fix(slack): keep downloaded files out of reply media

[neeravmakwana]

Summary

• Fixes Slack: download-file results can leak into auto-reply media and duplicate final text #86300 by marking Slack download-file media as read-only/non-outbound while preserving the downloaded path and metadata for agent analysis.
• Teaches the shared tool-media extractor to skip structured media with outbound: false, including Slack image downloads that would otherwise fall back through details.path.
• Adds focused regressions for non-outbound structured media and image fallback suppression.

Root Cause

Slack download-file is a read/intake action, but its tool result was shaped like outbound media: details.media.mediaUrl pointed at the downloaded local file. The shared tool-media path trusts the built-in message tool for local media, so it extracted that local downloaded file and merged it into the final visible reply payload. That could re-upload an inbound private Slack attachment even when the agent only downloaded it for analysis.

Why This Fix Is Safe

The fix preserves the agent-readable file metadata (path, contentType, placeholder text, and details.media.mediaUrl) but adds an explicit runtime marker: outbound: false. The delivery pipeline now treats that marker as authoritative and refuses to queue it for auto-reply media. Explicit outbound flows remain unchanged: MEDIA: directives, generated media tools, TTS trusted media, and Slack send/upload actions still use the existing delivery paths.

Security/runtime controls unchanged: Slack read-target authorization, token selection, channel allowlist checks, max download size, local-media trust for explicit trusted tools, MCP/external local-media blocking, and outbound media loading policy are unchanged. This patch adds a runtime-enforced boundary; it does not rely on prompt text or model behavior.

Verification

• pnpm test extensions/slack/src/action-runtime.test.ts src/agents/pi-embedded-subscribe.handlers.tools.media.test.ts src/agents/pi-embedded-runner/run/tool-media-payloads.test.ts
  • Passed: 3 Vitest shards, 91 tests.
• git diff --check
  • Passed.
• pnpm check:changed
  • Passed: changed core/extension typecheck and lint lanes completed cleanly.

Real behavior proof

• Behavior addressed: Slack message.download-file results remain readable by the agent but no longer become auto-reply outbound media for a plain final answer.
• Real environment tested: Local macOS source checkout at 9db04a27eb20 plus this patch, Node v24.8.0, Slack channel C0B5897MA0M, Slack bot token loaded from .env as SLACK_BOT_TOKEN_1. Token values, team/user/bot ids, and file ids are redacted below.
• Exact steps or command run after this patch:
  1. Ran the local live Slack proof script from the patched checkout: OPENCLAW_BEHAVIOR_HEAD="$(git rev-parse --short=12 HEAD)" node --import tsx .artifacts/behavior-86300/slack-download-current-head-proof.mjs.
  2. The probe posted seed message OpenClaw #86300 live proof seed 86300-20260525T035423Z to Slack channel C0B5897MA0M.
  3. The probe uploaded harmless file 86300-20260525T035423Z-seed.txt in that Slack thread.
  4. The probe re-read the Slack thread and file metadata using the Slack Web API.
  5. The probe called OpenClaw Slack downloadFile for the real Slack file id, then ran the resulting tool result through extractToolResultMediaArtifact, filterToolResultMediaUrls("message", ...), and mergeAttemptToolMediaPayloads with a plain final text reply.
• Evidence after fix: Redacted local proof artifacts recorded the following after-fix values:

