diff --git a/apps/macos/Sources/OpenClawProtocol/GatewayModels.swift b/apps/macos/Sources/OpenClawProtocol/GatewayModels.swift
index 009266b2ecc..ab1d0bb6cea 100644
--- a/apps/macos/Sources/OpenClawProtocol/GatewayModels.swift
+++ b/apps/macos/Sources/OpenClawProtocol/GatewayModels.swift
@@ -594,7 +594,6 @@ public struct AgentParams: Codable, Sendable {
 public let timeout: Int?
 public let besteffortdeliver: Bool?
 public let lane: String?
- public let cleanupbundlemcponrunend: Bool?
 public let extrasystemprompt: String?
 public let bootstrapcontextmode: AnyCodable?
 public let bootstrapcontextrunkind: AnyCodable?
@@ -626,7 +625,6 @@ public struct AgentParams: Codable, Sendable {
 timeout: Int?,
 besteffortdeliver: Bool?,
 lane: String?,
- cleanupbundlemcponrunend: Bool?,
 extrasystemprompt: String?,
 bootstrapcontextmode: AnyCodable?,
 bootstrapcontextrunkind: AnyCodable?,
@@ -657,7 +655,6 @@ public struct AgentParams: Codable, Sendable {
 self.timeout = timeout
 self.besteffortdeliver = besteffortdeliver
 self.lane = lane
- self.cleanupbundlemcponrunend = cleanupbundlemcponrunend
 self.extrasystemprompt = extrasystemprompt
 self.bootstrapcontextmode = bootstrapcontextmode
 self.bootstrapcontextrunkind = bootstrapcontextrunkind
@@ -690,7 +687,6 @@ public struct AgentParams: Codable, Sendable {
 case timeout
 case besteffortdeliver = "bestEffortDeliver"
 case lane
- case cleanupbundlemcponrunend = "cleanupBundleMcpOnRunEnd"
 case extrasystemprompt = "extraSystemPrompt"
 case bootstrapcontextmode = "bootstrapContextMode"
 case bootstrapcontextrunkind = "bootstrapContextRunKind"
diff --git a/apps/shared/OpenClawKit/Sources/OpenClawProtocol/GatewayModels.swift b/apps/shared/OpenClawKit/Sources/OpenClawProtocol/GatewayModels.swift
index 009266b2ecc..ab1d0bb6cea 100644
--- a/apps/shared/OpenClawKit/Sources/OpenClawProtocol/GatewayModels.swift
+++ b/apps/shared/OpenClawKit/Sources/OpenClawProtocol/GatewayModels.swift
@@ -594,7 +594,6 @@ public struct AgentParams: Codable, Sendable {
 public let timeout: Int?
 public let besteffortdeliver: Bool?
 public let lane: String?
- public let cleanupbundlemcponrunend: Bool?
 public let extrasystemprompt: String?
 public let bootstrapcontextmode: AnyCodable?
 public let bootstrapcontextrunkind: AnyCodable?
