OpenClaw skills.status could leak secrets to operator.read clients

@@ -8,7 +8,6 @@ import {
   isConfigPathTruthy,
   loadWorkspaceSkillEntries,
   resolveBundledAllowlist,
-  resolveConfigPath,
   resolveSkillConfig,
   resolveSkillsInstallPreferences,
   type SkillEntry,

@@ -3,7 +3,7 @@ import type { OpenClawConfig } from "../config/config.js";
 import type { HookEligibilityContext, HookEntry, HookInstallSpec } from "./types.js";
 import { evaluateRequirementsFromMetadata } from "../shared/requirements.js";
 import { CONFIG_DIR } from "../utils.js";
-import { hasBinary, isConfigPathTruthy, resolveConfigPath, resolveHookConfig } from "./config.js";
+import { hasBinary, isConfigPathTruthy, resolveHookConfig } from "./config.js";
 import { loadWorkspaceHookEntries } from "./workspace.js";
 
 export type HookStatusConfigCheck = {

@@ -1,578 +1,160 @@
 ---
 name: discord
-description: Use when you need to control Discord from OpenClaw via the discord tool: send messages, react, post or upload stickers, upload emojis, run polls, manage threads/pins/search, create/edit/delete channels and categories, fetch permissions or member/role/channel info, set bot presence/activity, or handle moderation actions in Discord DMs or channels.
-metadata: {"openclaw":{"emoji":"🎮","requires":{"config":["channels.discord"]}}}
+description: "Discord ops via the message tool (channel=discord)."
+metadata: { "openclaw": { "emoji": "🎮", "requires": { "config": ["channels.discord.token"] } } }
+allowed-tools: ["message"]
 ---
 
-# Discord Actions
+# Discord (Via `message`)
 
-## Overview
+Use the `message` tool. No provider-specific `discord` tool exposed to the agent.
 
-Use `discord` to manage messages, reactions, threads, polls, and moderation. You can disable groups via `discord.actions.*` (defaults to enabled, except roles/moderation). The tool uses the bot token configured for OpenClaw.
+## Musts
 
-## Inputs to collect
+- Always: `channel: "discord"`.
+- Respect gating: `channels.discord.actions.*` (some default off: `roles`, `moderation`, `presence`, `channels`).
+- Prefer explicit ids: `guildId`, `channelId`, `messageId`, `userId`.
+- Multi-account: optional `accountId`.
 
-- For reactions: `channelId`, `messageId`, and an `emoji`.
-- For fetchMessage: `guildId`, `channelId`, `messageId`, or a `messageLink` like `https://discord.com/channels/<guildId>/<channelId>/<messageId>`.
-- For stickers/polls/sendMessage: a `to` target (`channel:<id>` or `user:<id>`). Optional `content` text.
-- Polls also need a `question` plus 2–10 `answers`.
-- For media: `mediaUrl` with `file:///path` for local files or `https://...` for remote.
-- For emoji uploads: `guildId`, `name`, `mediaUrl`, optional `roleIds` (limit 256KB, PNG/JPG/GIF).
-- For sticker uploads: `guildId`, `name`, `description`, `tags`, `mediaUrl` (limit 512KB, PNG/APNG/Lottie JSON).
+## Targets
 
-Message context lines include `discord message id` and `channel` fields you can reuse directly.
+- Send-like actions: `to: "channel:<id>"` or `to: "user:<id>"`.
+- Message-specific actions: `channelId: "<id>"` (or `to`) + `messageId: "<id>"`.
 
-**Note:** `sendMessage` uses `to: "channel:<id>"` format, not `channelId`. Other actions like `react`, `readMessages`, `editMessage` use `channelId` directly.
-**Note:** `fetchMessage` accepts message IDs or full links like `https://discord.com/channels/<guildId>/<channelId>/<messageId>`.
+## Common Actions (Examples)
 
