openclaw - 💡(How to fix) Fix Bug: Slack outbound reply fails to resolve SecretRef (exec provider) — "unresolved SecretRef" on final reply [1 comments, 2 participants]

Summary

When Slack is configured with an exec-provider SecretRef for botToken and appToken, inbound messages are received and processed correctly, but the outbound reply fails with:

[slack] final reply failed: Error: channels.slack.accounts.default.botToken: unresolved SecretRef "exec:keychain_slack_bot:value". Resolve this command against an active gateway runtime snapshot before reading it.

The socket connects, the agent runs, and the LLM produces a response — but the reply is never delivered to Slack.

Config (redacted)

{
  "channels": {
    "slack": {
      "mode": "socket",
      "botToken": {
        "source": "exec",
        "provider": "keychain_slack_bot",
        "id": "value"
      },
      "appToken": {
        "source": "exec",
        "provider": "keychain_slack_app",
        "id": "value"
      }
    }
  },
  "secrets": {
    "providers": {
      "keychain_slack_bot": {
        "source": "exec",
        "command": "/path/to/keychain-slack-bot"
      },
      "keychain_slack_app": {
        "source": "exec",
        "command": "/path/to/keychain-slack-app"
      }
    }
  }
}

The keychain scripts resolve correctly when run directly (tested).

Behavior

• Startup: Socket Mode connects fine. channel resolve and user resolve fail with missing_scope (unrelated noise), but socket connects.
• Inbound: Messages from Slack arrive and trigger the agent session (agent:main:slack:channel:...)
• LLM: Agent runs successfully, model produces a reply
• Outbound (broken): [slack] final reply failed: ... unresolved SecretRef

Additional observations

• The error references channels.slack.accounts.default.botToken even though no accounts.default exists in the config — OpenClaw appears to internally normalize the top-level Slack config into an accounts.default structure, but the resolved SecretRef is not carried through to the outbound send path.
• Telegram uses the same exec SecretRef pattern for botToken and works correctly — so the SecretRef provider itself is working.
• Workaround: Inlining the token as plaintext in the config (insecure but functional).
• The bug has been present since at least 2026-03-08 based on log history (first occurrence: Telegram, resolved differently there; Slack broken consistently since ~2026-04-03).

Steps to reproduce

1. Configure channels.slack.botToken and channels.slack.appToken as exec-provider SecretRefs
2. Configure matching secrets.providers entries with shell scripts that return the tokens
3. Start gateway — Socket Mode connects
4. Send a message in a Slack channel the bot is in
5. Observe: agent runs, reply is never sent, error in gateway.err.log

Environment

• OpenClaw: 2026.4.15 (041266a)
• OS: macOS 26.4.1 (arm64)
• Slack channel mode: Socket Mode