[Bug]: Docker sandbox still tries host skill paths after v2026.6.5 sandbox skill materialization

[brokemac79]

Bug type

Behavior bug (incorrect output/state without crash)

Beta release blocker

No

Summary

Raised on behalf of @gbb-netizen from follow-up comments on #90798, following the OpenClaw contribution guidance for reporting a new regression/bug as a GitHub Issue before a follow-up fix PR: https://github.com/openclaw/openclaw/blob/main/CONTRIBUTING.md

On v2026.6.5, Docker sandbox skill files are materialized under the documented /workspace/.openclaw/sandbox-skills/skills/... path, but fresh sandboxed threads still appear to make the agent use host/npm skill paths such as ~/.npm-global/lib/node_modules/openclaw/skills/gog/SKILL.md.

Steps to reproduce

Based on the reporter's observed reproduction:

1. Install/update to OpenClaw v2026.6.5 via openclaw update in WSL using the npm-based install path.
2. Use a Docker sandbox with workspaceAccess: "rw".
3. Run openclaw sandbox recreate --all.
4. Restart the Gateway.
5. Start a fresh thread with /new.
6. Ask the agent to use a bundled/non-workspace skill, for example gog.
7. Observe the agent attempting to read/search host paths such as ~/.npm-global/lib/node_modules/openclaw/skills/gog/SKILL.md instead of using the sandbox materialized skill path.

Expected behavior

After #90798 in v2026.6.5, the sandbox startup/prompt context should advertise skill files under the sandbox-readable materialized path:

/workspace/.openclaw/sandbox-skills/skills/<skill-name>/SKILL.md

The agent should not be instructed to read host/npm/home paths that are outside the sandbox boundary.

Actual behavior

The reporter says the materialized skill files are present in the documented sandbox directory, but the agent still tries to use host paths such as:

~/.npm-global/lib/node_modules/openclaw/skills/gog/SKILL.md

The agent then searches inaccessible locations, fails to locate the skill content, and falls back to doing the work from scratch.

The reporter could not easily capture the raw startup context, but observed the behavior by watching new-thread tool attempts and by asking the agent what was in its injected context.

OpenClaw version

v2026.6.5

Original report #90410 was on 2026.6.1; this follow-up reproduces after updating to v2026.6.5.

Operating system

Ubuntu 24 under WSL, carried forward from the original report #90410. Exact WSL distro/build details beyond Ubuntu 24 are not yet captured.

Install method

openclaw update; reporter believes this is the npm/global npm install path recommended around May 2026.

Original report #90410 listed install method as npm.

Model

chatgpt-5.5, carried forward from the original report #90410. The reporter has not explicitly reconfirmed the model for this follow-up after updating to v2026.6.5.

Provider / routing chain

openclaw -> codex, carried forward from the original report #90410. The reporter has not explicitly reconfirmed the provider/routing chain for this follow-up after updating to v2026.6.5.

Additional provider/model setup details

Original report #90410 had no additional provider/model setup details.

Logs, screenshots, and evidence

Reporter comments on the merged fix PR:

• fix(agents): materialize sandbox skills for rw sandboxes #90798 (comment)
• fix(agents): materialize sandbox skills for rw sandboxes #90798 (comment)

Relevant prior issue and fix PR:

• Prior bug: [Bug]: Non-workspace skills are inaccessible to the agent when sandbox is in workspaceAccess: "rw" mode #90410
• Fix PR: fix(agents): materialize sandbox skills for rw sandboxes #90798
• Merge commit: 3b6bcbf
• Release containing the fix: https://github.com/openclaw/openclaw/releases/tag/v2026.6.5

Evidence from release/PR state:

• fix(agents): materialize sandbox skills for rw sandboxes #90798 materialized eligible non-workspace skills into a sandbox-readable, read-only workspace for workspaceAccess: "rw".
• The reporter confirms the files are materialized as documented.
• The remaining reported failure is that the agent still appears to receive or act on host/npm skill paths in startup/injected context.

Remaining evidence gap:

• No direct redacted startup-context/log capture is available yet.
• The current report is grounded in user-observed new-thread tool behavior and the agent's own answer about its injected context.

Impact and severity

Affected: Docker sandbox users on v2026.6.5 relying on bundled/non-workspace skills in workspaceAccess: "rw" mode.

Severity: High, because skills can still be effectively unusable even though the materialized files exist.

Frequency: Reporter reproduced after openclaw sandbox recreate --all, Gateway restart, and a fresh /new thread.

Consequence: Sandboxed agents fail to load intended skill content and fall back to unskilled behavior.

