Issue Station
Sign In
Tools hereToolbox

openclaw - ✅(Solved) Fix [Bug]: WhatsApp groupPolicy "allowlist" bypassed — agent replies in non-allowlisted group [1 pull requests, 3 comments, 3 participants]

Official PRs (…)
ON THIS PAGE

Recommended Tools

×6

Utilities matched from this issue’s tags and category — try them while you read without losing context.

GitHub issue graph ai analysis

Paste a GitHub issue URL. We fetch that issue, discover linked issues from bodies/comments/timeline, collect linked pull requests, and produce a structured English report.

The report is written in English Markdown for sharing and archival.

Helpful · Quick feedback

Loading…
GitHub stats
openclaw/openclaw#52763Fetched 2026-04-08 01:19:47
View on GitHub
Comments
3
Participants
3
Timeline
6
Reactions
0
Author
henrikrexedhenrikrexed
Participants
henrikrexedhenrikrexedHollychou924Hollychou924joelnishanthjoelnishanth
Timeline (top)
commented ×3labeled ×2cross-referenced ×1

With groupPolicy: "allowlist" and zero groups in the allowlist, the agent processed a group message and sent a reply ("D'accord, je vous laisse avancer tranquillement ! 👋") directly into a private WhatsApp family group ([email protected] ⁠). The group was never allowlisted. Text replies in DM sessions work correctly — only group gating is broken.

Root Cause

With groupPolicy: "allowlist" and zero groups in the allowlist, the agent processed a group message and sent a reply ("D'accord, je vous laisse avancer tranquillement ! 👋") directly into a private WhatsApp family group ([email protected] ⁠). The group was never allowlisted. Text replies in DM sessions work correctly — only group gating is broken.

Fix Action

Fixed

PR fix notes

PR #53123: fix(whatsapp): add outbound guard for group allowlist policy

Description (problem / solution / changelog)

Summary

Fixes #52763

Adds an outbound guard that refuses to send replies to groups that are not in the allowlist, even if the message somehow passed inbound gating.

This is a defense-in-depth measure against race conditions or batching issues that might bypass the inbound group policy check in applyGroupGating.

Changes

  • Added outbound group policy check in deliver callback (process-message.ts)
  • Logs a warning when a reply is blocked
  • Added test coverage for the new guard

Root cause analysis

The bug reported in #52763 shows that with groupPolicy: "allowlist" and no groups allowlisted:

  1. Group messages were logged in applyGroupGating as "group mention debug" with correct gating
  2. After multiple messages, one message was forwarded to the agent (possible race/batching issue)
  3. The agent replied TO the group despite the policy

The inbound gating in applyGroupGating correctly returns { shouldProcess: false }, but this fix adds a second check at delivery time as insurance.

Test plan

  • Added test blocks outbound replies to non-allowlisted groups (defense in depth)
  • CI checks pass

Joel Nishanth · offlyn.AI

Changed files

  • extensions/whatsapp/src/auto-reply/monitor/process-message.inbound-context.test.ts (modified, +43/-0)
  • extensions/whatsapp/src/auto-reply/monitor/process-message.ts (modified, +14/-0)

Code Example

{
     "channels": {
       "whatsapp": {
         "enabled": true,
         "dmPolicy": "allowlist",
         "selfChatMode": true,
         "allowFrom": ["+33XXXXX", "+3367XXXX", "+336XXXXXXX"],
         "groupPolicy": "allowlist",
         "debounceMs": 0,
         "mediaMaxMb": 50
       }
     }
   }

---

{
  "correlationId": "3A056369862E1B4BFBC2",
  "to": "[email protected] ⁠",
  "from": "+3368XXXX",
  "text": "D'accord, je vous laisse avancer tranquillement ! 👋",
  "durationMs": 689
}

---

**Group messages correctly gated (debug log):**

"group mention debug" {
  "conversationId": "[email protected] ⁠",
  "wasMentioned": false,
  "body": "Je suis au lounge de Marseille"
}

Multiple messages went through this debug path: "Ok cool bon trajet", "vous êtes en route?", "Non pas encore", "mais ??".