-## Actions
-
-### React to a message
+Send message:
 
 ```json
 {
-  "action": "react",
-  "channelId": "123",
-  "messageId": "456",
-  "emoji": "✅"
-}
-```
-
-### List reactions + users
-
-```json
-{
-  "action": "reactions",
-  "channelId": "123",
-  "messageId": "456",
-  "limit": 100
-}
-```
-
-### Send a sticker
-
-```json
-{
-  "action": "sticker",
+  "action": "send",
+  "channel": "discord",
   "to": "channel:123",
-  "stickerIds": ["9876543210"],
-  "content": "Nice work!"
-}
-```
-
-- Up to 3 sticker IDs per message.
-- `to` can be `user:<id>` for DMs.
-
-### Upload a custom emoji
-
-```json
-{
-  "action": "emojiUpload",
-  "guildId": "999",
-  "name": "party_blob",
-  "mediaUrl": "file:///tmp/party.png",
-  "roleIds": ["222"]
-}
-```
-
-- Emoji images must be PNG/JPG/GIF and <= 256KB.
-- `roleIds` is optional; omit to make the emoji available to everyone.
-
-### Upload a sticker
-
-```json
-{
-  "action": "stickerUpload",
-  "guildId": "999",
-  "name": "openclaw_wave",
-  "description": "OpenClaw waving hello",
-  "tags": "👋",
-  "mediaUrl": "file:///tmp/wave.png"
+  "message": "hello",
+  "silent": true
 }
 ```
 
-- Stickers require `name`, `description`, and `tags`.
-- Uploads must be PNG/APNG/Lottie JSON and <= 512KB.
-
-### Create a poll
+Send with media:
 
 ```json
 {
-  "action": "poll",
+  "action": "send",
+  "channel": "discord",
   "to": "channel:123",
-  "question": "Lunch?",
-  "answers": ["Pizza", "Sushi", "Salad"],
-  "allowMultiselect": false,
-  "durationHours": 24,
-  "content": "Vote now"
+  "message": "see attachment",
+  "media": "file:///tmp/example.png"
 }
 ```
 
-- `durationHours` defaults to 24; max 32 days (768 hours).
-
-### Check bot permissions for a channel
+React:
 
 ```json
 {
-  "action": "permissions",
-  "channelId": "123"
-}
-```
-
-## Ideas to try
-
-- React with ✅/⚠️ to mark status updates.
-- Post a quick poll for release decisions or meeting times.
-- Send celebratory stickers after successful deploys.
-- Upload new emojis/stickers for release moments.
-- Run weekly “priority check” polls in team channels.
-- DM stickers as acknowledgements when a user’s request is completed.
-
-## Action gating
-
-Use `discord.actions.*` to disable action groups:
-
-- `reactions` (react + reactions list + emojiList)
-- `stickers`, `polls`, `permissions`, `messages`, `threads`, `pins`, `search`
-- `emojiUploads`, `stickerUploads`
-- `memberInfo`, `roleInfo`, `channelInfo`, `voiceStatus`, `events`
-- `roles` (role add/remove, default `false`)
-- `channels` (channel/category create/edit/delete/move, default `false`)
-- `moderation` (timeout/kick/ban, default `false`)
-- `presence` (bot status/activity, default `false`)
-
-### Read recent messages
-
-```json
-{
-  "action": "readMessages",
-  "channelId": "123",
-  "limit": 20
-}
-```
-
-### Fetch a single message
-
-```json
-{
-  "action": "fetchMessage",
-  "guildId": "999",
+  "action": "react",
+  "channel": "discord",
   "channelId": "123",
-  "messageId": "456"
-}
-```
-
-```json
-{
-  "action": "fetchMessage",
-  "messageLink": "https://discord.com/channels/999/123/456"
-}
-```
-
-### Send/edit/delete a message
-
-```json
-{
-  "action": "sendMessage",
-  "to": "channel:123",
-  "content": "Hello from OpenClaw"
+  "messageId": "456",
+  "emoji": "✅"
 }
 ```
 
-**With media attachment:**
+Read:
 
 ```json
 {
-  "action": "sendMessage",
+  "action": "read",
+  "channel": "discord",
   "to": "channel:123",
-  "content": "Check out this audio!",
-  "mediaUrl": "file:///tmp/audio.mp3"
+  "limit": 20
 }
 ```
 
