openclaw - 💡(How to fix) Fix Telegram exec approval inline buttons fail when channels.telegram.botToken uses env SecretRef [1 participants]

Summary

Telegram exec approval prompts can be delivered successfully and inline buttons render in DM, but pressing the approval button fails server-side and the command never executes.

The callback handler crashes with:

channels.telegram.botToken: unresolved SecretRef "env:default:TELEGRAM_BOT_TOKEN". Resolve this command against an active gateway runtime snapshot before reading it.

This appears to be a Telegram exec-approval callback/runtime bug when channels.telegram.botToken is configured as an env-backed SecretRef instead of a plain string.

Related but distinct from:

• #33070
• #34292
• #37909

Those issues cover status/tool-call SecretRef resolution failures. This report is specifically about Telegram inline exec approval button callbacks.

Environment

• OpenClaw: 2026.4.1
• Host: Linux x86_64
• Telegram enabled
• Telegram exec approvals enabled
• channels.telegram.execApprovals.target = "dm"
• channels.telegram.capabilities.inlineButtons = "dm"
• channels.telegram.botToken = "env:default:TELEGRAM_BOT_TOKEN"

Expected behavior

When Telegram exec approvals are enabled and inline buttons are shown in DM:

• approval prompt arrives in Telegram DM
• inline buttons render
• pressing Approve completes the callback
• approved command runs
• follow-up result is delivered normally

Actual behavior

• approval prompt arrives in Telegram DM
• inline buttons render
• pressing Approve appears to do nothing from the user perspective
• command never runs
• gateway logs show callback failure due to unresolved Telegram bot token SecretRef

Manual approval via /approve <id> allow-once still works, so the issue appears specific to the inline button callback path.

Reproduction

Config conditions

Telegram is configured with:

{
  "channels": {
    "telegram": {
      "enabled": true,
      "botToken": "env:default:TELEGRAM_BOT_TOKEN",
      "capabilities": { "inlineButtons": "dm" },
      "execApprovals": {
        "enabled": true,
        "target": "dm",
        "approvers": ["507915654"]
      }
    }
  }
}

Steps

1. Start OpenClaw with Telegram enabled.
2. Trigger any approval-required exec command, for example:

printf 'telegram inline approval test %s\n' "$(date -Is)" > /tmp/telegram-inline-approval-test.txt

1. Receive the approval prompt in Telegram DM.
2. Press the inline Approve button.

Result

The command does not run, and the approval callback fails.

Log evidence

Observed error:

2026-04-02T17:22:38.364+08:00 [telegram] callback handler failed: Error: channels.telegram.botToken: unresolved SecretRef "env:default:TELEGRAM_BOT_TOKEN". Resolve this command against an active gateway runtime snapshot before reading it.

Why this looks like a bug instead of misconfiguration

• Telegram itself works normally
• approval prompts are delivered successfully
• inline buttons render successfully
• failure only happens after button press, in the callback handling path
• config is valid and uses SecretRef-backed token storage
• manual /approve ... remains a viable workaround

This suggests the Telegram callback/approval path is re-reading raw config and touching channels.telegram.botToken before it has been resolved from SecretRef to actual token.

Likely root cause / fix direction

A Telegram callback or approval handler path appears to load config from disk (or otherwise operate on unresolved config state) instead of using the already-resolved runtime snapshot/token.

Please ensure Telegram callback handling uses the resolved runtime bot token / account credentials instead of unresolved raw config values.

For example:

• resolve SecretRef-backed Telegram token before callback auth/approval handling, or
• use active runtime snapshot/credential state rather than fresh disk config in callback path