**Message forwarded to agent despite gating:**

"Inbound message [email protected] -> +33687XXXXX (group, 622 chars)"


**Reply sent TO the group (the bug):**

{
  "module": "web-auto-reply",
  "correlationId": "3A056369862E1B4BFBC2",
  "to": "[email protected] ⁠",
  "from": "+336XXXXX",
  "text": "D'accord, je vous laisse avancer tranquillement ! 👋",
  "mediaUrl": null,
  "durationMs": 689
}

Timestamp: `2026-03-22T15:23:20.113Z`
RAW_BUFFERClick to expand / collapse

Bug type

Behavior bug (incorrect output/state without crash)

Summary

With groupPolicy: "allowlist" and zero groups in the allowlist, the agent processed a group message and sent a reply ("D'accord, je vous laisse avancer tranquillement ! 👋") directly into a private WhatsApp family group ([email protected] ⁠). The group was never allowlisted. Text replies in DM sessions work correctly — only group gating is broken.

Steps to reproduce

  1. Configure OpenClaw 2026.3.13 with WhatsApp channel:

    {
  "channels": {
    "whatsapp": {
      "enabled": true,
      "dmPolicy": "allowlist",
      "selfChatMode": true,
      "allowFrom": ["+33XXXXX", "+3367XXXX", "+336XXXXXXX"],
      "groupPolicy": "allowlist",
      "debounceMs": 0,
      "mediaMaxMb": 50
    }
  }
}

    Note: No groupsAllowFrom or equivalent field is set. No groups are allowlisted.

  2. Have multiple messages arrive in a WhatsApp group (e.g., family group chat) where the owner's number is a participant.

  3. Observe the gateway logs: applyGroupGating processes the messages with wasMentioned: false, logging them as "group mention debug".

  4. After several messages arrive in quick succession, one message is forwarded to the agent as an inbound message: "Inbound message [email protected] ⁠-> +336XXXXXX (group, 622 chars)".

  5. The agent processes the message and sends a reply TO the group: "to": "[email protected] ⁠".

Expected behavior

With groupPolicy: "allowlist" and no groups in the allowlist, ALL group messages should be silently dropped. No inbound processing, no agent turn, and no outbound reply should ever be sent to any group chat. This is the behavior implied by the config — an empty allowlist means "block everything."

Actual behavior

  1. The applyGroupGating function logged group messages as "group mention debug" with wasMentioned: false (correctly identifying them as group messages).
  2. Despite this, after multiple messages arrived, one was forwarded to the agent as an inbound message (622 chars — possibly batched/accumulated).
  3. The agent processed it and sent a reply directly into the group chat.

Gateway log confirming the outbound message to the group:

{
  "correlationId": "3A056369862E1B4BFBC2",
  "to": "[email protected] ⁠",
  "from": "+3368XXXX",
  "text": "D'accord, je vous laisse avancer tranquillement ! 👋",
  "durationMs": 689
}

Log entry: "auto-reply sent (text)" at 2026-03-22T15:23:20.113Z via deliverWebReply.

OpenClaw version

2026.3.13 (61d171a)

Operating system

Linux 6.8.0-106-generic (x64) — Ubuntu 24.04

Install method

npm global

Model

anthropic/claude-opus-4-6

Provider / routing chain

openclaw -> anthropic (direct, token auth)

Additional provider/model setup details

Standard Anthropic token auth via auth.profiles.anthropic:default. No routing proxies. selfChatMode: true is enabled — the owner chats with the agent in their own WhatsApp self-chat. The group where the leak occurred contains numbers that are in the DM allowFrom list (+33XXXXXXX), which may be relevant to the bypass.

Logs, screenshots, and evidence

**Group messages correctly gated (debug log):**

"group mention debug" {
  "conversationId": "[email protected] ⁠",
  "wasMentioned": false,
  "body": "Je suis au lounge de Marseille"
}

Multiple messages went through this debug path: "Ok cool bon trajet", "vous êtes en route?", "Non pas encore", "mais ??".