-- `to` uses format `channel:<id>` or `user:<id>` for DMs (not `channelId`!)
-- `mediaUrl` supports local files (`file:///path/to/file`) and remote URLs (`https://...`)
-- Optional `replyTo` with a message ID to reply to a specific message
+Edit / delete:
 
 ```json
 {
-  "action": "editMessage",
+  "action": "edit",
+  "channel": "discord",
   "channelId": "123",
   "messageId": "456",
-  "content": "Fixed typo"
+  "message": "fixed typo"
 }
 ```
 
 ```json
 {
-  "action": "deleteMessage",
+  "action": "delete",
+  "channel": "discord",
   "channelId": "123",
   "messageId": "456"
 }
 ```
 
-### Threads
+Poll:
 
 ```json
 {
-  "action": "threadCreate",
-  "channelId": "123",
-  "name": "Bug triage",
-  "messageId": "456"
-}
-```
-
-```json
-{
-  "action": "threadList",
-  "guildId": "999"
-}
-```
-
-```json
-{
-  "action": "threadReply",
-  "channelId": "777",
-  "content": "Replying in thread"
+  "action": "poll",
+  "channel": "discord",
+  "to": "channel:123",
+  "pollQuestion": "Lunch?",
+  "pollOption": ["Pizza", "Sushi", "Salad"],
+  "pollMulti": false,
+  "pollDurationHours": 24
 }
 ```
 
-### Pins
+Pins:
 
 ```json
 {
-  "action": "pinMessage",
+  "action": "pin",
+  "channel": "discord",
   "channelId": "123",
   "messageId": "456"
 }
 ```
 
-```json
-{
-  "action": "listPins",
-  "channelId": "123"
-}
-```
-
-### Search messages
-
-```json
-{
-  "action": "searchMessages",
-  "guildId": "999",
-  "content": "release notes",
-  "channelIds": ["123", "456"],
-  "limit": 10
-}
-```
-
-### Member + role info
-
-```json
-{
-  "action": "memberInfo",
-  "guildId": "999",
-  "userId": "111"
-}
-```
-
-```json
-{
-  "action": "roleInfo",
-  "guildId": "999"
-}
-```
-
-### List available custom emojis
-
-```json
-{
-  "action": "emojiList",
-  "guildId": "999"
-}
-```
-
-### Role changes (disabled by default)
-
-```json
-{
-  "action": "roleAdd",
-  "guildId": "999",
-  "userId": "111",
-  "roleId": "222"
-}
-```
-
-### Channel info
-
-```json
-{
-  "action": "channelInfo",
-  "channelId": "123"
-}
-```
-
-```json
-{
-  "action": "channelList",
-  "guildId": "999"
-}
-```
-
-### Channel management (disabled by default)
-
-Create, edit, delete, and move channels and categories. Enable via `discord.actions.channels: true`.
-
-**Create a text channel:**
-
-```json
-{
-  "action": "channelCreate",
-  "guildId": "999",
-  "name": "general-chat",
-  "type": 0,
-  "parentId": "888",
-  "topic": "General discussion"
-}
-```
-
-- `type`: Discord channel type integer (0 = text, 2 = voice, 4 = category; other values supported)
-- `parentId`: category ID to nest under (optional)
-- `topic`, `position`, `nsfw`: optional
-
-**Create a category:**
-
-```json
-{
-  "action": "categoryCreate",
-  "guildId": "999",
-  "name": "Projects"
-}
-```
-
-**Edit a channel:**
-
-```json
-{
-  "action": "channelEdit",
-  "channelId": "123",
-  "name": "new-name",
-  "topic": "Updated topic"
-}
-```
-
-- Supports `name`, `topic`, `position`, `parentId` (null to remove from category), `nsfw`, `rateLimitPerUser`
-
-**Move a channel:**
+Threads:
 
 ```json
 {
-  "action": "channelMove",
-  "guildId": "999",
+  "action": "thread-create",
+  "channel": "discord",
   "channelId": "123",
-  "parentId": "888",
-  "position": 2
-}
-```
-
-- `parentId`: target category (null to move to top level)
-
-**Delete a channel:**
-
-```json
-{
-  "action": "channelDelete",
-  "channelId": "123"
-}
-```
-
-**Edit/delete a category:**
-
-```json
-{
-  "action": "categoryEdit",
-  "categoryId": "888",
-  "name": "Renamed Category"
-}
-```
-
-```json
-{
-  "action": "categoryDelete",
-  "categoryId": "888"
-}
-```
-
-### Voice status
-
-```json
-{
-  "action": "voiceStatus",
-  "guildId": "999",
-  "userId": "111"
-}
-```
-
-### Scheduled events
-
-```json
-{
-  "action": "eventList",
-  "guildId": "999"
+  "messageId": "456",
+  "threadName": "bug triage"
 }
 ```
 
