[Bug] Discord images incorrectly passed to model behind Clash TUN (fake-ip SSRF block + stale image after fix) #27534

@sssswrd

Summary

Discord image attachments are not correctly delivered to the LLM when running behind Clash Verge Rev TUN mode. Two related issues:

  1. SSRF block: cdn.discordapp.com resolves to Clash fake-ip (198.18.x.x), which OpenClaw SSRF protection classifies as "private/internal/special-use IP address" and blocks the download.
  2. Stale/wrong image after DNS fix: Even after adding cdn.discordapp.com to Clash fake-ip-filter (so DNS returns real IP 104.23.x.x), the model still receives incorrect image content (e.g., describes a cat when the actual image is a door with Chinese New Year couplets). The local file at ~/.openclaw/media/inbound/<uuid>.jpg contains the correct image, but the model sees something different.

Environment

  • OpenClaw: 2026.2.25
  • OS: macOS 15.7.4 (Intel x64)
  • Node: v22.22.0
  • Channel: Discord (DM)
  • Proxy: Clash Verge Rev v2.4.5 (TUN mode + Service Mode)
  • Model: yunyi-claude/claude-opus-4-6 (also tested with openai/gpt-4o and kimi-coding/k2p5 — same result)

Steps to Reproduce

  1. Run OpenClaw behind Clash TUN mode (fake-ip enabled, range 198.18.0.1/16)
  2. Send an image via Discord DM to the bot
  3. Model either cannot see the image or describes completely wrong content

Log Evidence

blocked URL fetch (url-fetch) target=https://cdn.discordapp.com/attachments/...
reason=Blocked: resolves to private/internal/special-use IP address

Multiple occurrences in /tmp/openclaw/openclaw-*.log with subsystem security.

Workaround (partial)

Adding cdn.discordapp.com and media.discordapp.net to Clash fake-ip-filter stops the SSRF block. However, the model still receives incorrect image content in some cases, suggesting the image may be cached or the URL-to-base64 conversion has issues.

Reading the local file directly via the read tool (~/.openclaw/media/inbound/<uuid>.jpg) shows the correct image.

Expected Behavior

Images sent via Discord should be correctly downloaded and passed to the model, regardless of proxy/VPN configuration.

Suggested Fix

  1. Short-term: When downloading Discord CDN images, if the URL fetch is blocked by SSRF, fall back to the already-downloaded local file in ~/.openclaw/media/inbound/.
  2. Long-term: Always convert images to base64 from the local cached file before sending to the model API, rather than passing the CDN URL (which may be inaccessible from the model provider side, especially for China-based proxies like yunyi-claude).

Related

  • The SSRF protection (198.18.0.0/15 = IETF benchmark range) is correct in general, but Clash TUN fake-ip uses this range, creating a conflict for legitimate external domains.
  • This affects any user running OpenClaw behind Clash/Mihomo TUN mode with fake-ip enabled.
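
The range conflict described in this issue, as an added example (not OpenClaw's code and not from the reporter): a resolved-address check that keeps blocking 198.18.0.0/15 but attaches a diagnostic hint so the log points at fake-ip DNS rather than a generic private-IP block. The function names, the range list and the sample addresses are constructed for illustration.

```javascript
// Added example: hypothetical names, constructed inputs.
// Subset of special-use IPv4 ranges an SSRF guard typically refuses.
const SPECIAL_USE = [
  { cidr: "10.0.0.0/8", label: "private" },
  { cidr: "127.0.0.0/8", label: "loopback" },
  { cidr: "169.254.0.0/16", label: "link-local" },
  { cidr: "172.16.0.0/12", label: "private" },
  { cidr: "192.168.0.0/16", label: "private" },
  { cidr: "198.18.0.0/15", label: "benchmark" }, // range named in the issue
];

// Parse a dotted-quad IPv4 address into an unsigned integer, or null if malformed.
function ipv4ToInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// True when ip falls inside cidr. Division is used instead of bit shifts
// so addresses above 127.255.255.255 do not go negative.
function inCidr(ip, cidr) {
  const [base, bits] = cidr.split("/");
  const ipN = ipv4ToInt(ip), baseN = ipv4ToInt(base);
  if (ipN === null || baseN === null) return false;
  const size = 2 ** (32 - Number(bits));
  return Math.floor(ipN / size) === Math.floor(baseN / size);
}

// The decision stays "block" for every special-use range; only the
// diagnostic hint differs for 198.18.0.0/15. Unparseable input fails closed.
function classifyResolved(host, ip) {
  if (ipv4ToInt(ip) === null) return { host, ip, allow: false, reason: "unparseable", hint: null };
  const hit = SPECIAL_USE.find((r) => inCidr(ip, r.cidr));
  if (!hit) return { host, ip, allow: true, reason: "public", hint: null };
  const hint = hit.label === "benchmark"
    ? "address is in 198.18.0.0/15; a local TUN proxy may be returning fake-ip answers for this host"
    : null;
  return { host, ip, allow: false, reason: hit.label, hint };
}
```

The fake-ip pool from the reproduction steps (198.18.0.1/16) sits entirely inside 198.18.0.0/15, which is why every fake-ip answer is refused.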