@@ -626,7 +625,6 @@ public struct AgentParams: Codable, Sendable {
 timeout: Int?,
 besteffortdeliver: Bool?,
 lane: String?,
- cleanupbundlemcponrunend: Bool?,
 extrasystemprompt: String?,
 bootstrapcontextmode: AnyCodable?,
 bootstrapcontextrunkind: AnyCodable?,
@@ -657,7 +655,6 @@ public struct AgentParams: Codable, Sendable {
 self.timeout = timeout
 self.besteffortdeliver = besteffortdeliver
 self.lane = lane
- self.cleanupbundlemcponrunend = cleanupbundlemcponrunend
 self.extrasystemprompt = extrasystemprompt
 self.bootstrapcontextmode = bootstrapcontextmode
 self.bootstrapcontextrunkind = bootstrapcontextrunkind
@@ -690,7 +687,6 @@ public struct AgentParams: Codable, Sendable {
 case timeout
 case besteffortdeliver = "bestEffortDeliver"
 case lane
- case cleanupbundlemcponrunend = "cleanupBundleMcpOnRunEnd"
 case extrasystemprompt = "extraSystemPrompt"
 case bootstrapcontextmode = "bootstrapContextMode"
 case bootstrapcontextrunkind = "bootstrapContextRunKind"
diff --git a/src/gateway/protocol/schema/agent.ts b/src/gateway/protocol/schema/agent.ts
index 6c70b7a87c2..d4277becfd1 100644
--- a/src/gateway/protocol/schema/agent.ts
+++ b/src/gateway/protocol/schema/agent.ts
@@ -152,7 +152,6 @@ export const AgentParamsSchema = Type.Object(
 timeout: Type.Optional(Type.Integer({ minimum: 0 })),
 bestEffortDeliver: Type.Optional(Type.Boolean()),
 lane: Type.Optional(Type.String()),
- cleanupBundleMcpOnRunEnd: Type.Optional(Type.Boolean()),
 extraSystemPrompt: Type.Optional(Type.String()),
 bootstrapContextMode: Type.Optional(
 Type.Union([Type.Literal("full"), Type.Literal("lightweight")]),
diff --git a/src/security/skill-scanner.test.ts b/src/security/skill-scanner.test.ts index 524f6783fb2..b960e8997e4 100644 --- a/src/security/skill-scanner.test.ts +++ b/src/security/skill-scanner.test.ts @@ -241,32 +241,6 @@ const options: ExecOptions = { timeout: 5000 }; expect(findings.some((f) => f.ruleId === "dangerous-exec")).toBe(false); }); - it("does not flag the qa-matrix argv-only self-reexec as shell command execution", () => { - const source = ` -import { spawn } from "node:child_process"; -const child = spawn(process.execPath, [distEntryPath, ...params.args], { - stdio: ["pipe", "pipe", "pipe"], -}); -`; - const findings = scanSource( - source, - path.resolve( - process.cwd(), - "extensions/qa-matrix/src/runners/contract/scenario-runtime-cli.ts", - ), - ); - expect(findings.some((f) => f.ruleId === "dangerous-exec")).toBe(false); - }); - - it("still flags plugin self-reexec as shell command execution", () => { - const source = ` -import { spawn } from "node:child_process"; -const child = spawn(process.execPath, userControlledArgs, { shell: true }); -`; - const findings = scanSource(source, "plugin.ts"); - expect(findings.some((f) => f.ruleId === "dangerous-exec")).toBe(true); - }); - it("returns empty array for clean plugin code", () => { const source = ` export function greet(name: string): string { diff --git a/src/security/skill-scanner.ts b/src/security/skill-scanner.ts index ccb95a1bfa9..2e2ffd14d2b 100644 --- a/src/security/skill-scanner.ts +++ b/src/security/skill-scanner.ts 
@@ -216,28 +216,6 @@ function truncateEvidence(evidence: string, maxLen = 120): string { return `${evidence.slice(0, maxLen)}…`; } -function isAllowedNodeSelfReexec(filePath: string, line: string): boolean { - if ( - path.resolve(filePath) !== - path.resolve( - process.cwd(), - "extensions", - "qa-matrix", - "src", - "runners", - "contract", - "scenario-runtime-cli.ts", - ) - ) { - return false; - } - // Spawning the current Node executable with an argv array is not shell - // execution. Keep direct shell/process launches blocked below. - return /\bspawn\s*\(\s*process\.execPath\s*,\s*\[\s*distEntryPath\s*,\s*\.{3}params\.args\s*\]/.test( - line, - ); -} - export function scanSource(source: string, filePath: string): SkillScanFinding[] { const findings: SkillScanFinding[] = []; const lines = source.split("\n"); @@ -260,9 +238,6 @@ export function scanSource(source: string, filePath: string): SkillScanFinding[] if (!match) { continue; } - if (rule.ruleId === "dangerous-exec" && isAllowedNodeSelfReexec(filePath, line)) { - continue; - } // Special handling for suspicious-network: check port if (rule.ruleId === "suspicious-network") {