-### Moderation (disabled by default)
+Search:
 
 ```json
 {
-  "action": "timeout",
+  "action": "search",
+  "channel": "discord",
   "guildId": "999",
-  "userId": "111",
-  "durationMinutes": 10
-}
-```
-
-### Bot presence/activity (disabled by default)
-
-Set the bot's online status and activity. Enable via `discord.actions.presence: true`.
-
-Discord bots can only set `name`, `state`, `type`, and `url` on an activity. Other Activity fields (details, emoji, assets) are accepted by the gateway but silently ignored by Discord for bots.
-
-**How fields render by activity type:**
-
-- **playing, streaming, listening, watching, competing**: `activityName` is shown in the sidebar under the bot's name (e.g. "**with fire**" for type "playing" and name "with fire"). `activityState` is shown in the profile flyout.
-- **custom**: `activityName` is ignored. Only `activityState` is displayed as the status text in the sidebar.
-- **streaming**: `activityUrl` may be displayed or embedded by the client.
-
-**Set playing status:**
-
-```json
-{
-  "action": "setPresence",
-  "activityType": "playing",
-  "activityName": "with fire"
+  "query": "release notes",
+  "channelIds": ["123", "456"],
+  "limit": 10
 }
 ```
 
-Result in sidebar: "**with fire**". Flyout shows: "Playing: with fire"
-
-**With state (shown in flyout):**
+Presence (often gated):
 
 ```json
 {
-  "action": "setPresence",
+  "action": "set-presence",
+  "channel": "discord",
   "activityType": "playing",
-  "activityName": "My Game",
-  "activityState": "In the lobby"
-}
-```
-
-Result in sidebar: "**My Game**". Flyout shows: "Playing: My Game (newline) In the lobby".
-
-**Set streaming (optional URL, may not render for bots):**
-
-```json
-{
-  "action": "setPresence",
-  "activityType": "streaming",
-  "activityName": "Live coding",
-  "activityUrl": "https://twitch.tv/example"
-}
-```
-
-**Set listening/watching:**
-
-```json
-{
-  "action": "setPresence",
-  "activityType": "listening",
-  "activityName": "Spotify"
-}
-```
-
-```json
-{
-  "action": "setPresence",
-  "activityType": "watching",
-  "activityName": "the logs"
+  "activityName": "with fire",
+  "status": "online"
 }
 ```
 
-**Set a custom status (text in sidebar):**
+## Writing Style (Discord)
 
-```json
-{
-  "action": "setPresence",
-  "activityType": "custom",
-  "activityState": "Vibing"
-}
-```
-
-Result in sidebar: "Vibing". Note: `activityName` is ignored for custom type.
-
-**Set bot status only (no activity/clear status):**
-
-```json
-{
-  "action": "setPresence",
-  "status": "dnd"
-}
-```
-
-**Parameters:**
-
-- `activityType`: `playing`, `streaming`, `listening`, `watching`, `competing`, `custom`
-- `activityName`: text shown in the sidebar for non-custom types (ignored for `custom`)
-- `activityUrl`: Twitch or YouTube URL for streaming type (optional; may not render for bots)
-- `activityState`: for `custom` this is the status text; for other types it shows in the profile flyout
-- `status`: `online` (default), `dnd`, `idle`, `invisible`
-
-## Discord Writing Style Guide
-
-**Keep it conversational!** Discord is a chat platform, not documentation.
-
-### Do
-
-- Short, punchy messages (1-3 sentences ideal)
-- Multiple quick replies > one wall of text
-- Use emoji for tone/emphasis 🦞
-- Lowercase casual style is fine
-- Break up info into digestible chunks
-- Match the energy of the conversation
-
-### Don't
-
-- No markdown tables (Discord renders them as ugly raw `| text |`)
-- No `## Headers` for casual chat (use **bold** or CAPS for emphasis)
-- Avoid multi-paragraph essays
-- Don't over-explain simple things
-- Skip the "I'd be happy to help!" fluff
-
-### Formatting that works
-
-- **bold** for emphasis
-- `code` for technical terms
-- Lists for multiple items
-- > quotes for referencing
-- Wrap multiple links in `<>` to suppress embeds
-
-### Example transformations
-
-❌ Bad:
-
-```
-I'd be happy to help with that! Here's a comprehensive overview of the versioning strategies available:
-
-## Semantic Versioning
-Semver uses MAJOR.MINOR.PATCH format where...
-
-## Calendar Versioning
-CalVer uses date-based versions like...
-```
-
-✅ Good:
-
-```
-versioning options: semver (1.2.3), calver (2026.01.04), or yolo (`latest` forever). what fits your release cadence?
-```
+- Short, conversational, low ceremony.
+- No markdown tables.
+- Prefer multiple small replies over one wall of text.

