diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7c3e7744621..d5942073139 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -19,6 +19,7 @@ Docs: https://docs.openclaw.ai
 - Discord: add per-button `allowedUsers` allowlist for interactive components to restrict who can click buttons. Thanks @thewilloftheshadow.
 - Docker: add optional `OPENCLAW_INSTALL_BROWSER` build arg to preinstall Chromium + Xvfb in the Docker image, avoiding runtime Playwright installs. (#18449)
 - Agents/Z.AI: enable `tool_stream` by default for real-time tool call streaming, with opt-out via `params.tool_stream: false`. (#18173) Thanks @tianxiao1430-jpg.
+- Auto-reply: include `sender_id` in trusted inbound metadata so moderation workflows can target the sender without relying on untrusted text. (#18303) Thanks @crimeacs.
 
 ### Fixes
 
diff --git a/src/auto-reply/reply/inbound-meta.test.ts b/src/auto-reply/reply/inbound-meta.test.ts
index 2578c7ca72c..a678623dcd0 100644
--- a/src/auto-reply/reply/inbound-meta.test.ts
+++ b/src/auto-reply/reply/inbound-meta.test.ts
@@ -47,6 +47,36 @@ describe("buildInboundMetaSystemPrompt", () => {
     expect(payload["sender_id"]).toBe("289522496");
   });
 
+  it("trims sender_id before storing", () => {
+    const prompt = buildInboundMetaSystemPrompt({
+      MessageSid: "457",
+      SenderId: "  289522496  ",
+      OriginatingTo: "telegram:-1001249586642",
+      OriginatingChannel: "telegram",
+      Provider: "telegram",
+      Surface: "telegram",
+      ChatType: "group",
+    } as TemplateContext);
+
+    const payload = parseInboundMetaPayload(prompt);
+    expect(payload["sender_id"]).toBe("289522496");
+  });
+
+  it("omits sender_id when blank", () => {
+    const prompt = buildInboundMetaSystemPrompt({
+      MessageSid: "458",
+      SenderId: "   ",
+      OriginatingTo: "telegram:-1001249586642",
+      OriginatingChannel: "telegram",
+      Provider: "telegram",
+      Surface: "telegram",
+      ChatType: "group",
+    } as TemplateContext);
+
+    const payload = parseInboundMetaPayload(prompt);
+    expect(payload["sender_id"]).toBeUndefined();
+  });
+
   it("omits sender_id when not provided", () => {
     const prompt = buildInboundMetaSystemPrompt({
       MessageSid: "789",