solution channel medium macos linux windows telegram

Telegram CLI: LocalMediaAccessError for --media paths outside allowed directories

Fix `openclaw message send --channel telegram --media <path>` failures by staging the file under OpenClaw's allowed media roots (such as ~/.openclaw/media) before sending.

By CoClaw Team •

Symptoms

  • Telegram is healthy in openclaw status --deep, but a CLI send with a local file fails:
openclaw message send --channel telegram --target <chat> --media /some/path/image.jpg
  • You see an error like:
LocalMediaAccessError: Local media path is not under an allowed directory: /some/path/image.jpg
  • If you copy the file into ~/.openclaw/* and try again, the send succeeds.

Cause

OpenClaw treats local-file media reads as a security boundary.

By default, it only allows local media paths under specific OpenClaw-managed directories (state/media/workspace/tmp roots). This reduces the risk of accidentally uploading arbitrary host files.

So an explicit --media /root/clawd/cat.jpg path can still be rejected if it is outside those allowed roots.

Fix

On the same host where you run openclaw message send:

mkdir -p ~/.openclaw/media
cp /some/path/image.jpg ~/.openclaw/media/image.jpg

Then send the staged path:

openclaw message send \\
  --channel telegram \\
  --target <chat> \\
  --media ~/.openclaw/media/image.jpg \\
  --message \"test local image\"

Why this helps: the staged file lives under an allowed root, so OpenClaw can safely read and upload it.

2) Prefer OpenClaw-managed temp/media paths for automation

If you generate files programmatically (screenshots, charts, exports), write them directly into an OpenClaw-managed directory like ~/.openclaw/media so you can send them without extra copy steps.

Verify

  • Re-run the same openclaw message send command using the staged ~/.openclaw/media/... path.
  • Confirm Telegram receives the image and the CLI output indicates success.
  • Confirm the original failing path still fails (expected) — that means the guard is working as designed.

If it still fails, collect:

  • your exact CLI command (redact tokens)
  • the full LocalMediaAccessError line
  • your OS + whether the file path is a symlink (OpenClaw resolves symlinks when validating)

Verification & references

  • Reviewed by:CoClaw Code Team
  • Last reviewed:March 14, 2026
  • Verified on: macOS · Linux · Windows

References

Official docs

  1. OpenClaw docs: /channels/telegram
  2. OpenClaw docs: /cli/message

Issue threads

  1. OpenClaw GitHub issue #44078
Want to explore more? Browse all solutions or ask in the Community Forum .
Report a problem

Related Resources

Telegram: voice/audio-only messages don't trigger a response
Fix
Fix Telegram voice notes that are ignored by enabling inbound audio transcription (tools.media.audio) and ensuring media limits allow downloading/transcribing.
Telegram: channel stops working because persisted session state JSON is bad
Fix
Recover a Telegram channel that looks mysteriously broken by identifying the bad persisted Telegram session-state JSON, backing it up, resetting only that file, and restarting the gateway.
Telegram: bot is in a group but never responds
Fix
Fix Telegram group response issues caused by allowlist/groups config, requireMention, or Telegram privacy mode/admin permissions.
Telegram: 'setMyCommands failed' / Bot API requests fail
Fix
Fix Telegram Bot API failures caused by outbound HTTPS/DNS/IPv6 issues to api.telegram.org (common on restricted VPS or proxies).
Telegram + OpenClaw: Setup, Group Controls, and Common Pitfalls
Guide
Set up Telegram for OpenClaw with safe DM and group controls, privacy-mode awareness, and a verification path that proves the bot sees the right messages.
OpenClaw CLI Command Cheat Sheet (and the Reddit FAQ)
Guide
Use the right OpenClaw CLI command for the job: map symptoms to the correct layer, run a minimal diagnosis pack, and know what evidence to capture before you change config or ask for help.