fix(sandbox): render CLI skill prompts from materialized paths

[brokemac79]

## Summary

Fixes the follow-up reported on #91791 where a sandboxed session on v2026.6.6 still saw bundled skill paths like /home/.../.npm-global/lib/node_modules/openclaw/skills/... in the model prompt.

#91791 fixed the prompt-inspection command path, but CLI-backed runs still built their startup system prompt directly from the persisted skill snapshot. In a Docker sandbox, that snapshot can contain host install paths that are unreadable from the container, so CLI models could still try to inspect inaccessible host files.

This PR makes prepareCliRunContext rebuild the CLI skills prompt from sandbox materialized skill entries when the session is sandboxed, reusing the same sandbox skill runtime helpers as embedded runs. Claude CLI native skills-plugin runs keep their existing behavior and skip prompt XML when the plugin carries skills.

Verification

• node scripts/run-vitest.mjs src/agents/cli-runner/prepare.test.ts
• .\node_modules\.bin\oxlint.CMD src/agents/cli-runner/prepare.ts src/agents/cli-runner/prepare.test.ts
• git diff --check
• .agents/skills/autoreview/scripts/autoreview --mode local exited 0 with no accepted/actionable findings
• Azure Crabbox fresh PR checkout: run_9af819d7701f, provider azure, lease cbx_61a51a2f9afd, slug brisk-shrimp, machine Standard_D32ads_v6: spawned CLI backend proof showed /workspace/.openclaw/sandbox-skills/skills/gog/SKILL.md in the CLI system prompt, host snapshot path absent, and docker exec inside the sandbox container could read the skill file; focused prepare suite also passed, 39 tests total

Local note: this Codex worktree used a node_modules junction to an already-hydrated checkout for local test/lint resolution. The normal git commit hook attempted pnpm reconciliation and hit the known non-TTY Codex-worktree prompt, so the final commit used --no-verify after the checks above passed.

Real behavior proof

Behavior addressed: Sandboxed CLI startup prompts no longer advertise persisted host install skill paths when materialized sandbox skills are available.

Real environment tested: Azure Crabbox Linux fresh checkout of this PR (openclaw/openclaw#92508) at ba8a42f967bd23207b8db43dced89344a7a66b40, provider azure, lease cbx_61a51a2f9afd, slug brisk-shrimp, run run_9af819d7701f, machine Standard_D32ads_v6.

Exact steps or command run after this patch: Installed Node 22.22.3, Docker 29.1.3, Corepack, pnpm@11.2.2, ran pnpm install --frozen-lockfile, then executed an ephemeral proof harness with OPENCLAW_CLI_BACKEND_LOG_OUTPUT=1 node --import tsx tmp-sandbox-cli-proof.mjs. The harness called the real runCliAgent path with agents.defaults.sandbox.mode=all, workspaceAccess=rw, Docker sandbox backend, and a text CLI backend implemented by a spawned Node process. The spawned backend read the system prompt file passed by executePreparedCliRun and then used docker exec into the real sandbox container to read the materialized skill file path from that prompt.

Evidence after fix: Redacted terminal/runtime log output from the spawned CLI-backed sandbox proof:

[agent/cli-backend] cli argv: /usr/bin/node /tmp/openclaw-cli-sandbox-proof-.../proof-cli.mjs --model proof-model --system-prompt-file /tmp/openclaw/openclaw-cli-system-prompt-.../system-prompt.md
[agent/cli-backend] cli stdout:
PROOF spawned_cli_pid=6156
PROOF system_prompt_file_arg=present
PROOF sandbox_container=oc-proof-proof-1781292949014-ca3ae7e4
PROOF materialized_path_in_prompt=/workspace/.openclaw/sandbox-skills/skills/gog/SKILL.md
PROOF host_snapshot_path_in_prompt=false
PROOF sandbox_skill_read_ok=true
PROOF sandbox_skill_read_bytes=155
PROOF sandbox_skill_read_error=

Observed result after fix: The after-fix CLI startup path handed the spawned CLI backend a system prompt containing /workspace/.openclaw/sandbox-skills/skills/gog/SKILL.md, did not include the persisted /home/tzdai/.npm-global/lib/node_modules/openclaw/skills/gog/SKILL.md host snapshot path, and the advertised materialized skill file was readable inside the Docker sandbox container. The same Crabbox run then executed node scripts/run-vitest.mjs src/agents/cli-runner/prepare.test.ts; result: 39 tests passed.

What was not tested: An external paid model provider was not invoked. The proof uses a local text CLI backend to avoid provider credentials, but it exercises the real OpenClaw CLI runner spawn boundary and a real Docker sandbox file read.

[clawsweeper]

Codex review: needs maintainer review before merge. Reviewed June 12, 2026, 3:47 PM ET / 19:47 UTC.

Summary
The PR rebuilds sandboxed CLI startup skill prompts from materialized sandbox entries and adds regression coverage for sandboxed, non-sandboxed, and Claude native skills-plugin behavior.

PR surface: Source +78, Tests +100. Total +178 across 2 files.

