Issue Station
Sign In
Tools hereToolbox

openclaw - 💡(How to fix) Fix [Feature]: Expose channel user identity (SenderId) to skill/tool execution environment [1 comments, 2 participants]

Official PRs (…)
ON THIS PAGE

Recommended Tools

×6

Utilities matched from this issue’s tags and category — try them while you read without losing context.

GitHub issue graph ai analysis

Paste a GitHub issue URL. We fetch that issue, discover linked issues from bodies/comments/timeline, collect linked pull requests, and produce a structured English report.

The report is written in English Markdown for sharing and archival.

Helpful · Quick feedback

Loading…
GitHub stats
openclaw/openclaw#73343Fetched 2026-04-29 06:20:45
View on GitHub
Comments
1
Participants
2
Timeline
1
Reactions
0
Author
eightHundredseightHundreds
Participants
clawsweeper[bot]clawsweeper[bot]eightHundredseightHundreds
Timeline (top)
commented ×1

Allow plugins/skills to access the channel user's identity (SenderId) during tool/script execution, so downstream APIs can identify which user triggered the action.

Root Cause

Allow plugins/skills to access the channel user's identity (SenderId) during tool/script execution, so downstream APIs can identify which user triggered the action.

Fix Action

Fix / Workaround

  1. Extend before_tool_call hook result — add an optional env?: Record<string, string> field to PluginHookBeforeToolCallResult, merged into the exec environment in bash-tools.exec.ts.
  2. New dedicated hook (e.g. exec_env_provider) — fires during environment construction in the exec pipeline, allowing plugins to contribute env vars based on the current message context.
  3. Built-in injection — core automatically injects a set of OPENCLAW_* identity env vars when MsgContext is available, with an opt-in config flag for security.
  • Affected: Any enterprise deployment where OpenClaw calls internal APIs that require user attribution
  • Severity: Blocks workflow — without this, companies cannot meet audit/compliance requirements when using OpenClaw as an agent gateway
  • Frequency: Every skill/tool invocation that hits an authenticated company API
  • Consequence: Teams must build custom forks or workarounds to inject identity, or abandon OpenClaw for this use case entirely
RAW_BUFFERClick to expand / collapse

Summary

Allow plugins/skills to access the channel user's identity (SenderId) during tool/script execution, so downstream APIs can identify which user triggered the action.

Problem to solve

When OpenClaw calls external company APIs on behalf of a user (via skills or tools that execute shell scripts), the downstream service has no way to know which channel user initiated the request. This blocks common enterprise requirements like:

  • Per-user audit logging on the API side
  • User-level rate limiting or access control
  • Compliance tracing (who triggered what action, when)

Currently, SenderId exists in MsgContext for routing/auth/templating, but it is not passed into the exec environment. The before_tool_call hook only allows modifying tool parameters, not injecting environment variables. There is no plugin-level extension point to bridge this gap.

Proposed solution

Expose the channel user identity as an environment variable (e.g. OPENCLAW_SENDER_ID, OPENCLAW_CHANNEL_ID, OPENCLAW_CHANNEL_TYPE) during tool/skill shell execution. Possible implementation paths:

  1. Extend before_tool_call hook result — add an optional env?: Record<string, string> field to PluginHookBeforeToolCallResult, merged into the exec environment in bash-tools.exec.ts.
  2. New dedicated hook (e.g. exec_env_provider) — fires during environment construction in the exec pipeline, allowing plugins to contribute env vars based on the current message context.
  3. Built-in injection — core automatically injects a set of OPENCLAW_* identity env vars when MsgContext is available, with an opt-in config flag for security.

Preferred: option 1 or 2, as they keep the mechanism plugin-driven and opt-in.

Alternatives considered

  • Template interpolation in skill commands — only works for skills that support templates; doesn't cover arbitrary shell scripts or MCP tool calls.
  • Passing via tool parameters — requires each tool to explicitly declare and forward the user ID; not scalable and breaks existing tools.
  • Reading from a file/socket at runtime — fragile, race-prone, and breaks the stateless exec model.

Impact

  • Affected: Any enterprise deployment where OpenClaw calls internal APIs that require user attribution
  • Severity: Blocks workflow — without this, companies cannot meet audit/compliance requirements when using OpenClaw as an agent gateway
  • Frequency: Every skill/tool invocation that hits an authenticated company API
  • Consequence: Teams must build custom forks or workarounds to inject identity, or abandon OpenClaw for this use case entirely

Evidence/examples

  • The exec environment is built in src/agents/bash-tools.exec.ts (lines ~1509-1579) with no plugin hook.
  • before_tool_call hook (src/plugins/hooks.ts, lines ~778-811) only exposes params modification, not env.
  • MsgContext.SenderId is available at the routing layer (src/auto-reply/templating.ts) but never flows into exec.

Additional information

  • Must respect the existing security model — env injection should be opt-in and auditable.
  • Should not break sandboxed execution or leak identity to tools that don't need it.
  • Consider allowing plugins to declare which env vars they inject (manifest-level declaration for transparency).

extent analysis

TL;DR

Expose the channel user identity as an environment variable during tool/skill shell execution to enable downstream APIs to identify the user who triggered the action.

Guidance

  • Extend the before_tool_call hook result to include an optional env field, allowing plugins to inject environment variables into the exec environment.
  • Introduce a new dedicated hook, such as exec_env_provider, to enable plugins to contribute environment variables based on the current message context.
  • Ensure that any solution respects the existing security model, with opt-in and auditable env injection, and does not break sandboxed execution or leak identity to unnecessary tools.
  • Consider adding a manifest-level declaration for plugins to declare which environment variables they inject, promoting transparency.

Example

// Example of extended before_tool_call hook result
interface PluginHookBeforeToolCallResult {
  // ...
  env?: Record<string, string>;
}

// Example of new exec_env_provider hook
interface PluginHookExecEnvProviderResult {
  env: Record<string, string>;
}

Notes

The solution should be designed to work within the existing security model, ensuring that environment variable injection is opt-in and auditable. It's also crucial to prevent breaking sandboxed execution or leaking user identity to tools that don't require it.

Recommendation

Apply a workaround by extending the before_tool_call hook result to include an optional env field, as this approach keeps the mechanism plugin-driven and opt-in, aligning with the preferred solution paths outlined in the issue.

Vote matrix · Quick signals

Works
Did the solution work? Tap to confirm.
Easy Fix
Was it a quick fix?
Time Saver
Did it save you time?
Blocking
Was it severely blocking?
Common Issue
Are others likely hitting this too?
Flaky / Intermittent
Is it intermittent?
Verified / Reproducible
Can you reproduce it reliably?
Loading…
#api#environment variable#parallel task#integration issue#index setup

Still need to ship something?

×6

Another batch ranked right after the header list — different links, same matching logic.

Back to top recommendations

TRENDING