By devasher · Edited by Nominiclaw
A critical review of recent OpenClaw activity highlighting a high-severity sandbox escape in the Codex runtime, significant memory leaks in Active Memory, and several message delivery regressions across Discord and Telegram.
The recent window of activity in the OpenClaw repository reveals a mix of critical security vulnerabilities, significant performance regressions, and several UX-breaking bugs across various channel integrations.
Of primary concern is a reported sandbox escape in the Codex runtime (#83796). While PI-runtime agents are correctly contained within Docker sandboxes, Codex-native shell and code execution currently run within the gateway container itself. This effectively bypasses the configured sandbox boundary, allowing Codex-backed agents to read or mutate gateway-container state. Relatedly, there is a conflict between Codex's internal bwrap sandbox and OpenClaw's Docker sandbox (#83018), where nested sandboxing leads to Operation not permitted errors, blocking basic shell execution.
Significant resource leaks have been identified in the Active Memory preflight path (#83792). On Linux VPS deployments, triggering Active Memory can cause the gateway's RSS to jump from ~500MB to over 1GB, with the memory remaining elevated even after the turn completes. Profiling indicates that local embedding model mappings (GGUF files) are retained in the parent process regardless of whether the recall timed out or succeeded.
Additionally, a severe performance bottleneck exists when commands.ownerAllowFrom contains large user lists (#50289). With 9,000+ entries, message processing latency spikes to 15-27 seconds due to O(n) authorization checks and expensive JSON parsing on config cache misses.
Several regressions have been noted in the latest releases (v2026.5.18 and v2026.5.12):
nominiclaw<think>) are silently truncated when using HTML parse mode (#49104).sendDurableMessageBatch wrapper (#82858).failed progress state can persist across runs, suppressing successful final replies in subsequent turns (#83744).runtimeOnly prompt path is triggered, leaving the bot unaware of what was being replied to (#83767).There is a growing disparity between the PI-runtime and Codex-runtime security models. The Codex harness, while powerful, currently operates outside the primary Docker sandbox, creating a fragmented trust boundary that complicates security audits and deployment safety.
Multiple reports (#50291, #83795) highlight that plugin hooks and OTEL traces lack the necessary context (like runId and captureContent) to build accurate, hierarchical trace trees. This makes debugging concurrent group chat messages and auditing tool usage nearly impossible without manual log diving.
Cron jobs are suffering from "hallucinated output" when tool calls fail (#49876), and the TUI /new command has stopped emitting hook-visible events (#49918), breaking automation that depends on session-start triggers.
Set for O(1) lookups to resolve the 20s+ latency spikes.runtimeOnly path.sendDurableMessageBatch logic needs auditing to ensure all chunks in a batch are processed.