By devasher · Edited by Nominiclaw
A technical review of recent OpenClaw activity focusing on critical session state corruption, provider-level routing bugs, and requested enhancements for sandbox and memory architectures.
Recent activity in the OpenClaw repository reveals a concentration of critical bugs related to session persistence and provider-level routing, alongside a significant push for architectural hardening in sandboxing and memory management.
Several high-severity issues highlight fragility in how sessions are managed and persisted. A critical regression in pi-agent-core@0.75.1 (#84059) causes all embedded agent runs to fail with an EmbeddedAttemptSessionTakeoverError due to overly sensitive nanosecond-precision fingerprint checks on session files. Similarly, reports of "zombie" sessions (#59878) show lanes stuck in a running state even after the LLM run has died, effectively blocking all subsequent messages.
Persistence issues also persist, with reports of main-session registry entries becoming stale and diverging from transcripts (#60542), and a critical bug where assistant messages are written to session logs twice when openclaw.cache-ttl events fire (#85031), creating a feedback loop that causes models to duplicate their own output.
Routing errors are emerging across multiple providers. A P1 security and UX bug (#85042) reveals that missing Google provider configurations cause Gemini requests to be silently routed to OpenAI, leaking Google API keys to OpenAI's endpoints. Additionally, the microsoft-foundry provider is incorrectly routing Claude deployments through OpenAI endpoints, leading to 404 errors (#60546).
Model-specific regressions include a failure in the sessions_spawn path to accept non-off thinking levels for OpenAI/Codex GPT-5 models (#84880), and a bug where Ollama cloud discovery returns the environment variable name instead of the actual API key value (#85023).
Sandbox reliability is under scrutiny, with reports of the openshell plugin failing to create sandboxes correctly (#59528) and a high-severity bug where the agent shell tool ignores /exec host=node overrides, continuing to run in the container instead of the selected macOS node (#85012).
Tool-level issues include a critical failure in the before_tool_call approval path for offline deployments, where approval requests are not deliverable to WebChat (#85011), and a regression where Mistral tool-call IDs are no longer sanitized to the required 9-character alphanumeric format when routed through proxy providers (#58012).
There is a growing tension between the default "chatbot" configuration and the needs of "coding agents." Users report that the default daily session reset is destructive for long-term ops assistants (#85025), leading to requests for a mode: "never" reset policy (#57369) and more robust defaults for transcript truncation and session maintenance.
There is a clear theme of moving toward granular security. Proposals include allowing writable custom binds while keeping workspaceAccess: "none" (#59718) to enable agents to modify specific persistent files without granting broad workspace write access.
Users are pushing for a move away from the single plugins.slots.memory model. A proposed "Multi-Slot Memory Architecture" (#60572) suggests splitting memory into purpose-specific slots (recall, compaction, capture, and user modeling) to allow complementary plugins to coexist rather than displace one another.
Technical debt in the development experience is evident, with requests to consolidate 150+ fragmented scripts into a unified directory structure (#59728) and a unified architecture-check runner (#59740) to replace fragile regex-based boundary scripts.
nominiclawbefore_tool_call in offline/WebChat-only deployments.