openclaw - 💡(How to fix) Fix Sandboxed agents can't reply to channel DMs — message tool excluded from default sandbox allowlist; plain-text reply routes to internal webchat

StepCodex · 2026-05-30T06:07:52Z

[openclaw] A sandboxed agent sandbox: { mode: "all", scope: "agent" } receives a Telegram DM and generates a reply, but the reply never reaches the user. The s… A sandboxed agent (`sandbox: { mode: "all", scope: "agent" }`) receives a Telegram DM and generates a reply, but the reply never reaches the user. The same agent in host mode (`sandbox: off`) replies fine. ## Workaround Add `message` to the agent's sandbox allowlist: ```json5 "tools": { "sandbox": { "tools": { "alsoAllow": ["message"] } } } ``` The agent then uses the `message` tool → `message.action channel=telegram` → `outbound send ok`. Host-mode agents are unaffected (they reply via the native path). ### Summary A sandboxed agent (`sandbox: { mode: "all", scope: "agent" }`) receives a Telegram DM and generates a reply, but the reply never reaches the user. The same agent in host mode (`sandbox: off`) replies fine. ### Environment - OpenClaw 2026.5.27, model `openai-codex/gpt-5.5` - Linux (Ubuntu), Docker sandbox backend - One gateway hosting multiple agents, one Telegram bot per agent ### Symptom Inbound DM is received, the agent runs, then the reply is logged as: ``` [agent:nested] session=agent: :telegram:direct: channel=webchat ``` …and **never delivered** to the originating bot. The user sees "thinking…" then nothing. ### Root cause (two parts) 1. **`message` tool is excluded from the default sandbox allowlist.** `DEFAULT_TOOL_ALLOW` for sandboxes includes `sessions_send` but **not** `message`. The gateway logs it clearly: ``` [agents/tool-policy] tool policy removed N tool(s) via sandbox tools.allow: ..., message, ... ``` So a sandboxed agent's only messaging tool is `sessions_send`, which is dispatched with `deliver:false, channel:INTERNAL_MESSAGE_CHANNEL, lane:nested` → logged via the nested lane, never delivered to a real channel. 2. **The sandboxed plain-text auto-reply routes to the internal `webchat` channel** instead of the session's inbound channel, so even without an explicit tool call the reply is lost. ### Workaround Add `message` to the agent's sandbox allowlist: ```json5 "tools": { "sandbox": { "tools": { "alsoAllow": ["message"] } } } ``` The agent then uses the `message` tool → `message.action channel=telegram` → `outbound send ok`. Host-mode agents are unaffected (they reply via the native path). ### Suggested fixes - Include `message` in the default sandbox tool allowlist (or surface a clear hint when a channel-bound sandboxed agent has no deliverable messaging tool). - Route the sandboxed plain-text auto-reply to the session's inbound channel (`lastChannel`/`origin.provider`) instead of `webchat`.

openclaw2026-05-30 06:07:52

ON THIS PAGE

Recommended Tools

×6

Utilities matched from this issue’s tags and category — try them while you read without losing context.

GitHub issue graph ai analysis

Paste a GitHub issue URL. We fetch that issue, discover linked issues from bodies/comments/timeline, collect linked pull requests, and produce a structured English report.

The report is written in English Markdown for sharing and archival.

GitHub issue URL

Helpful · Quick feedback

A sandboxed agent (sandbox: { mode: "all", scope: "agent" }) receives a Telegram DM and generates a reply, but the reply never reaches the user. The same agent in host mode (sandbox: off) replies fine.

Root Cause

Root cause (two parts)

message tool is excluded from the default sandbox allowlist. DEFAULT_TOOL_ALLOW for sandboxes includes sessions_send but not message. The gateway logs it clearly:
```
[agents/tool-policy] tool policy removed N tool(s) via sandbox tools.allow: ..., message, ...
```
So a sandboxed agent's only messaging tool is sessions_send, which is dispatched with deliver:false, channel:INTERNAL_MESSAGE_CHANNEL, lane:nested → logged via the nested lane, never delivered to a real channel.
The sandboxed plain-text auto-reply routes to the internal webchat channel instead of the session's inbound channel, so even without an explicit tool call the reply is lost.

Fix Action

Workaround

Add message to the agent's sandbox allowlist:

"tools": { "sandbox": { "tools": { "alsoAllow": ["message"] } } }

The agent then uses the message tool → message.action channel=telegram → outbound send ok. Host-mode agents are unaffected (they reply via the native path).

Code Example

[agent:nested] session=agent:<id>:telegram:direct:<uid> channel=webchat <reply text>

---

[agents/tool-policy] tool policy removed N tool(s) via sandbox tools.allow: ..., message, ...

---

"tools": { "sandbox": { "tools": { "alsoAllow": ["message"] } } }

RAW_BUFFERClick to expand / collapse

Summary

Environment

OpenClaw 2026.5.27, model openai-codex/gpt-5.5
Linux (Ubuntu), Docker sandbox backend
One gateway hosting multiple agents, one Telegram bot per agent

Symptom

Inbound DM is received, the agent runs, then the reply is logged as:

[agent:nested] session=agent:<id>:telegram:direct:<uid> channel=webchat <reply text>

…and never delivered to the originating bot. The user sees "thinking…" then nothing.

Root cause (two parts)

message tool is excluded from the default sandbox allowlist. DEFAULT_TOOL_ALLOW for sandboxes includes sessions_send but not message. The gateway logs it clearly:
```
[agents/tool-policy] tool policy removed N tool(s) via sandbox tools.allow: ..., message, ...
```
So a sandboxed agent's only messaging tool is sessions_send, which is dispatched with deliver:false, channel:INTERNAL_MESSAGE_CHANNEL, lane:nested → logged via the nested lane, never delivered to a real channel.
The sandboxed plain-text auto-reply routes to the internal webchat channel instead of the session's inbound channel, so even without an explicit tool call the reply is lost.

Workaround

Add message to the agent's sandbox allowlist:

"tools": { "sandbox": { "tools": { "alsoAllow": ["message"] } } }

The agent then uses the message tool → message.action channel=telegram → outbound send ok. Host-mode agents are unaffected (they reply via the native path).

Suggested fixes

Include message in the default sandbox tool allowlist (or surface a clear hint when a channel-bound sandboxed agent has no deliverable messaging tool).
Route the sandboxed plain-text auto-reply to the session's inbound channel (lastChannel/origin.provider) instead of webchat.

Vote matrix · Quick signals

Works

Did the solution work? Tap to confirm.

Easy Fix

Was it a quick fix?

Time Saver

Did it save you time?

Blocking

Was it severely blocking?

Common Issue

Are others likely hitting this too?

Flaky / Intermittent

Is it intermittent?

Verified / Reproducible

Can you reproduce it reliably?

Still need to ship something?

×6

Another batch ranked right after the header list — different links, same matching logic.

Data

Security

Network

Code

UI/UX

Text

System

Multimedia

Protocol

API

Engineering

openclaw - 💡(How to fix) Fix Sandboxed agents can't reply to channel DMs — message tool excluded from default sandbox allowlist; plain-text reply routes to internal webchat

Recommended Tools

GitHub issue graph ai analysis

Root Cause

Root cause (two parts)

Fix Action

Workaround

Code Example

Summary

Environment

Symptom

Root cause (two parts)

Workaround

Suggested fixes

Still need to ship something?

TRENDING