iMessage auto-delivery leaks AI internal thoughts as real messages #219

@SocialNerd42069

Bug Description

When iMessage is enabled, the gateway auto-delivers the AI's plain text responses back to the originating phone number. This caused internal debugging thoughts to be sent as actual iMessages to real contacts.

What Happened

  1. Old iMessages from 2019 were surfaced (sync issue or watch picking up historical messages)
  2. Messages came in formatted as [iMessage +PHONE id:+PHONE TIMESTAMP] message
  3. AI responded with plain text (not a tool call) containing internal thoughts like "Still 2019 messages - some sync weirdness happening. Ignoring the historical noise."
  4. Gateway auto-delivered this response to the phone number in the id: field
  5. Real people received the AI's internal monologue as actual iMessages at midnight

Evidence

From session log:

{"role":"user","content":[{"type":"text","text":"[iMessage +19513140527 id:+19513140527 2019-10-22T14:05-05:00{America/Chicago}] Wanna meet at omelette station?"}]}

{"role":"assistant","content":[{"type":"thinking","thinking":"More old iMessages from 2019... I should not respond to any of these..."},{"type":"text","text":"Still 2019 messages - some sync weirdness happening. Ignoring the historical noise. 🍺"}],"stopReason":"stop"}

The stopReason: stop (not toolUse) means no explicit send was requested, yet the message was delivered.

Root Cause

The imessage config in clawdis.json has no allowFrom filter or deliver: false option like Telegram has:

"telegram": {
  "allowFrom": [1644620762, 8365015050],  // ✅ Has filtering
  "enabled": true
},
"imessage": {
  "cliPath": "/opt/homebrew/bin/imsg",
  "enabled": true  // ❌ No allowFrom, no deliver control
}

Expected Behavior

  • Plain text AI responses should NOT auto-deliver to iMessage
  • Only explicit imsg send tool calls should send messages
  • OR: Add allowFrom / deliver: false config options for iMessage like Telegram has

Suggested Fix

  1. Add "deliver": false as default for iMessage (require explicit tool call to send)
  2. Add "allowFrom" filtering for iMessage phone numbers
  3. Don't surface ancient historical messages as "new" incoming messages

Impact

  • Embarrassing messages sent to real contacts (family, colleagues)
  • Trust violation with users who expect AI to only act when explicitly instructed
  • Potential for sensitive information leakage

Workaround

Set "imessage": { "enabled": false } in clawdis.json until fixed.

Environment

  • Clawdis version: 2.0.0-beta5
  • OS: macOS (Darwin 24.6.0 arm64)
  • Model: claude-opus-4-5
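
A sketch of the fail-closed auto-delivery gate that the Expected Behavior and Suggested Fix sections describe, as an added example (not Clawdis code and not part of the original issue). The iMessage `deliver` and `allowFrom` keys are the options the issue proposes, and `maxAgeMs`, the function names and the sample values are assumptions made for illustration.

```javascript
// Added example: hypothetical auto-delivery gate, not Clawdis source code.
// "deliver"/"allowFrom" are the options the issue proposes; "maxAgeMs" is assumed.
const DEFAULTS = { deliver: false, allowFrom: [], maxAgeMs: 10 * 60 * 1000 };

// Envelope shape seen in the session log: [iMessage +N id:+N TIMESTAMP{ZONE}] text
const ENVELOPE =
  /^\[iMessage (\+\d+) id:(\+\d+) (\d{4}-\d{2}-\d{2}T\d{2}:\d{2}(?::\d{2})?(?:Z|[+-]\d{2}:\d{2}))(?:\{[^}]*\})?\] /;

function parseEnvelope(text) {
  const m = ENVELOPE.exec(text);
  if (!m) return null;
  const sentAt = new Date(m[3]);
  if (Number.isNaN(sentAt.getTime())) return null;
  return { sender: m[1], replyTo: m[2], sentAt };
}

// Decide whether a plain-text assistant turn may be sent back over iMessage.
// Every check fails closed: anything unexpected means "do not send".
function autoDeliverDecision(inboundText, assistantTurn, imessageCfg, now) {
  const cfg = { ...DEFAULTS, ...imessageCfg };
  if (!cfg.deliver) return { send: false, reason: "deliver-disabled" };
  const env = parseEnvelope(inboundText);
  if (!env) return { send: false, reason: "unparsed-envelope" };
  if (!cfg.allowFrom.includes(env.sender)) return { send: false, reason: "sender-not-allowed" };
  const age = now.getTime() - env.sentAt.getTime();
  if (age < 0 || age > cfg.maxAgeMs) return { send: false, reason: "timestamp-out-of-window" };
  // Forward only "text" blocks; "thinking" blocks never leave the gateway.
  const body = assistantTurn.content
    .filter((b) => b.type === "text")
    .map((b) => b.text)
    .join("\n")
    .trim();
  if (!body) return { send: false, reason: "empty-body" };
  return { send: true, to: env.replyTo, body };
}

// Constructed sample input (phone number and message text are made up).
const SAMPLE_INBOUND =
  "[iMessage +15555550100 id:+15555550100 2019-10-22T14:05-05:00{America/Chicago}] Lunch?";
const SAMPLE_TURN = {
  stopReason: "stop",
  content: [
    { type: "thinking", thinking: "Old message, ignore." },
    { type: "text", text: "Ignoring the historical noise." },
  ],
};
const NOW = new Date("2026-01-01T00:00:00Z");
```

With the defaults, the sample turn is dropped with `deliver-disabled`; even with delivery switched on, the 2019 timestamp fails the age window before anything is sent.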

Labels: bug