{
  "runId": "86300-20260525T035423Z",
  "env": {
    "tokenSourceKey": "SLACK_BOT_TOKEN_1",
    "channelId": "C0B5897MA0M",
    "node": "v24.8.0",
    "platform": "darwin"
  },
  "slack": {
    "auth": {
      "ok": true,
      "teamId": "T0B6...53NU",
      "userId": "U0B5...Q75Z",
      "botId": "B0B5...7LEB"
    },
    "seedMessageTs": "1779681264.262699",
    "uploadedFileId": "F0B5...SGM9"
  },
  "openclawDownloadFileResult": {
    "ok": true,
    "contentTypes": ["text"],
    "hasDetailsPath": true,
    "hasDetailsMedia": true,
    "detailsMedia": {
      "mediaUrl": "/Users/<redacted>/.openclaw/media/inbound/dbf0d310-464b-4beb-a41b-65fb8bb3ce14",
      "outbound": false,
      "contentType": "application/force-download"
    },
    "contentType": "application/force-download",
    "placeholder": "[Slack file: 86300-20260525T035423Z-seed.txt (fileId: F0B5...SGM9)]"
  },
  "toolMediaPipelineCurrentHead": {
    "extractedMediaUrls": [],
    "filteredMessageToolMediaUrls": [],
    "mergedPayloads": [
      {
        "text": "Plain final answer for 86300-20260525T035423Z"
      }
    ],
    "wouldAttachDownloadedFileToPlainFinalReply": false
  }
}

Follow-up Slack readback for the same run:

{
  "channel": "C0B5897MA0M",
  "seedMessageTs": "1779681264.262699",
  "fileId": "F0B5...SGM9",
  "repliesCount": 2,
  "repliesSawFile": true,
  "historyCount": 1,
  "historySawSeed": true,
  "historySawFile": false,
  "fileInfoOk": true,
  "fileName": "86300-20260525T035423Z-seed.txt",
  "fileMimetype": "text/plain",
  "fileSharesKeys": ["public"]
}

• Observed result after fix: Slack contained the real seed message and uploaded thread attachment, downloadFile succeeded and still returned agent-readable downloaded-file metadata, but outbound: false caused the shared media extractor to return no media URLs and the final plain reply payload stayed text-only (wouldAttachDownloadedFileToPlainFinalReply: false).
• What was not tested: No cross-workspace Slack scenario, private-channel invite flow, or full end-to-end model-generated assistant turn was run. The proof uses the real Slack Web API plus the exact OpenClaw Slack downloadFile and shared tool-media pipeline implicated by the issue.
• Proof limitations or environment constraints: Screenshots are intentionally not included in this PR body; the Slack-side screenshot will be uploaded manually. Redacted local artifact paths are not committed.

Out of scope

• Changing Slack upload/send semantics.
• Reworking same-text final-answer dedupe across unrelated delivery routes.
• Changing trusted local-media behavior for explicit generated media, TTS, or MEDIA: directives.
• Adding new Slack scopes or changing channel setup/onboarding behavior.

Made with Cursor

[clawsweeper]

Codex review: needs maintainer review before merge. Reviewed May 25, 2026, 4:49 AM ET / 08:49 UTC.

Summary
The PR marks Slack download-file media results as outbound: false, teaches shared tool-result media extraction to skip that marker, and adds focused Slack/shared media regressions.

PR surface: Source +9, Tests +56. Total +65 across 4 files.

Reproducibility: yes. Current main shows the implicated Slack result shape and shared extractor path, and the linked issue provides a concrete Slack thread reproduction outline; I did not run the live Slack scenario locally in this read-only review.

Review metrics: 1 noteworthy metric.

• Media-boundary files changed: 2 production files and 2 test files. The diff crosses Slack intake and shared agent reply-media delivery, so maintainers should review both sides of the boundary before merge.

Merge readiness
Overall: 🦞 diamond lobster
Proof: 🦞 diamond lobster
Patch quality: 🦞 diamond lobster
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Mantis proof suggestion
A Slack smoke proof would give maintainers visible confirmation that download-file no longer re-uploads attachments while intentional Slack media sends still work. A maintainer can ask Mantis to capture proof by posting a new PR comment that starts with the OpenClaw Mantis account mention, followed by:

slack desktop smoke: verify Slack download-file remains readable but a plain final reply does not re-upload the downloaded attachment.