Original #90410 impact was that builtin skills were fully broken with sandbox workspaceAccess: "rw"; this follow-up suggests #90798 fixed materialization/readability but not every prompt/startup-context path that tells the agent where to read skills.

Additional information

This should be treated as a follow-up to #90410/#90798, not a request for more user resets. The likely implementation hypothesis is that one startup prompt/context source still uses a host-path skill snapshot instead of the sandbox-rewritten materialized skill entries, but that needs code/repro confirmation before being treated as root cause.

This issue is intentionally scoped to the observed bug so a follow-up PR can remain focused, as requested by CONTRIBUTING.md.

[clawsweeper]

Thanks for the context here. I swept through the related work, and this is now duplicate or superseded.

Close as a duplicate: the earlier open report at #91761 covers the same v2026.6.5 Docker workspaceAccess: "rw" host skill path problem, has the original reporter’s details, and already carries the active P1/security/session-state follow-up.

Canonical path: Keep #91761 as the canonical open thread, and fix any remaining startup/context prompt path there by reusing the existing materialized sandbox skill runtime inputs.

So I’m closing this here and keeping the remaining discussion on #91761.

Review details

Best possible solution:

Keep #91761 as the canonical open thread, and fix any remaining startup/context prompt path there by reusing the existing materialized sandbox skill runtime inputs.

Do we have a high-confidence way to reproduce the issue?

No high-confidence live Docker first-turn reproduction was established in this review. The remaining problem is source-reproducible for a likely command/context prompt surface: current main still builds a skills prompt from the host workspace snapshot while reporting sandboxed context.

Is this the best way to solve the issue?

Yes for cleanup: closing this duplicate is the best issue-tracker outcome because the earlier original-reporter thread already owns the same remaining work. The best code direction is to audit first-turn and command/context prompt surfaces and route them through the materialized sandbox skill path rather than adding another rewrite layer.

Security review:

Security review needs attention: The issue is security-sensitive because any follow-up fix controls which skill files become visible inside a writable sandbox and how those paths are advertised to the model.

• [medium] Preserve read-only sandbox skill boundaries — src/auto-reply/reply/commands-system-prompt.ts:61
  A follow-up in the canonical issue must not expose host skill roots directly or make materialized skill files writable through the rw workspace; coverage should include prompt paths, read access, and blocked writes.
  Confidence: 0.68

AGENTS.md: found and applied where relevant.

What I checked:

• Full repository policy read: Root AGENTS.md was read fully, and the scoped agent guides under src/agents were read; the review applied the sandbox/security and current-main evidence requirements. (AGENTS.md:1, a4e02cd1dd48)
• Vision fit checked: VISION.md lists security and safe defaults plus bug fixes/stability as current priorities, so the underlying sandbox regression belongs in the repo; the cleanup decision is only about duplicate tracking. (VISION.md:15, a4e02cd1dd48)
• Canonical issue is already open: The public GitHub API shows [Bug]: Docker sandbox still advertises host skill paths in startup context on v2026.6.5 #91761 is open, was created earlier by the original reporter, has the same v2026.6.5 sandbox skill path report, and already has P1, impact:security, and impact:session-state labels.
• Canonical comments include active review: The canonical issue has a ClawSweeper review keeping it open for the same remaining host-path prompt/context concern and requesting maintainer/security follow-up plus live repro proof.
• Reporter follow-up matches this issue: The two linked comments on the merged fix PR say the skills are now present but the sandboxed model still tries npm/home skill paths and appears to be fed wrong startup-context paths.
• Canonical search found this as duplicate: GitHub issue search for the core terms returns the earlier canonical issue first, this issue second, and the merged materialization PR third.

Likely related people:

• brokemac79: Authored and merged the referenced v2026.6.5 materialization fix that introduced the current sandbox skill runtime helper and touched the central sandbox, skill loading, and docs surfaces. (role: prior sandbox-skills fix author; confidence: high; commits: 3b6bcbfb5045; files: src/agents/embedded-agent-runner/sandbox-skills.ts, src/agents/sandbox/context.ts, src/skills/loading/workspace.ts)
• vincentkoc: Current checkout blame for the command/context prompt path and sandbox-skill helper points at the grafted current-main snapshot authored by Vincent Koc, and release prep for v2026.6.5 is also in this area. (role: current-main provenance and release-area contributor; confidence: medium; commits: 25160515e05e, 5181e4f7c82b; files: src/auto-reply/reply/commands-system-prompt.ts, src/agents/embedded-agent-runner/sandbox-skills.ts, docs/gateway/sandboxing.md)

Codex review notes: model gpt-5.5, reasoning high; reviewed against a4e02cd1dd48.