docs: clarify host-local text media boundary · openclaw/openclaw@9f7eaf0
2026-06-01
·
via Recent Commits to openclaw:main
| Original file line number | Diff line number | Diff line change |
|---|
@@ -1775,7 +1775,7 @@ lives on the [Models FAQ](/help/faq-models).
|
1775 | 1775 | - The target channel supports outbound media and isn't blocked by allowlists. |
1776 | 1776 | - The file is within the provider's size limits (images are resized to max 2048px). |
1777 | 1777 | - `tools.fs.workspaceOnly=true` keeps local-path sends limited to workspace, temp/media-store, and sandbox-validated files. |
1778 | | -- `tools.fs.workspaceOnly=false` lets structured local media sends use host-local files the agent can already read, but only for media plus safe document types (images, audio, video, PDF, Office docs, and validated text documents such as TXT, JSON, YAML, and YML). Secret-like files are still blocked. |
| 1778 | +- `tools.fs.workspaceOnly=false` lets structured local media sends use host-local files the agent can already read, but only for media plus safe document types (images, audio, video, PDF, Office docs, and validated text documents such as TXT, JSON, YAML, and YML). This is not a secret scanner: an agent-readable `secret.txt` or `config.json` can be attached when the extension and content validation match. Keep sensitive files outside agent-readable paths, or keep `tools.fs.workspaceOnly=true` for stricter local-path sends. |
1779 | 1779 | |
1780 | 1780 | See [Images](/nodes/images). |
1781 | 1781 | |
|
| Original file line number | Diff line number | Diff line change |
|---|
@@ -212,9 +212,9 @@ Local-path behavior follows the same file-read trust model as the agent:
|
212 | 212 | - If `tools.fs.workspaceOnly` is `true`, outbound local media paths stay restricted to the OpenClaw temp root, the media cache, agent workspace paths, and sandbox-generated files. |
213 | 213 | - If `tools.fs.workspaceOnly` is `false`, outbound local media can use host-local files the agent is already allowed to read. |
214 | 214 | - Local paths can be absolute, workspace-relative, or home-relative with `~/`. |
215 | | -- Host-local sends still only allow media and safe document types (images, audio, video, PDF, Office documents, and validated text documents such as TXT, JSON, YAML, and YML). Secret-like files are not treated as sendable media. |
| 215 | +- Host-local sends still only allow media and safe document types (images, audio, video, PDF, Office documents, and validated text documents such as TXT, JSON, YAML, and YML). This is an extension of the existing host-read trust boundary, not a secret scanner: if the agent can read a host-local `secret.txt` or `config.json`, it can attach that file when the extension and content validation match. |
216 | 216 | |
217 | | -That means generated images/files outside the workspace can now send when your fs policy already allows those reads, without reopening arbitrary host-text attachment exfiltration. |
| 217 | +That means generated images/files outside the workspace can now send when your fs policy already allows those reads, while arbitrary host-local text extensions remain blocked. Keep sensitive files outside the agent-readable filesystem, or keep `tools.fs.workspaceOnly=true` for stricter local-path sends. |
218 | 218 | |
219 | 219 | ## Operations checklist |
220 | 220 | |
|
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。