Risk before merge

• This changes a shared tool-result media boundary: a legitimate outbound producer that incorrectly sets outbound: false would have reply media suppressed, while any Slack download-file path missing the marker could still leak inbound files into outbound replies.

Maintainer options:

1. Land after maintainer boundary review (recommended)
   Maintain the explicit outbound: false contract and land once maintainers are satisfied the shared extractor guard only suppresses read-only intake media.
2. Add one explicit outbound smoke before landing
   If maintainers want more confidence, require proof that Slack sendMessage or upload-file still sends intentional media while download-file stays text-only.
3. Pause for a different media contract
   If outbound is not the desired long-term marker, pause this branch and replace it with the maintainer-approved tool-result media contract.

Next step before merge
No repair branch is needed; maintainer review should decide whether to land or pause this privacy-sensitive shared media-boundary change.

Security
Cleared: No supply-chain or credential-handling regression was found; the patch narrows a privacy-sensitive outbound media boundary.

Review details

Best possible solution:

Land the narrow non-outbound media boundary for Slack downloads, with maintainer review confirming explicit outbound media flows remain unchanged.

Do we have a high-confidence way to reproduce the issue?

Yes. Current main shows the implicated Slack result shape and shared extractor path, and the linked issue provides a concrete Slack thread reproduction outline; I did not run the live Slack scenario locally in this read-only review.

Is this the best way to solve the issue?

Yes. The patch is the narrow maintainable fix: make Slack read-only downloads explicit non-outbound media and enforce that marker in the shared tool-media extractor without changing explicit send/upload or generated-media paths.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against c791e4242bc8.

Label changes

Label changes:

• add proof: sufficient: Contributor real behavior proof is sufficient. The PR body includes redacted live Slack/API and OpenClaw media-pipeline output showing after-fix downloadFile metadata remained readable but was not attached to a plain final reply.
• add rating: 🦞 diamond lobster: Overall readiness is 🦞 diamond lobster; proof is 🦞 diamond lobster and patch quality is 🦞 diamond lobster.
• remove rating: 🐚 platinum hermit: Current PR rating is rating: 🦞 diamond lobster, so this older rating label is no longer current.

Label justifications:

• P1: The linked Slack bug can duplicate replies and re-upload inbound private files during a live channel workflow.
• merge-risk: 🚨 message-delivery: The patch changes which tool-result media is eligible for final outbound replies, so a bad boundary could suppress intended attachments or allow unintended ones.
• rating: 🦞 diamond lobster: Overall readiness is 🦞 diamond lobster; proof is 🦞 diamond lobster and patch quality is 🦞 diamond lobster.
• status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (logs): The PR body includes redacted live Slack/API and OpenClaw media-pipeline output showing after-fix downloadFile metadata remained readable but was not attached to a plain final reply.
• proof: sufficient: Contributor real behavior proof is sufficient. The PR body includes redacted live Slack/API and OpenClaw media-pipeline output showing after-fix downloadFile metadata remained readable but was not attached to a plain final reply.

Evidence reviewed

PR surface:

Source +9, Tests +56. Total +65 across 4 files.

View PR surface stats

Area	Files	Added	Removed	Net
Source	2	9	0	+9
Tests	2	56	0	+56
Docs	0	0	0	0
Config	0	0	0	0
Generated	0	0	0	0
Other	0	0	0	0
Total	4	65	0	+65

What I checked:

