Add OpenClaw environment type

[zkwentz]

Summary

Adds a new OpenClaw environment type following the MCP (Model Context Protocol) pattern.

Features

• 8 tools: exec, read, write, edit, web_search, web_fetch, memory_search, memory_get
• Full test suite (17 tests passing)
• Docker support via workflow integration
• Follows echo_env reference implementation pattern

Tools

Tool	Description
exec	Execute shell commands
read	Read file contents
write	Write files
edit	Edit files with search/replace
web_search	Search the web (simulated in sandbox)
web_fetch	Fetch URL content (simulated in sandbox)
memory_search	Semantic memory search
memory_get	Retrieve memory snippets

Testing

cd tests/envs
pytest test_openclaw_environment.py -v

Related

• OpenClaw: https://github.com/openclaw/openclaw
• MCP: https://modelcontextprotocol.io

[greptile-apps]

Greptile Summary

Adds a new OpenClaw environment following the MCP (Model Context Protocol) pattern established in RFC 003. The implementation provides 8 tools for agentic RL training: file operations (read/write/edit), shell execution (exec), web tools (web_search/web_fetch - simulated in sandbox), and memory management (memory_search/memory_get).

Key Changes:

• Environment server (openclaw_environment.py) extends MCPEnvironment with inline FastMCP tool definitions
• Client (client.py) is a simple wrapper of MCPToolClient for OpenClaw-specific usage
• Comprehensive test suite with 17 tests covering all tools, edge cases, and episode isolation
• Docker integration added to CI/CD workflow
• Per-episode workspace isolation using temp directories
• Follows echo_env reference implementation pattern

Architecture Alignment:

• Correctly implements dual API boundary (MCP tools for agents, Gym API for infrastructure)
• No client-server separation violations
• Agents cannot access reset/simulation controls (only exposed via infrastructure API)
• Shell execution uses shell=True which is acceptable given workspace sandboxing

Confidence Score: 5/5

• This PR is safe to merge with minimal risk
• Clean implementation following established patterns; no invariant violations; comprehensive test coverage; proper isolation and security controls; no Tier 1 issues found
• No files require special attention

Important Files Changed

Filename	Overview
envs/openclaw_env/server/openclaw_environment.py	Implements OpenClaw environment with 8 MCP tools; follows MCPEnvironment pattern correctly; shell execution uses shell=True which is acceptable in sandboxed context
envs/openclaw_env/client.py	Simple client wrapper extending MCPToolClient; no client-server separation violations; follows echo_env pattern
envs/openclaw_env/server/app.py	FastAPI app creation follows standard pattern; correctly uses create_app with MCP types
tests/envs/test_openclaw_environment.py	Comprehensive test suite with 17 tests covering all tools, edge cases, and episode isolation
envs/openclaw_env/server/Dockerfile	Proper Docker setup with system dependencies, workspace isolation, and health check

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[Agent] -->|ListToolsAction| B[OpenClawEnvironment]
    A -->|CallToolAction| B
    
    B --> C{Tool Router}
    
    C -->|exec| D[Shell Execution]
    C -->|read/write/edit| E[File Operations]
    C -->|web_search/web_fetch| F[Web Tools - Simulated]
    C -->|memory_search/memory_get| G[Memory Management]
    
    D --> H[Workspace Sandbox]
    E --> H
    G --> H
    
    H -->|Observation| A
    F -->|Observation| A
    
    I[Infrastructure] -->|reset| B
    I -->|state| B
    
    B -->|Creates per episode| H
    
    style H fill:#e1f5ff
    style A fill:#fff4e1
    style I fill:#ffe1f5
    style B fill:#e1ffe1

Loading

_{Last reviewed commit: 984320c}

[meta-cla]

Hi @zkwentz!

Thank you for your pull request.

We require contributors to sign our Contributor License Agreement, and yours needs attention.

You currently have a record in our system, but the CLA is no longer valid, and will need to be resubmitted.

Process

In order for us to review and merge your suggested changes, please sign at https://code.facebook.com/cla. If you are contributing on behalf of someone else (eg your employer), the individual CLA may not be sufficient and your employer may need to sign the corporate CLA.

Once the CLA is signed, our tooling will perform checks and validations. Afterwards, the pull request will be tagged with CLA signed. The tagging process may take up to 1 hour after signing. Please give it that time before contacting us about it.

If you have received this in error or have any questions, please contact us at cla@meta.com. Thanks!

[Darktex]

Alignment Review — PR #402

Tier 1: Fixes Required

1. Path traversal vulnerability in _resolve_path() — openclaw_environment.py

Relative paths like ../../etc/passwd resolve via self._workspace / path_obj without calling .resolve() or stripping .. components. This allows escaping the workspace sandbox through any read/write/edit/exec tool call.

Fix: call .resolve() on the final path and assert it remains rooted within self._workspace:

def _resolve_path(self, path: str) -> Path:
    resolved = (self._workspace / path).resolve()
    if not str(resolved).startswith(str(self._workspace.resolve())):
        raise ValueError(f"Path escapes workspace sandbox: {path}")
    return resolved

2. os.environ leak in exec tool — openclaw_environment.py

The line env={**os.environ, "HOME": str(env._workspace)} forwards the full server process environment to every agent-spawned subprocess. If the server has AWS_SECRET_ACCESS_KEY, HF_TOKEN, OPENAI_API_KEY, etc., agents can read them via exec("env"). Use an allowlist instead:

safe_env = {
    "HOME": str(env._workspace),
    "PATH": "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
    "TERM": "xterm",
}

3. Dead code in app.py try/except ImportError

Both branches import identically — the except block is unreachable. The except branch should use the standalone import path (from server.openclaw_environment import OpenClawEnvironment).

---

Tier 2: Alignment Flags (for @Darktex)

FLAG 1: shell=True exec tool threat model — The environment relies entirely on Docker container isolation. The Dockerfile/README should document required container security constraints (no --privileged, no host mounts). Has a security threat model been reviewed?

FLAG 2: memory_search/memory_get cross-episode persistence — Does reset() flush the memory store? If memory from episode N is visible in episode N+1, this violates the "one env = one trajectory" invariant and allows cross-episode information leakage.

FLAG 3: Client-server separation — client.py appears clean (extends MCPToolClient only), but please confirm no server/ imports exist. No models.py is present, which is acceptable if the client imports nothing from the server package.

FLAG 4: Missing RFC — This is a general-purpose agentic environment (shell + filesystem + web + memory), not a narrow domain env. Per PRINCIPLES.md, architectural decisions about new environment categories should be documented in an RFC. Was one filed?

---

Verdict: REQUEST_CHANGES — The path traversal and os.environ leak are security blockers. The alignment flags warrant human review before merge.