[NemoClaw][Brev][Agent] checkMessagingBridgeHealth() passes sandbox name as positional arg to openshell exec, silently failing #2018

@hulynn

Description

[Description]
The checkMessagingBridgeHealth() function in nemoclaw.ts calls openshell sandbox exec <sandboxName> sh -c <script> with the sandbox name as a positional argument. However, openshell sandbox exec requires the --name/-n flag for the sandbox name. The positional name is interpreted as the command to execute, causing exit code 127. The catch block silently swallows this error, so the "degraded" warning for Telegram 409 conflicts is never shown in nemoclaw <sandbox> status output.

[Environment]
Device: Ubuntu 22.04.5 LTS
Node.js: v22.22.2
npm: 10.9.7
Docker: Docker version 28.2.2, build 28.2.2-0ubuntu1~22.04.1
OpenShell CLI: openshell 0.0.26
NemoClaw: nemoclaw v0.0.18
OpenClaw: OpenClaw 2026.4.2 (d74a122)

[Steps to Reproduce]

  1. Have a sandbox with Telegram enabled and messagingChannels: ["telegram"] in registry
  2. Start a competing Telegram consumer to generate 409 errors:
    TOKEN=$(python3 -c "import json; print(json.load(open('$HOME/.nemoclaw/credentials.json'))['TELEGRAM_BOT_TOKEN'])")
    while true; do curl -s "https://api.telegram.org/bot${TOKEN}/getUpdates?timeout=30&offset=-1" > /dev/null; sleep 2; done &
  3. Wait 60 seconds for 409 errors to accumulate in /tmp/gateway.log
  4. Verify errors exist: openshell sandbox exec -n -- sh -c 'tail -n 200 /tmp/gateway.log | grep -cE "getUpdates conflict|409[[:space:]:]+Conflict"'
    → Returns 32+ (errors present)
  5. Run: nemoclaw status
  6. Observe: no degraded warning appears despite 409 errors in log

[Expected Result]
Status output should include:
⚠ telegram bridge: degraded (32 conflict errors in /tmp/gateway.log)
Another sandbox is likely polling with the same bot token. See docs/reference/troubleshooting.md.

[Actual Result]
Status output shows normal sandbox info with no degraded warning. The health check
silently fails and returns an empty array.

Manual reproduction of the bug:
$ openshell sandbox exec tele-brev sh -c 'echo hello'
→ Exit code 127: /bin/bash: line 1: tele-brev: command not found

$ openshell sandbox exec -n tele-brev -- sh -c 'echo hello'
→ hello (works correctly with -n flag)

[Root Cause Analysis]

  • File: /home/ubuntu/.nemoclaw/source/src/nemoclaw.ts:1046-1049

  • Code:
    const result = spawnSync(
      getOpenshellBinary(),
      ["sandbox", "exec", sandboxName, "sh", "-c", script],
      { encoding: "utf-8", timeout: 3000, stdio: ["ignore", "pipe", "pipe"] },
    );

  • Why: The arguments array passes sandboxName as the 3rd positional element after
    "sandbox" and "exec". The openshell sandbox exec command expects:
    openshell sandbox exec --name -- ...
    or:
    openshell sandbox exec -n -- ...
    Without the --name flag, sandboxName is parsed as the first word of the command
    to execute inside the sandbox. This causes /bin/bash: tele-brev: command not found.

    Note: openshell sandbox connect accepts positional [NAME] (line 1161 works fine),
    but openshell sandbox exec does NOT — this is an inconsistency in the openshell CLI
    argument parsing between subcommands.

  • Suggested fix: Change line 1048 from:
    ["sandbox", "exec", sandboxName, "sh", "-c", script],
    to:
    ["sandbox", "exec", "-n", sandboxName, "--", "sh", "-c", script],

Bug Details

Priority: Unprioritized
Action: Dev - Open - To fix
Disposition: Open issue
Module: Machine Learning - NemoClaw
Keyword: NemoClaw, NemoClaw_Agent&Skills, NEMOCLAW_GH_SYNC_APPROVAL

[NVB# 6089914]
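
Added example, not part of the original issue and not NemoClaw's own code: a health check that uses the -n/-- argument shape from the suggested fix and reports a failed check as "unknown" instead of swallowing it. The names checkTelegramBridge, buildExecArgs, Runner and BridgeHealth are hypothetical; the runner is injected so that, in real use, it would wrap the spawnSync call shown in the root cause analysis.

```typescript
// Added example (not NemoClaw source). Type and function names are hypothetical;
// the argv shape, grep pattern and log path are taken from the issue text.
type ExecResult = { status: number | null; stdout: string; stderr: string; error?: Error };
type Runner = (args: string[]) => ExecResult;
type BridgeHealth =
  | { state: "ok" }
  | { state: "degraded"; conflicts: number }
  | { state: "unknown"; reason: string };

const CONFLICT_SCRIPT =
  `tail -n 200 /tmp/gateway.log | grep -cE "getUpdates conflict|409[[:space:]:]+Conflict"`;

// The sandbox name goes behind -n, and "--" ends option parsing so nothing in
// the in-sandbox command can be mistaken for an openshell flag.
function buildExecArgs(sandboxName: string, script: string): string[] {
  return ["sandbox", "exec", "-n", sandboxName, "--", "sh", "-c", script];
}

function checkTelegramBridge(sandboxName: string, run: Runner): BridgeHealth {
  let res: ExecResult;
  try {
    res = run(buildExecArgs(sandboxName, CONFLICT_SCRIPT));
  } catch (e) {
    return { state: "unknown", reason: `exec threw: ${String(e)}` };
  }
  if (res.error) return { state: "unknown", reason: `spawn failed: ${res.error.message}` };
  // grep -c exits 1 and prints "0" when nothing matches; that is a healthy bridge.
  // Any other status (127 = command not found, null = killed or timed out)
  // means the check itself failed and must not be reported as "no problems".
  if (res.status !== 0 && res.status !== 1) {
    return { state: "unknown", reason: `exit ${res.status}: ${res.stderr.trim()}` };
  }
  const out = res.stdout.trim();
  if (!/^\d+$/.test(out)) return { state: "unknown", reason: `unparseable count: "${out}"` };
  const conflicts = Number(out);
  return conflicts > 0 ? { state: "degraded", conflicts } : { state: "ok" };
}
```

A status command built on this can print a separate line for the "unknown" state, so a broken health check is visible rather than indistinguishable from a healthy bridge.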


    Labels

    NV QA (Bugs found by the NVIDIA QA Team); NemoClaw CLI (Use this label to identify issues with the NemoClaw command-line interface (CLI).); Platform: Ubuntu (Support for Linux Ubuntu); bug (Something isn't working)
