OpenClaw Issue Digest: Addressing Critical Stability and Security Gaps

12:30–18:30 UTC May 16, 2026

Open Issues

Recent activity in the OpenClaw repository reveals a series of high-severity regressions and architectural gaps, primarily centered around gateway stability, session management, and security enforcement.

Critical Stability and Regressions

Several P1 issues highlight significant stability failures. A major regression in version 2026.5.12 has been reported where the WhatsApp externalization migration silently drops the channels configuration from openclaw.json (#82533), effectively bricking messaging for upgrading users. Additionally, the gateway's event loop is being pinned by getMe retries during the start-account phase for Telegram (#82525), leading to massive delays (up to 33 seconds) and causing user sessions to queue or time out.

On the infrastructure side, a critical crash has been identified where the session lock implementation uses hard links (fs.link), which fails with ENOTSUP on SMB, NFS, and virtiofs mounts (#81089). This prevents the gateway from coordinating usage and cost data on shared-folder environments common in Docker and VM setups.

Security and Isolation Gaps

Security concerns are prominent, particularly regarding autonomous agents. A critical vulnerability exists in cron jobs where a single LLM handles both untrusted external data (scraping) and privileged system commands, creating a massive prompt injection vector (#29442). A "Dual-LLM" architecture, which separates a read-only worker from a privileged manager, has been proposed to mitigate this.

Further isolation issues include:

  • Cron Job Leakage: Scheduled tasks are currently global, allowing any agent with cron permissions to view or modify tasks created by other users/agents (#26370).
  • Sandbox Failures: Sub-agents spawned via sessions_spawn silently fail to initialize when sandbox.mode is set to "non-main" (#39248).
  • Path-Scoped Permissions: The current binary-level allowlist for exec is insufficient, as it doesn't restrict which paths a binary can touch, leading to potential exfiltration of sensitive directories like ~/.ssh (#39979).

UX and Feature Friction

User experience issues are prevalent in the Control UI and TUI. The TUI's session list is currently polluted with untrusted metadata blocks as session titles (#39722), and the Control UI lacks a progress indicator for debug snapshot refreshes, leading to a perceived "frozen" state (#39777).

In the messaging layer, several "silent failure" modes have been reported. For example, the write tool lacks an append mode, causing isolated cron sessions to accidentally overwrite shared workspace files (#40001), and the web_fetch tool blocks private network access without a configuration-level opt-in (#39604).

Key Themes

1. The "Silent Failure" Pattern

Across multiple reports, a recurring theme is the lack of actionable error reporting. Whether it is the sessions_spawn stall (#39248), the web_fetch SSRF block (#39604), or the codex exec sandbox denial (#39317), the system often fails silently or returns misleading errors, forcing users to dive into minified source code or logs to diagnose the root cause.

2. Configuration Fragility

Updating OpenClaw has become a high-risk operation. Between the channels config wipe (#82533) and the openclaw update command breaking the CLI when min-release-age is set in npm (#82630), the update path is currently unstable. There is a strong push for more atomic updates and better pre-flight validation.

3. Multi-Agent Orchestration Complexity

As users move toward complex multi-agent setups, the friction of the "Announce" loop is becoming apparent. Issues like duplicate messages during A2A sessions_send (#39476) and the loss of thread context during sub-agent completion (#33478) indicate that the current handoff logic is too fragile for production-grade autonomous workflows.

Action Required

Immediate Attention (High Severity)

  • Fix channels config wipe: Resolve the migration bug in 2026.5.12 to prevent data loss during updates (#82533).
  • Resolve ENOTSUP Lock Crash: Replace fs.link with a more portable exclusive-create primitive to support network filesystems (#81089).
  • Mitigate Event Loop Pinning: Implement tighter timeouts and staggered startup for Telegram getMe calls to prevent gateway-wide freezes (#82525).
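
The exclusive-create replacement for fs.link suggested in #81089, sketched as an added example (not OpenClaw's own session-lock code). The names tryAcquireLock, addUsage, usage.lock and usage.json are hypothetical, and the usage data is constructed.

```javascript
// Added example with hypothetical names; not OpenClaw's session-lock code.
const fs = require('node:fs');
const path = require('node:path');

// Take the lock by creating lockPath with O_CREAT|O_EXCL (flag 'wx').
// Returns a release() function, or null when another holder exists.
function tryAcquireLock(lockPath) {
  let fd;
  try {
    fd = fs.openSync(lockPath, 'wx', 0o600);
  } catch (err) {
    if (err.code === 'EEXIST') return null; // lock is held
    throw err; // ENOTSUP, EACCES, EROFS: report, do not swallow
  }
  // The token lets release() confirm the file is still this holder's.
  const token = `${process.pid}:${Date.now()}:${Math.random().toString(36).slice(2)}`;
  try {
    fs.writeSync(fd, token);
  } finally {
    fs.closeSync(fd);
  }
  return function release() {
    try {
      if (fs.readFileSync(lockPath, 'utf8') !== token) return false;
      fs.unlinkSync(lockPath);
      return true;
    } catch (err) {
      if (err.code === 'ENOENT') return false; // already gone
      throw err;
    }
  };
}

// Read-modify-write of a shared usage file under the lock (constructed data).
function addUsage(dir, tokens) {
  const release = tryAcquireLock(path.join(dir, 'usage.lock'));
  if (!release) return null; // caller decides whether to retry
  try {
    const file = path.join(dir, 'usage.json');
    const usage = fs.existsSync(file)
      ? JSON.parse(fs.readFileSync(file, 'utf8'))
      : { tokens: 0 };
    usage.tokens += tokens;
    fs.writeFileSync(file, JSON.stringify(usage));
    return usage.tokens;
  } finally {
    release();
  }
}
```

A holder that crashes leaves the lock file behind; reclaiming stale locks needs a separate, race-aware policy and is not shown here. On NFS, O_EXCL is only reliable with NFSv3 or later.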

Blocked or Critical Features

  • Cron Isolation: Implement per-agent jobs.json to prevent cross-tenant task modification (#26370).
  • Secure Exec: Transition from binary-based allowlists to path-scoped RWX permissions to prevent sensitive data exfiltration (#39979).
  • Append Primitive: Add an append tool to prevent the write tool from destroying shared memory files during cron runs (#40001).
