix(agents): materialize sandbox skills for rw sandboxes #90798 merged as 3b6bcbf and is included in v2026.6.5.
• The reporter confirmed the follow-up reproduces on v2026.6.5 after openclaw sandbox recreate --all, Gateway restart, and a fresh /new thread, with Docker sandbox and workspaceAccess: "rw".
• The important split is: materialization appears to work, but at least one prompt/startup/context surface still appears to advertise or cause reads from host npm paths such as ~/.npm-global/lib/node_modules/openclaw/skills/gog/SKILL.md instead of /workspace/.openclaw/sandbox-skills/skills/gog/SKILL.md.
• The reporter does not currently have a raw startup-context log; their evidence is from watching the agent try the wrong directories in fresh threads and asking the agent what was in its injected context.

This matches ClawSweeper's source-level suspect: audit first-turn and command/context prompt surfaces, especially any path that rebuilds a skills prompt from the host workspace snapshot while presenting sandbox context. A follow-up fix should reuse the existing materialized sandbox skill runtime inputs and preserve the read-only sandbox skill boundary rather than exposing host skill roots directly.

[brokemac79]

pls no one start work on PR for this item. I will start work on it now. i worked on the original issue so have the original context