• Repository policy read: Read the full root AGENTS.md and the scoped guides for extensions/ and src/agents/; the Slack plugin boundary, shared agent media, real-proof, and message-delivery merge-risk guidance affected this review. (AGENTS.md:1, c791e4242bc8)
• Current main lacks the non-outbound marker: On current main, Slack downloadFile returns non-image downloads with details.media.mediaUrl and image downloads with details.path/generated media, but neither path marks the result as non-outbound. (extensions/slack/src/action-runtime.ts:493, c791e4242bc8)
• Current main extracts that media for replies: On current main, extractToolResultMediaArtifact trusts structured details.media first and falls back to details.path for image content, so Slack download results can become pending reply media. (src/agents/pi-embedded-subscribe.tools.ts:511, c791e4242bc8)
• PR patch adds the intended boundary: The PR diff adds outbound: false to Slack download-file results and returns no media artifact when structured tool-result media has that marker. (src/agents/pi-embedded-subscribe.tools.ts:514, 8b261073432e)
• Regression coverage is focused: The diff adds regressions for non-outbound structured media and image fallback suppression, and updates the Slack download-file metadata expectation. (src/agents/pi-embedded-subscribe.handlers.tools.media.test.ts:667, 8b261073432e)
• Patch hygiene check: The PR diff is limited to four files and git diff --check reported no whitespace errors for the branch delta. (8b261073432e)

Likely related people:

• steipete: Peter Steinberger authored the unified tool media reply delivery work and has repeated adjacent agent/Slack media history in the paths this PR changes. (role: shared media feature-history owner; confidence: high; commits: 3cd4978fc212, 825028289b06; files: src/agents/pi-embedded-subscribe.tools.ts, src/agents/pi-embedded-subscribe.handlers.tools.ts, extensions/slack/src/action-runtime.test.ts)
• Devin Robison: Devin Robison authored the trusted tool media passthrough hardening that changed the same shared extraction/filtering path and related tests. (role: shared media boundary contributor; confidence: high; commits: 52ef42302ead; files: src/agents/pi-embedded-subscribe.tools.ts, src/agents/pi-embedded-subscribe.handlers.tools.ts, src/agents/pi-embedded-subscribe.handlers.tools.media.test.ts)
• gumadeiras: Gustavo Madeira Santana moved Slack action runtime into the extension, including the local downloadFile action surface this PR changes. (role: Slack action runtime introducer; confidence: medium; commits: b3ae50c71cb8; files: extensions/slack/src/action-runtime.ts, extensions/slack/src/action-runtime.test.ts)
• martingarramon: Martin Garramon authored the resolved-token Slack download-file change that directly touched downloadSlackFile call behavior in this runtime. (role: Slack download-file contributor; confidence: medium; commits: fd68c2816494; files: extensions/slack/src/action-runtime.ts, extensions/slack/src/action-runtime.test.ts)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[clawsweeper]

ClawSweeper PR egg

✨ Hatched: 🥚 common Mossy Diff Drake

Hatch command

Comment @clawsweeper hatch when this PR is hatchable.

Hatchability rules:

• Merged PRs are hatchable.
• Open PRs are hatchable when they are status: 👀 ready for maintainer look, status: 🚀 automerge armed, or labeled clawsweeper:automerge.
• Closed unmerged PRs are hatchable only when one of those hatchable labels is still present in the durable record.

Rarity: 🥚 common.
Trait: finds missing screenshots.
Image traits: location status garden; accessory CI status badge; palette coral, mint, and warm cream; mood watchful; pose peeking out from the egg shell; shell smooth pearl shell; lighting moonlit rim light; background subtle branch markers.
Share on X: post this hatch
Copy: My PR egg hatched a 🥚 common Mossy Diff Drake in ClawSweeper.

What is this egg doing here?

• Eggs appear after the PR passes real-behavior proof. It is here for vibes, not verdicts: it does not change labels, ratings, merge decisions, or automation.
• The shell reacts to review momentum: open follow-up work warms it up, re-review makes it wobble, and a clean final review lets it hatch.
• Hatchability usually comes from sufficient real-behavior proof, no blocking P0/P1/P2 findings, no security attention needed, and clean correctness. A merged PR is already final, so merge makes the egg hatchable independently.
• The hatch is seeded from this repository and PR number, so the same PR keeps the same creature; the reviewed head SHA can only change safe visual details.
• Rarity is just collectible sparkle: 🥚 common, 🌱 uncommon, 💎 rare, ✨ glimmer, and 🌈 legendary.