@@ -20,7 +20,6 @@ import { resolveBundledSkillsContext } from "./skills/bundled-context.js";
 
 export type SkillStatusConfigCheck = {
   path: string;
-  value: unknown;
   satisfied: boolean;
 };
 
@@ -216,7 +215,6 @@ function buildSkillStatus(
         skillConfig?.env?.[envName] ||
         (skillConfig?.apiKey && entry.metadata?.primaryEnv === envName),
       ),
-    resolveConfigValue: (pathStr) => resolveConfigPath(config, pathStr),
     isConfigSatisfied: (pathStr) => isConfigPathTruthy(config, pathStr),
   });
   const eligible = !disabled && !blockedByAllowlist && requirementsSatisfied;

@@ -0,0 +1,72 @@
+import path from "node:path";
+import { describe, expect, it } from "vitest";
+import {
+  connectOk,
+  installGatewayTestHooks,
+  rpcReq,
+  startServerWithClient,
+} from "./test-helpers.js";
+
+installGatewayTestHooks({ scope: "suite" });
+
+async function withServer<T>(
+  run: (ws: Awaited<ReturnType<typeof startServerWithClient>>["ws"]) => Promise<T>,
+) {
+  const { server, ws, prevToken } = await startServerWithClient("secret");
+  try {
+    return await run(ws);
+  } finally {
+    ws.close();
+    await server.close();
+    if (prevToken === undefined) {
+      delete process.env.OPENCLAW_GATEWAY_TOKEN;
+    } else {
+      process.env.OPENCLAW_GATEWAY_TOKEN = prevToken;
+    }
+  }
+}
+
+describe("gateway skills.status", () => {
+  it("does not expose raw config values to operator.read clients", async () => {
+    const prevBundledSkillsDir = process.env.OPENCLAW_BUNDLED_SKILLS_DIR;
+    process.env.OPENCLAW_BUNDLED_SKILLS_DIR = path.join(process.cwd(), "skills");
+    const secret = "discord-token-secret-abc";
+    const { writeConfigFile } = await import("../config/config.js");
+    await writeConfigFile({
+      session: { mainKey: "main-test" },
+      channels: {
+        discord: {
+          token: secret,
+        },
+      },
+    });
+
+    try {
+      await withServer(async (ws) => {
+        await connectOk(ws, { token: "secret", scopes: ["operator.read"] });
+        const res = await rpcReq<{
+          skills?: Array<{
+            name?: string;
+            configChecks?: Array<{ path?: string; satisfied?: boolean } & Record<string, unknown>>;
+          }>;
+        }>(ws, "skills.status", {});
+
+        expect(res.ok).toBe(true);
+        expect(JSON.stringify(res.payload)).not.toContain(secret);
+
+        const discord = res.payload?.skills?.find((s) => s.name === "discord");
+        expect(discord).toBeTruthy();
+        const check = discord?.configChecks?.find((c) => c.path === "channels.discord.token");
+        expect(check).toBeTruthy();
+        expect(check?.satisfied).toBe(true);
+        expect(check && "value" in check).toBe(false);
+      });
+    } finally {
+      if (prevBundledSkillsDir === undefined) {
+        delete process.env.OPENCLAW_BUNDLED_SKILLS_DIR;
+      } else {
+        process.env.OPENCLAW_BUNDLED_SKILLS_DIR = prevBundledSkillsDir;
+      }
+    }
+  });
+});