**Message forwarded to agent despite gating:**

"Inbound message [email protected] -> +33687XXXXX (group, 622 chars)"


**Reply sent TO the group (the bug):**

{
  "module": "web-auto-reply",
  "correlationId": "3A056369862E1B4BFBC2",
  "to": "[email protected] ⁠",
  "from": "+336XXXXX",
  "text": "D'accord, je vous laisse avancer tranquillement ! 👋",
  "mediaUrl": null,
  "durationMs": 689
}

Timestamp: `2026-03-22T15:23:20.113Z`

Impact and severity

  • Affected: Any WhatsApp group where the owner is a participant, even with groupPolicy: "allowlist" and no groups allowlisted
  • Severity: High — privacy breach. The agent spoke in a private family group that was never authorized. Agent responses could leak context from the owner's private DM session into group chats.
  • Frequency: Observed once, triggered after multiple group messages arrived in quick succession (~5 messages over 40 minutes). May be timing-dependent or related to message batching.
  • Consequence: Unauthorized message sent to a private group. Loss of trust in the group gating mechanism.

Additional information

Possible contributing factors:

  1. selfChatMode: true may interact with group messages in unexpected ways — the group contains +3363XXXXX which is in the DM allowFrom list.
  2. Message accumulation: The first 4 group messages were correctly gated (debug only). The 5th triggered a 622-char inbound message. This may indicate a race condition or batching issue in applyGroupGating.
  3. Missing outbound guard: Even if a group message passes inbound gating, the outbound delivery path (deliverWebReply) should independently verify the target is not a non-allowlisted group before sending.

Suggested fix: Add a double-check on the outbound path — deliverWebReply should refuse to send to group IDs (*@g.us) that are not in the allowlist, regardless of how the inbound message was classified.

extent analysis

Fix Plan

To address the issue, we need to add an additional check in the deliverWebReply function to ensure that messages are not sent to non-allowlisted groups. Here are the steps:

  • Modify the deliverWebReply function to check if the target is a group ID (*@g.us) and if it is in the allowlist.
  • If the target is a group ID and not in the allowlist, refuse to send the message.

Example code:

function deliverWebReply(message) {
  // ... existing code ...

  // Check if the target is a group ID and if it is in the allowlist
  if (message.to.endsWith('@g.us') && !isGroupAllowlisted(message.to)) {
    // Refuse to send the message if the group is not allowlisted
    console.log(`Refusing to send message to non-allowlisted group: ${message.to}`);
    return;
  }

  // ... existing code ...
}

function isGroupAllowlisted(groupId) {
  // Check if the group ID is in the allowlist
  // This function should be implemented based on the actual allowlist configuration
  // For example:
  const allowlistedGroups = getConfig().groupsAllowFrom;
  return allowlistedGroups.includes(groupId);
}

Verification

To verify that the fix worked, you can test the following scenarios:

  • Send a message to a non-allowlisted group and verify that the message is not sent.
  • Send a message to an allowlisted group and verify that the message is sent.
  • Test the selfChatMode: true scenario to ensure that the fix does not introduce any regressions.

Extra Tips

  • Make sure to thoroughly test the fix to ensure that it does not introduce any new issues.
  • Consider adding additional logging to help diagnose any future issues related to group messaging.
  • Review the applyGroupGating function to ensure that it is correctly gating group messages and not introducing any race conditions or batching issues.

Vote matrix · Quick signals

Works
Did the solution work? Tap to confirm.
Easy Fix
Was it a quick fix?
Time Saver
Did it save you time?
Blocking
Was it severely blocking?
Common Issue
Are others likely hitting this too?
Flaky / Intermittent
Is it intermittent?
Verified / Reproducible
Can you reproduce it reliably?
Loading…

FAQ

Expected behavior

With groupPolicy: "allowlist" and no groups in the allowlist, ALL group messages should be silently dropped. No inbound processing, no agent turn, and no outbound reply should ever be sent to any group chat. This is the behavior implied by the config — an empty allowlist means "block everything."

#model download#tokenizer error#prompt formatting#chain error#conversation history

Still need to ship something?

×6

Another batch ranked right after the header list — different links, same matching logic.

Back to top recommendations

TRENDING