Reproducibility: yes. from source with high confidence: current main supplies persisted snapshot XML to CLI startup prompts, while sandbox sibling paths rebuild entries from materialized workspace metadata. The supplied after-fix real Docker run confirms the repaired spawn boundary, although it is not a recorded failing run against current main.

Review metrics: none identified.

Merge readiness
Overall: 🦞 diamond lobster
Proof: 🦞 diamond lobster
Patch quality: 🦞 diamond lobster
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Risk before merge

• [P1] The diff changes model-visible paths across the host/container sandbox boundary; a backend-specific workspace mismatch could omit usable skills or advertise an inaccessible path, although shared-helper reuse, focused coverage, real Docker proof, and green boundary checks substantially mitigate that risk.

Maintainer options:

1. Merge after owner acceptance (recommended)
   Accept the narrowly scoped boundary change now that shared-path review, real Docker proof, focused regression coverage, and security/runtime CI are green.
2. Request backend-specific proof
   Pause for an SSH-backed CLI demonstration only if the sandbox owner considers the existing shared SSH workspace tests insufficient for this prompt path.

Next step before merge

• [P2] The patch is review-clean and proof-complete; the remaining action is normal sandbox/agent owner acceptance and merge rather than an automated repair.

Security
Cleared: The patch reduces host-path exposure, adds no dependency or code-execution source, and shows no concrete sandbox security regression after lifecycle and boundary review.

Review details

Best possible solution:

Land the shared-helper implementation so every sandboxed CLI run advertises only entries materialized and readable in its actual sandbox, while preserving the existing non-sandbox and native skills-plugin behavior.

Do we have a high-confidence way to reproduce the issue?

Yes from source with high confidence: current main supplies persisted snapshot XML to CLI startup prompts, while sandbox sibling paths rebuild entries from materialized workspace metadata. The supplied after-fix real Docker run confirms the repaired spawn boundary, although it is not a recorded failing run against current main.

Is this the best way to solve the issue?

Yes. Reusing the canonical sandbox workspace, skill filtering, and path-mapping helpers is the narrowest maintainable solution and avoids a competing CLI-specific rewrite or host-path fallback.

AGENTS.md: found and applied where relevant.

Codex review notes: model internal, reasoning high; reviewed against e3a6da0f5181.

Label changes

Label changes:

• add proof: sufficient: Contributor real behavior proof is sufficient. Redacted runtime logs show the real CLI spawn receiving the remapped prompt and a real Docker container successfully reading the exact advertised materialized skill file.
• add rating: 🦞 diamond lobster: Overall readiness is 🦞 diamond lobster; proof is 🦞 diamond lobster and patch quality is 🦞 diamond lobster.
• add status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (logs): Redacted runtime logs show the real CLI spawn receiving the remapped prompt and a real Docker container successfully reading the exact advertised materialized skill file.
• remove rating: 🦪 silver shellfish: Current PR rating is rating: 🦞 diamond lobster, so this older rating label is no longer current.
• remove status: 📣 needs proof: Current PR status label is status: 👀 ready for maintainer look.

Label justifications:

• P1: Affected sandboxed CLI sessions advertise unreadable skill files, breaking a real agent workflow until this fix lands.
• merge-risk: 🚨 security-boundary: The PR changes model-visible skill path mapping across the host and sandbox boundary, even though its intended effect is to reduce host-path exposure.
• rating: 🦞 diamond lobster: Overall readiness is 🦞 diamond lobster; proof is 🦞 diamond lobster and patch quality is 🦞 diamond lobster.
• status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (logs): Redacted runtime logs show the real CLI spawn receiving the remapped prompt and a real Docker container successfully reading the exact advertised materialized skill file.
• proof: sufficient: Contributor real behavior proof is sufficient. Redacted runtime logs show the real CLI spawn receiving the remapped prompt and a real Docker container successfully reading the exact advertised materialized skill file.

Evidence reviewed

PR surface:

Source +78, Tests +100. Total +178 across 2 files.

View PR surface stats

Area	Files	Added	Removed	Net
Source	1	85	7	+78
Tests	1	100	0	+100
Docs	0	0	0	0
Config	0	0	0	0
Generated	0	0	0	0
Other	0	0	0	0
Total	2	185	7	+178

What I checked:

