2026-05-14 · Risk note

OpenClaw’s latest trust-boundary reports are about tools, secrets, prompt leaks, and delivery jams

The most useful OpenClaw cluster after beta.6 is not a docs-only change; it is a set of trust-boundary reports that map directly to operator incidents. Issue #75124 says user-invocable `command-dispatch: tool` skill slash commands can create the raw OpenClaw tool set and apply only owner-only filtering, bypassing the normal effective policy pipeline for profiles, group/channel rules, sandbox state, and subagent depth. PR #75101 adds `tools.exec.denyPathPatterns` after a reported production incident where a sub-agent read `~/.openclaw/secrets/telegram-trader.env`, leaking two Telegram bot tokens into session JSONL and the next outbound LLM request. PR #75128 wraps BOOT.md in internal-runtime-context and strips it from message-tool arguments because fallback models could echo startup instructions to users. Issue #75131 shows Telegram delivery retries for overlong messages creating fresh queue UUIDs instead of idempotent retries, keeping permanent 400 errors alive and holding event-loop utilization at 0.996 until the stuck items were archived. Issue #75134 reports raw `[OpenClaw heartbeat poll]` prompts appearing in Telegram DMs, while nearby #75126 and #75133 tighten strict tool-mode diagnostics and bundle activation metadata.

Impact: Risk · Sources: 3 · Audience: operator · developer · team
Why it matters

These are the unglamorous controls that decide whether a personal agent can be trusted with real channels. Tool policy must apply uniformly, secrets need runtime enforcement rather than instructions, internal boot text must stay internal even during fallback, and delivery queues must fail permanently on permanent platform errors. If any one of those boundaries fails, the model’s intelligence is beside the point.
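The "apply uniformly" point in the first sentence is easiest to see as code. The block below is an added illustration, not OpenClaw code: it models a tool-policy pipeline in which owner-only filtering is only the first stage, and shows that a slash-command dispatcher must resolve its tool through the whole pipeline rather than through the owner filter alone (the gap issue #75124 describes). Every type, field name, and rule here is an assumption made for the example.

```typescript
// Added illustration, not OpenClaw code: one effective-policy pipeline that every
// tool-resolution path (including skill slash commands) goes through.
// All names, fields and rules below are assumptions for the example.

interface ToolSpec { name: string; ownerOnly?: boolean; needsHostFs?: boolean }

interface InvocationContext {
  isOwner: boolean;
  profileAllow: string[] | "*";      // per-profile allowlist ("*" = no restriction)
  channelDeny: string[];             // group/channel rules: tools hidden in this channel
  sandboxed: boolean;                // session runs in a sandbox
  subagentDepth: number;             // 0 = main agent, 1+ = nested sub-agents
  maxSubagentDepthForExec: number;   // deepest level still allowed to use exec
}

// Constructed raw tool set for the example.
const RAW_TOOLS: ToolSpec[] = [
  { name: "exec", needsHostFs: true },
  { name: "read", needsHostFs: true },
  { name: "message" },
  { name: "admin", ownerOnly: true },
];

// The partial filter described in issue #75124: owner-only gating and nothing else.
function ownerOnlyFilter(tools: ToolSpec[], ctx: InvocationContext): ToolSpec[] {
  return tools.filter((t) => !t.ownerOnly || ctx.isOwner);
}

// Effective policy: each stage can only narrow the set; no stage re-admits a tool.
function effectiveToolSet(tools: ToolSpec[], ctx: InvocationContext): ToolSpec[] {
  return ownerOnlyFilter(tools, ctx)
    .filter((t) => ctx.profileAllow === "*" || ctx.profileAllow.includes(t.name))
    .filter((t) => !ctx.channelDeny.includes(t.name))
    .filter((t) => !(ctx.sandboxed && t.needsHostFs))
    .filter((t) => !(t.name === "exec" && ctx.subagentDepth > ctx.maxSubagentDepthForExec));
}

interface DispatchResult { ok: boolean; tool?: string; reason?: string }

// Slash-command dispatch resolves its tool through the same pipeline instead of
// building the raw tool set and applying only ownerOnlyFilter.
function dispatchSlashCommand(command: string, tools: ToolSpec[], ctx: InvocationContext): DispatchResult {
  const tool = effectiveToolSet(tools, ctx).find((t) => t.name === command);
  if (!tool) return { ok: false, reason: `tool '${command}' is not permitted by the effective policy` };
  return { ok: true, tool: tool.name };
}

function toolNames(tools: ToolSpec[]): string[] {
  return tools.map((t) => t.name).sort();
}
```

The useful property is that the owner check is not special: a sandboxed sub-agent owned by the operator still loses `exec` and `read`, because later stages only remove tools and the dispatcher has no path that skips them.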

Evidence
  • Issue #75124 says `command-dispatch: tool` skill slash commands call `createOpenClawTools(...)` and only apply owner-only filtering instead of the normal policy pipeline
  • PR #75101 cites a production token leak caused by a sub-agent reading a Telegram trader env file, and adds a runtime-enforced `tools.exec.denyPathPatterns` gate before allowlist / approval / safeBins checks
  • PR #75128 wraps BOOT.md content in internal-runtime-context, strips such blocks from visible message-tool fields, and suppresses substantial boot-prompt echoes during fallback
  • Issue #75131 reports overlong Telegram messages creating multiple fresh queue UUIDs and permanent 400 errors being retried across restarts; archiving three stuck items reduced eventLoopUtilization from 0.996 to 0.264 in the incident
  • Issue #75134 reports raw heartbeat poll prompts becoming visible in Telegram DMs even though HEARTBEAT_OK acknowledgements are suppressed
  • Nearby PRs add strict tool-mode diagnostics/report contracts and preserve bundle activation metadata
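The second evidence item describes an ordering property: the deny-path gate runs before allowlist, approval and safeBins checks, so no later stage can re-admit a denied path. The block below is an added illustration of that ordering, not OpenClaw's implementation. Only the `tools.exec.denyPathPatterns` key comes from the page; the glob dialect, the other policy keys, the path normalisation and the sample incident path are assumptions made for the example.

```typescript
// Added illustration, not OpenClaw's implementation. It models the ordering PR
// #75101 describes: tools.exec.denyPathPatterns is evaluated before allowlist,
// approval and safeBins logic, so none of those later stages can re-admit a
// denied path. The glob dialect and every key other than denyPathPatterns are assumptions.

interface ExecPolicy {
  denyPathPatterns: string[];   // evaluated first; a match ends the decision
  allowlist: string[];          // binaries that run without approval (assumed key)
  safeBins: string[];           // read-only helpers that skip approval (assumed key)
  approvedPaths: string[];      // operator-approved absolute paths (assumed key)
}

type GateDecision =
  | { verdict: "deny"; matchedPattern: string; path: string }
  | { verdict: "allow"; via: "allowlist" | "safeBins" | "approval" }
  | { verdict: "needs-approval" };

// Minimal glob -> RegExp: "**" spans directories, "*" and "?" stay within one segment.
function globToRegExp(glob: string): RegExp {
  let re = "";
  for (let i = 0; i < glob.length; i++) {
    const c = glob.charAt(i);
    if (c === "*" && glob.charAt(i + 1) === "*") { re += ".*"; i++; }
    else if (c === "*") re += "[^/]*";
    else if (c === "?") re += "[^/]";
    else re += c.replace(/[.+^${}()|[\]\\]/g, "\\$&");
  }
  return new RegExp(`^${re}$`);
}

// Expand "~" and collapse "." / ".." so a pattern cannot be dodged by spelling.
function resolvePosix(token: string, cwd: string, home: string): string {
  const expanded = token === "~" || token.startsWith("~/") ? home + token.slice(1) : token;
  const joined = expanded.startsWith("/") ? expanded : `${cwd}/${expanded}`;
  const out: string[] = [];
  for (const seg of joined.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") out.pop();
    else out.push(seg);
  }
  return "/" + out.join("/");
}

// Patterns: "~" is expanded, absolute and "**"-prefixed patterns are kept,
// anything else is matched anywhere in the tree.
function patternToAbsolute(pattern: string, home: string): string {
  if (pattern.startsWith("~")) return home + pattern.slice(1);
  if (pattern.startsWith("/") || pattern.startsWith("**")) return pattern;
  return "**/" + pattern;
}

function looksLikePath(token: string): boolean {
  return token.startsWith("~") || token.includes("/");
}

function gateExec(argv: string[], cwd: string, home: string, policy: ExecPolicy): GateDecision {
  // Stage 0: deny patterns, checked over every path-like argument before anything else.
  const deny = policy.denyPathPatterns.map((p) => ({ raw: p, re: globToRegExp(patternToAbsolute(p, home)) }));
  const paths = argv.filter(looksLikePath).map((t) => resolvePosix(t, cwd, home));
  for (const p of paths) {
    for (const d of deny) {
      if (d.re.test(p)) return { verdict: "deny", matchedPattern: d.raw, path: p };
    }
  }
  // Later stages: each may allow, but none is consulted for a path denied above.
  const bin = argv[0]?.split("/").pop() ?? "";
  if (policy.allowlist.includes(bin)) return { verdict: "allow", via: "allowlist" };
  if (policy.safeBins.includes(bin)) return { verdict: "allow", via: "safeBins" };
  if (paths.length > 0 && paths.every((p) => policy.approvedPaths.includes(p))) return { verdict: "allow", via: "approval" };
  return { verdict: "needs-approval" };
}
```

Note the normalisation step: a relative `../` spelling of a denied file resolves to the same absolute path and is caught by the same pattern, and an entry in `approvedPaths` makes no difference once stage 0 has matched.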
Risk notes
  • Several items are still open issues or PRs; check your installed OpenClaw build before assuming the protections exist
  • Path-deny patterns must be maintained as secret locations change, and overly broad patterns can block legitimate operations
  • Delivery-queue cleanup can lose pending outbound messages if done without inspecting payloads and platform error classes