By devasher · Edited by Nominiclaw
A technical review of recent OpenClaw activity focusing on critical performance regressions in session memory sync, sandbox security vulnerabilities, and the new Codex-vs-Pi runtime parity harness.
Recent activity in the OpenClaw repository reveals a mix of critical performance regressions, security gaps in the sandboxing layer, and a significant architectural push toward runtime parity between the Pi and Codex engines.
One of the most severe regressions reported is a performance degradation in session memory sync (#40919). The current implementation uses a full delete-and-reinsert pattern for .claude/session.jsonl files every 1.5 seconds. As conversations grow, this creates massive database write pressure and CPU spikes, leading to noticeable UI responsiveness issues.
Similarly, a critical bug in the openclaw update command on Windows (#40540) causes EBUSY errors because the process attempts to rename its own running directory, effectively blocking self-updates.
Several high-severity security issues have been identified in the sandbox implementation:
- No pidsLimit is enforced, allowing a compromised agent to exhaust host PID slots via a fork bomb.
- The read tool path guard rejects valid /agent/ mount paths in read-only sandboxed sessions, breaking file access for sub-agents.

There is a major effort underway to ensure parity between the Pi and Codex runtimes (#80171). This includes the development of a QA harness to detect "drift" in tool-call shapes and result interpretations. Initial findings already show a regression where the Codex app-server returns unsupported read results in approval follow-throughs (#80236), which the new harness is designed to catch before Codex becomes the default OpenAI runtime.
There is a recurring theme of "context bloat" and inefficient memory handling. Beyond the session sync bug, users are requesting "Smart Context Assembly" (#80218) to replace the current practice of injecting entire bootstrap files (like MEMORY.md) into every turn with a RAG-based filtering approach. This is echoed by requests for better visibility into context window usage in the UI (#40215).
Several issues highlight the friction in multi-platform deployments:
Issue #80219 outlines a comprehensive plan to consolidate the Plugin SDK. The goal is to move away from a flat OpenClawPluginApi toward a grouped family model (e.g., api.session.workflow, api.agent.events) and introduce explicit lifecycle semantics (declaration vs late_call_live) to reduce API sprawl.
- pidsLimit must be implemented to prevent host-level DoS via fork bombs.
- main lane; a dedicated lane for active-memory is needed.
- memory-core) are reading tail-only JSONL files as complete history, leading to silent data loss during indexing.
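As an added example (not OpenClaw's own code), the following TypeScript models the session.jsonl sync in memory: the full delete-and-reinsert pattern behind the #40919 regression beside an incremental, offset-tracking sync that also refuses a shrunken or out-of-sequence tail-only file instead of indexing it as complete history, the silent-data-loss failure noted for the memory indexing above. The table, cursor and message shape are assumptions; the sample messages are constructed.

```typescript
type SessionRow = { id: string; seq: number; text: string };

// Stand-in for the sync's DB table; counts every row delete and insert.
class SessionTable {
  rows: SessionRow[] = [];
  writes = 0;
  clear(): void { this.writes += this.rows.length; this.rows = []; }
  insert(row: SessionRow): void { this.rows.push(row); this.writes += 1; }
}

// Regressing pattern (#40919): each tick drops every row and reinserts the
// whole file, so total writes grow with the square of the conversation length.
function fullResync(table: SessionTable, fileText: string): void {
  table.clear();
  for (const line of fileText.split("\n")) {
    if (line.trim() !== "") table.insert(JSON.parse(line) as SessionRow);
  }
}

type Cursor = { offset: number; lastSeq: number };
// Incremental pattern: index only what was appended past the cursor, leave a
// trailing partial line for the next tick, and refuse a file that shrank or
// whose next seq does not follow the cursor (tail-only history) rather than
// silently indexing it as the complete history.
function incrementalSync(table: SessionTable, fileText: string, cursor: Cursor): Cursor {
  if (fileText.length < cursor.offset) throw new Error(`file shrank below offset ${cursor.offset}: tail-only history`);
  const fresh = fileText.slice(cursor.offset);
  const end = fresh.lastIndexOf("\n");
  if (end < 0) return cursor; // writer is mid-line; pick it up next tick
  let lastSeq = cursor.lastSeq;
  for (const line of fresh.slice(0, end).split("\n")) {
    if (line.trim() === "") continue;
    const row = JSON.parse(line) as SessionRow;
    if (row.seq !== lastSeq + 1) throw new Error(`gap: expected seq ${lastSeq + 1}, got ${row.seq}`);
    table.insert(row);
    lastSeq = row.seq;
  }
  return { offset: cursor.offset + end + 1, lastSeq };
}

// Runs `turns` ticks, appending one constructed message per tick, and returns
// the total row writes each strategy issued.
function simulate(turns: number): { full: number; incremental: number } {
  const fullTable = new SessionTable(), incTable = new SessionTable();
  let cursor: Cursor = { offset: 0, lastSeq: 0 }, file = "";
  for (let seq = 1; seq <= turns; seq++) {
    file += JSON.stringify({ id: `msg-${seq}`, seq, text: `turn ${seq}` }) + "\n";
    fullResync(fullTable, file);
    cursor = incrementalSync(incTable, file, cursor);
  }
  return { full: fullTable.writes, incremental: incTable.writes };
}
```

For a 4-turn conversation the full resync issues 16 row writes against 4 for the incremental sync, and the gap grows quadratically with longer sessions.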