Description
When running NemoClaw with Telegram channel, the startup message gateway Running as non-root (uid=998) — privilege separation disabled from nemoclaw-start.sh (line 184) leaks into every Telegram response, appearing as the first line before the agent's actual reply.
Environment
- NemoClaw on Hetzner VPS (Ubuntu 24, 8GB RAM)
- OpenClaw v2026.3.24
- Telegram channel
- Sandbox running as uid=998 (non-root, as intended)
Root Cause
/usr/local/bin/nemoclaw-start (the container entrypoint, copied from scripts/nemoclaw-start.sh) has an echo statement at line 184:
if [ "$(id -u)" -ne 0 ]; then
    echo "[gateway] Running as non-root (uid=$(id -u)) — privilege separation disabled"
    export HOME=/sandbox
This echo goes to stdout, which gets captured by the Telegram bridge and prepended to agent responses.
Fix
Comment out or suppress the echo on line 184 of scripts/nemoclaw-start.sh:
if [ "$(id -u)" -ne 0 ]; then
    # echo "[gateway] Running as non-root (uid=$(id -u)) — privilege separation disabled"
    export HOME=/sandbox
Or redirect it to stderr so it only appears in logs, not in Telegram output:
echo "[gateway] Running as non-root (uid=$(id -u)) — privilege separation disabled" >&2
Workaround (for current users)
Patch the running container directly:
docker exec openshell-cluster-nemoclaw kubectl exec -n openshell <sandbox-name> -- sed -i '184s/.*echo.*privilege separation.*/ # suppressed/' /usr/local/bin/nemoclaw-start
Then restart the gateway inside the sandbox.
Suggested Fix
Redirect the message to stderr (>&2) instead of stdout so it appears in logs but does not leak into channel responses.
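The stdout/stderr split behind the suggested fix, as an added example that is not NemoClaw's code: `banner`, `agent_reply`, `start_leaky`, `start_fixed`, `bridge_reply`, `leaked_lines` and the log path are hypothetical stand-ins, uid 998 is hard-coded to match the report, and the bridge is assumed to forward only the process's stdout.

```shell
#!/bin/sh
# Added illustration with constructed stand-ins; not the project's entrypoint.
LOG_FILE="${TMPDIR:-/tmp}/gateway-demo.$$.log"
trap 'rm -f "$LOG_FILE"' EXIT

# Same text as the startup message in the report; uid passed in so the demo
# behaves identically whether or not it is run as root.
banner() {
    echo "[gateway] Running as non-root (uid=$1) — privilege separation disabled"
}

# Stand-in for the agent's real reply.
agent_reply() { echo "Hello from the agent"; }

# Before: the diagnostic shares stdout with the reply.
start_leaky() { banner 998; agent_reply; }

# After: the diagnostic goes to stderr, the reply stays on stdout.
start_fixed() { banner 998 >&2; agent_reply; }

# Assumed bridge behaviour: forward stdout, send stderr to a log file.
bridge_reply() { "$@" 2>>"$LOG_FILE"; }

# Regression check: number of "[gateway]" lines that would reach the channel.
# grep -c exits 1 on a zero count, so "|| true" keeps callers using set -e alive.
leaked_lines() { bridge_reply "$@" | grep -c '^\[gateway\]' || true; }

echo "leaky entrypoint: $(leaked_lines start_leaky) diagnostic line(s) forwarded"
echo "fixed entrypoint: $(leaked_lines start_fixed) diagnostic line(s) forwarded"
echo "diagnostic line(s) kept in log: $(grep -c 'uid=998' "$LOG_FILE" || true)"
```

A check like `leaked_lines` can run in CI against the real entrypoint to catch any later `echo` that lands on stdout before the agent starts.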