@@ -8,7 +8,6 @@ import { loadWorkspaceHookEntries } from "./workspace.js";
 
 export type HookStatusConfigCheck = {
   path: string;
-  value: unknown;
   satisfied: boolean;
 };
 
@@ -124,7 +123,6 @@ function buildHookStatus(
     localPlatform: process.platform,
     remotePlatforms: eligibility?.remote?.platforms,
     isEnvSatisfied: (envName) => Boolean(process.env[envName] || hookConfig?.env?.[envName]),
-    resolveConfigValue: (pathStr) => resolveConfigPath(config, pathStr),
     isConfigSatisfied: (pathStr) => isConfigPathTruthy(config, pathStr),
   });
 

@@ -52,14 +52,13 @@ describe("requirements helpers", () => {
     ).toEqual(["A"]);
   });
 
-  it("buildConfigChecks includes value+status", () => {
+  it("buildConfigChecks includes status", () => {
     expect(
       buildConfigChecks({
         required: ["a.b"],
-        resolveValue: (p) => (p === "a.b" ? 1 : null),
         isSatisfied: (p) => p === "a.b",
       }),
-    ).toEqual([{ path: "a.b", value: 1, satisfied: true }]);
+    ).toEqual([{ path: "a.b", satisfied: true }]);
   });
 
   it("evaluateRequirementsFromMetadata derives required+missing", () => {
@@ -72,7 +71,6 @@ describe("requirements helpers", () => {
       hasLocalBin: (bin) => bin === "a",
       localPlatform: "linux",
       isEnvSatisfied: (name) => name === "E",
-      resolveConfigValue: () => "x",
       isConfigSatisfied: () => false,
     });
 

@@ -8,7 +8,6 @@ export type Requirements = {
 
 export type RequirementConfigCheck = {
   path: string;
-  value: unknown;
   satisfied: boolean;
 };
 
@@ -84,13 +83,11 @@ export function resolveMissingEnv(params: {
 
 export function buildConfigChecks(params: {
   required: string[];
-  resolveValue: (pathStr: string) => unknown;
   isSatisfied: (pathStr: string) => boolean;
 }): RequirementConfigCheck[] {
   return params.required.map((pathStr) => {
-    const value = params.resolveValue(pathStr);
     const satisfied = params.isSatisfied(pathStr);
-    return { path: pathStr, value, satisfied };
+    return { path: pathStr, satisfied };
   });
 }
 
@@ -103,7 +100,6 @@ export function evaluateRequirements(params: {
   localPlatform: string;
   remotePlatforms?: string[];
   isEnvSatisfied: (envName: string) => boolean;
-  resolveConfigValue: (pathStr: string) => unknown;
   isConfigSatisfied: (pathStr: string) => boolean;
 }): { missing: Requirements; eligible: boolean; configChecks: RequirementConfigCheck[] } {
   const missingBins = resolveMissingBins({
@@ -127,7 +123,6 @@ export function evaluateRequirements(params: {
   });
   const configChecks = buildConfigChecks({
     required: params.required.config,
-    resolveValue: params.resolveConfigValue,
     isSatisfied: params.isConfigSatisfied,
   });
   const missingConfig = configChecks.filter((check) => !check.satisfied).map((check) => check.path);
@@ -162,7 +157,6 @@ export function evaluateRequirementsFromMetadata(params: {
   localPlatform: string;
   remotePlatforms?: string[];
   isEnvSatisfied: (envName: string) => boolean;
-  resolveConfigValue: (pathStr: string) => unknown;
   isConfigSatisfied: (pathStr: string) => boolean;
 }): {
   required: Requirements;
@@ -187,7 +181,6 @@ export function evaluateRequirementsFromMetadata(params: {
     localPlatform: params.localPlatform,
     remotePlatforms: params.remotePlatforms,
     isEnvSatisfied: params.isEnvSatisfied,
-    resolveConfigValue: params.resolveConfigValue,
     isConfigSatisfied: params.isConfigSatisfied,
   });
   return { required, ...result };

@@ -710,7 +710,6 @@ export type CronRunLogEntry = {
 
 export type SkillsStatusConfigCheck = {
   path: string;
-  value: unknown;
   satisfied: boolean;
 };