Summary

• Problem: child shell/exec processes had no stable env marker to identify OpenClaw-originated invocations across host exec helpers, node-host system.run, and sandboxed command surfaces.
• Why it matters: downstream tools cannot reliably strip OpenClaw-specific token spam or adjust behavior only when launched by OpenClaw.
• What changed: added a shared OPENCLAW_CLI=1 marker helper and applied it at CLI startup, host exec env sanitization, generic runCommandWithTimeout env resolution, and sandbox Docker env injection, plus focused regression tests.
• What did NOT change (scope boundary): no command output shaping or token filtering logic was added in this PR; this only establishes the marker consistently.
• AI-assisted: yes. Testing: focused tests run locally.

Change Type (select all)

• Bug fix
• Feature
• Refactor
• Docs
• Security hardening
• Chore/infra

Scope (select all touched areas)

• Gateway / orchestration
• Skills / tool execution
• Auth / tokens
• Memory / storage
• Integrations
• API / contracts
• UI / DX
• CI/CD / infra

Linked Issue/PR

• Closes #
• Related #

User-visible / Behavior Changes

• Child processes launched by OpenClaw now receive OPENCLAW_CLI=1, including host exec flows and Docker sandboxes.

Security Impact (required)

• New permissions/capabilities? (Yes/No) No
• Secrets/tokens handling changed? (Yes/No) No
• New/changed network calls? (Yes/No) No
• Command/tool execution surface changed? (Yes/No) Yes
• Data access scope changed? (Yes/No) No
• If any Yes, explain risk + mitigation:
  This changes child-process environment contents by adding a single non-secret marker variable. Risk is limited to tooling that reacts to the presence of OPENCLAW_CLI; mitigation is the value is explicit, stable, and covered by focused tests on host env sanitization, generic exec env resolution, and sandbox env creation.

Repro + Verification

Environment

• OS: macOS
• Runtime/container: Node 22 / pnpm workspace
• Model/provider: N/A
• Integration/channel (if any): N/A
• Relevant config (redacted): default local dev config

Steps

1. Launch OpenClaw CLI or any flow that reaches runCommandWithTimeout, node-host system.run, or sandbox container creation.
2. Inspect the child environment or sandbox create args.
3. Verify OPENCLAW_CLI=1 is present.

Expected

• OpenClaw-launched child commands and sandbox containers carry a stable OPENCLAW_CLI=1 marker.

Actual

• Before this change, no general-purpose marker was injected consistently across those execution paths.

Evidence

Attach at least one:

• Failing test/log before + passing after
• Trace/log snippets
• Screenshot/recording
• Perf numbers (if relevant)

Human Verification (required)

What you personally verified (not just CI), and how:

• Verified scenarios: ran pnpm test src/process/exec.test.ts src/infra/host-env-security.test.ts src/agents/sandbox-create-args.test.ts in the PR worktree; all passed.
• Edge cases checked: host env sanitization still blocks dangerous overrides while preserving the marker; sandbox env creation still sanitizes env vars and now includes the marker.
• What you did not verify: full-repo test suite, live downstream consumer logic that strips spam based on the marker.

Review Conversations

• I replied to or resolved every bot review conversation I addressed in this PR.
• I left unresolved only the conversations that still need reviewer or maintainer judgment.

If a bot review conversation is addressed by this PR, resolve that conversation yourself. Do not leave bot review conversation cleanup for maintainers.

Compatibility / Migration

• Backward compatible? (Yes/No) Yes
• Config/env changes? (Yes/No) Yes
• Migration needed? (Yes/No) No
• If yes, exact upgrade steps:

Failure Recovery (if this breaks)

• How to disable/revert this change quickly: revert commit 536a572
• Files/config to restore: exec env helper wiring in src/entry.ts, src/infra/host-env-security.ts, src/process/exec.ts, and src/agents/sandbox/docker.ts
• Known bad symptoms reviewers should watch for: downstream tooling unexpectedly changing behavior whenever OPENCLAW_CLI is present.

Risks and Mitigations

• Risk: some downstream command/tooling may already use OPENCLAW_CLI for an unrelated purpose.
  • Mitigation: the variable name is explicit to OpenClaw and is now documented in the PR body; if collision appears, the wiring is isolated and easy to rename.