fix(media): align outbound sends with fs read capability

2026-05-04 06:30:23 +00:00 · 2026-04-01 00:07:38 +09:00
parent 56b5ba0dcb
commit 3bb02d3338
51 changed files with 375 additions and 25 deletions
--- a/docs/start/openclaw.md
+++ b/docs/start/openclaw.md
@@ -192,10 +192,13 @@ MEDIA:https://example.com/screenshot.png

 OpenClaw extracts these and sends them as media alongside the text.

-For local paths, the default allowlist is intentionally narrow: the OpenClaw temp
-root, the media cache, agent workspace paths, and sandbox-generated files. If you
-need broader local-file attachment roots, configure an explicit channel/plugin
-allowlist instead of relying on arbitrary host paths.
+Local-path behavior follows the same file-read trust model as the agent:
+
+- If `tools.fs.workspaceOnly` is `true`, outbound `MEDIA:` local paths stay restricted to the OpenClaw temp root, the media cache, agent workspace paths, and sandbox-generated files.
+- If `tools.fs.workspaceOnly` is `false`, outbound `MEDIA:` can use host-local files the agent is already allowed to read.
+- Host-local sends still only allow media and safe document types (images, audio, video, PDF, and Office documents). Plain text and secret-like files are not treated as sendable media.
+
+That means generated images/files outside the workspace can now send when your fs policy already allows those reads, without reopening arbitrary host-text attachment exfiltration.

 ## Operations checklist