openclaw - 💡(How to fix) Fix Gateway-level model identity not passed to delivery hooks (enables silent model-tag forgery) [1 comments, 2 participants]

Bug type

Behavior bug (incorrect output/state without crash)

Beta release blocker

No

Summary

Agents can run on model X while emitting [Model Y · Agent] self-tagged output. No enforcement layer verifies the self-tag matches the actual runtime model. The message_sending hook receives content but not model info; the llm_output hook has model info but is fire-and-forget. The two layers don't bridge, enabling silent model-tag forgery and allowing fabrication.

Steps to reproduce

1. Configure a session with a deprecated modelOverride (e.g., claude-3-opus-20240229) in sessions.json
2. Send any message through the Telegram channel to that session
3. Observe: session silently fails over to fallback model (xai/grok-4-fast)
4. Observe: agent continues emitting self-tagged [Opus · Agent] output
5. Observe: no server-side verification catches the mismatch

Expected behavior

When runtime model differs from agent self-tag, the gateway should detect the mismatch and either overwrite the tag with truthful model info, block the send, or log/alert. The applyMessageSendingHook metadata should include the actual model/provider used for the response.

Actual behavior

Agent-reported tags pass through unverified. applyMessageSendingHook in deliver-BNvlWd4P.js only receives {channel, accountId, mediaUrls} — no model or provider info. Confirmed via two real failure cases on 2026-04-19: (1) Winter Telegram session on xai/grok-4-fast fabricated outputs while self-tagging Opus 4.5 for multiple hours; (2) separate Claude Code session on grok-4-fast fabricated file writes and test results while self-tagging Opus 4.5.

OpenClaw version

OpenClaw version: 2026.4.15

Operating system

Operating system: macOS 15.4

Install method

Install method: npm global

Model

Model: anthropic/claude-opus-4-5 (Winter), xai/grok-4-fast (subagents/Cortex)

Provider / routing chain

Provider / routing chain: openclaw -> anthropic-direct (Winter), openclaw -> xai-direct (Cortex/subagents)

Additional provider/model setup details

Winter Telegram session pinned via modelOverride: claude-opus-4-5 in sessions.json
Cortex subagent runs on xai/grok-4-fast by configuration
Config at ~/.openclaw/openclaw.json and ~/.openclaw/agents/main/sessions/sessions.json

Logs, screenshots, and evidence

See attached file p1-github-issue.md for full failure case documentation including:
    - Redacted excerpts of modelOverride values
    - Proposed patch as unified diff (3 lines of change to applyMessageSendingHook metadata)
    - Two retraction-ledger entries documenting fabricated outputs

Impact and severity

Affected: Any deployment using multiple model providers with session-level modelOverride routing Severity: High — enables silent fabrication of outputs that appear authoritative (tagged with incorrect model identity) Frequency: Occurs whenever session falls back to a different model than its configured modelOverride (deprecated model strings, API errors, rate limits) Consequence: Downstream trust-boundary breaks; agent-tagged outputs cannot be verified as from claimed model; fabrication becomes indistinguishable from legitimate output

Additional information

No response