Summary
Agents running through OpenAB can receive images/files from users, but have no native path to send files back to Discord. The only workaround is agents calling the Discord REST API directly with the bot token, which breaks session/thread management and requires exposing credentials to the agent.
PR #300 proposed a solution using markdown  extraction, but was deferred due to security concerns. This issue tracks the feature with the required security hardening.
Prior Art
See PR #300 for detailed research on OpenClaw (MEDIA: directive + CVE), Hermes Agent, and cross-agent testing with Claude Code, Codex, Cursor, and Copilot.
Security Requirements
The following must be addressed before this feature can ship:
-
Symlink resolution — Use std::fs::canonicalize() before checking path prefixes. Without this, ln -s /etc/passwd /tmp/innocent.txt bypasses the allowlist.
-
Path traversal —  must be blocked. canonicalize() resolves .. components, covering this case.
-
Configurable allowlist — Hardcoded /tmp/ and /var/folders/ does not work for containerized deployments. Add outbound.allowed_dirs to config.toml:
[outbound]
enabled = false
allowed_dirs = ["/tmp/", "/home/agent/output/"]
max_file_size_mb = 25
-
Opt-in by default — Feature must be disabled unless outbound.enabled = true is explicitly set. Operators should consciously allow filesystem → Discord uploads.
-
Rate limiting — Cap outbound attachments per message or per minute to prevent channel flooding.
Implementation Notes
The core implementation from PR #300 is solid and reusable:
- Regex extraction of
 markers
serenity::CreateAttachment::path() for upload- Marker stripping from text response
- 5 unit tests covering extraction, allowlist blocking, missing files, and multi-file
Related
Summary
Agents running through OpenAB can receive images/files from users, but have no native path to send files back to Discord. The only workaround is agents calling the Discord REST API directly with the bot token, which breaks session/thread management and requires exposing credentials to the agent.
PR #300 proposed a solution using markdown
extraction, but was deferred due to security concerns. This issue tracks the feature with the required security hardening.Prior Art
See PR #300 for detailed research on OpenClaw (
MEDIA:directive + CVE), Hermes Agent, and cross-agent testing with Claude Code, Codex, Cursor, and Copilot.Security Requirements
The following must be addressed before this feature can ship:
Symlink resolution — Use
std::fs::canonicalize()before checking path prefixes. Without this,ln -s /etc/passwd /tmp/innocent.txtbypasses the allowlist.Path traversal —
must be blocked.canonicalize()resolves..components, covering this case.Configurable allowlist — Hardcoded
/tmp/and/var/folders/does not work for containerized deployments. Addoutbound.allowed_dirstoconfig.toml:Opt-in by default — Feature must be disabled unless
outbound.enabled = trueis explicitly set. Operators should consciously allow filesystem → Discord uploads.Rate limiting — Cap outbound attachments per message or per minute to prevent channel flooding.
Implementation Notes
The core implementation from PR #300 is solid and reusable:
markersserenity::CreateAttachment::path()for uploadRelated