Summary
The LLM decision output is parsed via parseKeyValueXml() but there's no schema validation on the parsed result. Malformed or unexpected values pass through silently.
Affected Files
lib/eliza/plugin-cloud-bootstrap/services/cloud-bootstrap-message-service.ts — XML parsing in runMultiStepCore
Impact
- Unknown action names pass through (not validated against registered actions before execution)
- Parameters may not be valid JSON (caught by try/catch but no structured error)
- isFinish parsed as string, not boolean (implicit conversion)
- Retry logic handles parse failures but not semantically invalid output
Recommended Fix
Add lightweight validation after parsing:
- Verify action is a known registered action name
- Verify parameters is valid JSON and matches expected schema
- Validate isFinish is explicitly "true" or "false"
- Log and handle invalid decisions as parse failures (trigger retry)
Effort estimate: Short (<4h)
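One way to implement the checks listed under Recommended Fix, as an added example that is not the project's own code. It assumes parseKeyValueXml() returns a flat object of strings or null; validateDecision, ActionRegistry and the registry shape (action name mapped to required parameter keys) are hypothetical, as are the choices that a finishing step may omit the action and that absent parameters mean {}.

```typescript
// Added example: all names are hypothetical, not the project's API.
// Assumed: parseKeyValueXml() returns a flat object of strings, or null.
type RawDecision = Record<string, unknown> | null;
type Decision = { action: string; parameters: Record<string, unknown>; isFinish: boolean };
type Result = { ok: true; decision: Decision } | { ok: false; errors: string[] };
// Assumed registry shape: action name -> required parameter keys.
type ActionRegistry = Record<string, string[]>;

const own = (o: object, k: string): boolean => Object.prototype.hasOwnProperty.call(o, k);

function validateDecision(raw: RawDecision, registry: ActionRegistry): Result {
  if (raw === null || typeof raw !== "object") {
    return { ok: false, errors: ["decision: parser returned no object"] };
  }
  const errors: string[] = [];

  // isFinish: accept only the two literal strings, never truthiness.
  const finish = raw["isFinish"];
  if (finish !== "true" && finish !== "false") {
    errors.push(`isFinish: expected "true" or "false", got ${JSON.stringify(finish)}`);
  }
  const isFinish = finish === "true";

  // action: own-property lookup so "constructor" or "__proto__" never match.
  // Assumption: a finishing step may omit the action.
  const a = raw["action"];
  const action = typeof a === "string" ? a.trim() : "";
  const required = own(registry, action) ? registry[action] : undefined;
  if (required === undefined && !(isFinish && action === "")) {
    errors.push(`action: ${JSON.stringify(a)} is not a registered action`);
  }

  // parameters: must parse to a JSON object; absent means {} (assumption).
  let parameters: Record<string, unknown> = {};
  const p = raw["parameters"];
  try {
    const parsed: unknown = JSON.parse(typeof p === "string" && p.trim() !== "" ? p : "{}");
    if (parsed === null || typeof parsed !== "object" || Array.isArray(parsed)) {
      errors.push("parameters: expected a JSON object");
    } else {
      parameters = parsed as Record<string, unknown>;
    }
  } catch (e) {
    errors.push(`parameters: invalid JSON (${(e as Error).message})`);
  }
  for (const key of required ?? []) {
    if (!own(parameters, key)) errors.push(`parameters: missing key "${key}" for ${action}`);
  }
  return errors.length > 0 ? { ok: false, errors } : { ok: true, decision: { action, parameters, isFinish } };
}
```

A caller would log the errors array and route an ok: false result into the same retry path as a parse failure.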
Source
Identified by GPT Architect agent during comprehensive plan review (2026-02-06).