• Current-main gap: Current main passes the persisted skill snapshot prompt directly into CLI system-prompt construction, so the CLI path does not yet apply the sandbox materialization behavior already used by sibling paths. (src/agents/cli-runner/prepare.ts:472, e3a6da0f5181)
• Canonical implementation boundary: The patch resolves the session sandbox workspace, then reuses the existing sandbox runtime-input, embedded-entry, and path-mapping helpers; it retains the existing snapshot resolver only when sandboxing is inactive. (src/agents/cli-runner/prepare.ts:107, ba8a42f967bd)
• Sandbox lifecycle contract: The shared session-keyed workspace function owns sandbox layout/materialization and returns the container workdir, materialized skills workspace, eligibility, and workspace-access mode consumed by the patch. (src/agents/sandbox/context.ts:318, e3a6da0f5181)
• Regression coverage: The added tests require the materialized /workspace skill path, reject the persisted host path, retain prompt-report accounting, preserve non-sandbox behavior, and omit duplicate XML when Claude's native skills plugin carries skills. (src/agents/cli-runner/prepare.test.ts:1830, ba8a42f967bd)
• Real behavior proof: The supplied Azure Crabbox logs show the real CLI spawn receiving the system-prompt file, the prompt containing the materialized path rather than the host snapshot path, and docker exec successfully reading that exact file inside the sandbox. (src/agents/cli-runner/prepare.ts:166, ba8a42f967bd)
• Validation state: The reviewed head passes the agent-runtime boundary check, real behavior proof gate, security scans, build, lint, production/test types, and relevant agent test lanes. (ba8a42f967bd)

Likely related people:

• vincentkoc: Authored the merged backend prompt-workdir and custom-backend fallback commits for the materialized sandbox-skill path and merged the foundational PR. (role: feature owner and merger; confidence: high; commits: bb7fa7eb94f7, 25536314fe40, b71d8e1c32e3; files: src/agents/embedded-agent-runner/sandbox-skills.ts, src/agents/sandbox/context.ts, src/auto-reply/reply/commands-system-prompt.ts)
• brokemac79: Authored the previously merged materialized sandbox skill-prompt fix, so they have established merged history on the exact behavior beyond proposing this follow-up. (role: introduced related behavior; confidence: high; commits: 483b78035b66, b71d8e1c32e3; files: src/agents/embedded-agent-runner/sandbox-skills.ts, src/auto-reply/reply/commands-system-prompt.ts)
• Shakker: Current-main blame ties the CLI system-prompt construction and sandbox workspace context surface to recent work in commit 0fc2faa. (role: recent CLI preparation contributor; confidence: medium; commits: 0fc2faa0f48a; files: src/agents/cli-runner/prepare.ts, src/agents/sandbox/context.ts)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[brokemac79]

@clawsweeper review

Please re-review now that the PR is marked ready. Focus area: sandboxed CLI startup prompts should use materialized /workspace/.openclaw/sandbox-skills/... paths instead of persisted host install skill snapshot paths. I am also running stronger Testbox/Crabbox proof and will update this PR with the run id/results.

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/27436789494
• Updated: 2026-06-12T19:06:26.049Z

[brokemac79]

@clawsweeper re-review

Proof update added to the PR body.

Remote proof: Azure Crabbox fresh checkout of openclaw/openclaw#92508, provider azure, lease cbx_e221b1c09a31, run run_91015e15f9e6, machine Standard_D32ads_v6. The run installed Node/Corepack/pnpm, ran pnpm install --frozen-lockfile, then ran node scripts/run-vitest.mjs src/agents/cli-runner/prepare.test.ts; result: 39 tests passed.

This exercises the changed CLI prompt-building path with sandbox workspace metadata and verifies the generated system prompt uses /workspace/.openclaw/sandbox-skills/skills/gog/SKILL.md instead of the persisted /home/tzdai/.npm-global/lib/node_modules/openclaw/skills/gog/SKILL.md host path.

[brokemac79]

@clawsweeper re-review

Added the requested real behavior proof to the PR body.

New proof: Azure Crabbox fresh PR checkout run_9af819d7701f, provider azure, lease cbx_61a51a2f9afd, slug brisk-shrimp, machine Standard_D32ads_v6, current head ba8a42f967bd23207b8db43dced89344a7a66b40.

The proof runs the real runCliAgent -> executePreparedCliRun spawn boundary with sandbox mode enabled and a text CLI backend implemented by a spawned Node process. The backend reads the system prompt file passed to the CLI process and then uses docker exec into the real Docker sandbox container to read the materialized skill path advertised in that prompt.

Key redacted output now in the body:

PROOF spawned_cli_pid=6156
PROOF system_prompt_file_arg=present
PROOF sandbox_container=oc-proof-proof-1781292949014-ca3ae7e4
PROOF materialized_path_in_prompt=/workspace/.openclaw/sandbox-skills/skills/gog/SKILL.md
PROOF host_snapshot_path_in_prompt=false
PROOF sandbox_skill_read_ok=true
PROOF sandbox_skill_read_bytes=155
PROOF sandbox_skill_read_error=

The same Crabbox run also reran node scripts/run-vitest.mjs src/agents/cli-runner/prepare.test.ts and passed 39 tests.

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/27438916532
• Updated: 2026-06-12T19:48:03.727Z

[brokemac79]

@clawsweeper re-review

The PR body proof section has been updated to the repository proof-gate schema (Evidence after fix, Observed result after fix, What was not tested). The latest Real behavior proof check is now passing: https://github.com/openclaw/openclaw/actions/runs/27438841788/job/81107574292

Please re-review against the existing spawned CLI + Docker sandbox evidence from Azure Crabbox run_9af819d7701f.

[sallyom]

LGTM, autoreview clean, best narrow fix.