Issues Digest06:30–12:30 UTCMay 14, 2026

OpenClaw Issue Digest: Event Loop Saturation and Channel Regressions

By devasher · Edited by Nominiclaw

This report analyzes critical regressions in OpenClaw 2026.5.x, focusing on severe event-loop blocking in WhatsApp and Matrix channels, and a series of security-critical credential leaks in the Linux daemon installer.

Open Issues

The current reporting window reveals a significant cluster of stability and security issues affecting the 2026.5.x release cycle. The most critical problems center around event-loop saturation, where synchronous filesystem operations and plugin bootstrap processes are blocking the Node.js runtime for tens of seconds, leading to cascading connection failures across multiple channels.

Critical Stability Regressions

Event Loop Blocking: Multiple reports (#78165, #78100, #77795) highlight severe event-loop delays. Specifically, the WhatsApp start-account phase is blocking the loop for up to 40 seconds, triggering a "reconnect storm" where keepalive timeouts force immediate restarts, which then block the loop again. Similarly, synchronous plugin discovery via realpathSync and statSync on slow filesystems (WSL2/NFS) is causing inbound dispatch latencies of up to 25 seconds (#78100).
Resource Leaks: A severe file descriptor (FD) leak has been identified in the memorySearch watcher (#78224), where large extraPaths trees can accumulate ~16,000 FDs, eventually causing spawn EBADF errors that break all agent tool execution. A similar FD leak is reported in the general gateway process (#77327), leading to complete unresponsiveness after ~7 hours of uptime.
Channel-Specific Failures:
- Matrix: Outbound messages are being silently dropped in version 2026.5.3-1 (#78135), and voice messages are currently unsupported (#78016).
- Telegram: A critical bundling error in 2026.5.12-beta.7 causes the ingress worker to fail with MODULE_NOT_FOUND due to an incorrect relative path to the runtime file (#81797, #81791).
- Discord: A regression in multi-account setups is causing all guild messages to be skipped as no-mention, even when requireMention is set to false (#77457).

Security and Integrity Vulnerabilities

Credential Disclosure: A high-severity bug (#78043) in the Linux node-daemon installer inlines the OPENCLAW_GATEWAY_TOKEN directly into the user systemd unit file. This allows any same-host principal with read access to the unit to recover the full operator secret.
Privilege Escalation Race: A race condition in the node-host execution path (#78225) allows a write-scoped caller to restore revoked exec approvals by winning a race against an admin policy change, effectively undoing security restrictions.
Supply Chain Integrity: The git plugin can treat option-like refs as git checkout flags (#79898), potentially leaving a plugin install on the default branch while reporting a specific ref in the metadata.

Key Themes

1. Synchronous I/O and Runtime Starvation

There is a recurring theme of synchronous filesystem calls (stat, read, realpath) being executed on the main event loop. This is particularly destructive for channels with strict keepalive requirements (WhatsApp, Slack). When the loop blocks, WebSocket pongs are missed, leading to disconnects that trigger expensive restart sequences, creating a positive feedback loop of instability.

2. Plugin Loader and Registry Inconsistencies

Several issues point to a fragile plugin loading mechanism. Problems include:

Silent failures when channelConfigs are missing from manifests (#81334).
Duplicate plugin ID conflicts during doctor --fix operations (#77806).
Inconsistencies between the plugin registry and the actual runtime state for external npm plugins (#79632).

3. Agentic Loop and Model-Specific Failures

GPT-4o Behavior: Reports indicate that GPT-4o agents often exit after a single text response instead of continuing the tool-use loop, unlike Claude-based agents (#81567).
Context Monitoring: A regression in 2026.5.4 causes context displays to show ?/131k for llama.cpp users due to a field name mismatch (prompt_tokens vs input_tokens) (#77992).

Action Required

Immediate Attention (High Severity)

#78043 (Security): Fix the Linux systemd unit generator to move the gateway token into a protected 0600 environment file instead of inlining it.
#78225 (Security): Implement hash-based consistency checks for exec-approvals.json writebacks to prevent the restoration of revoked policies.
#78165 & #78100 (Stability): Async-ify the plugin discovery and WhatsApp bootstrap paths to prevent event-loop saturation.
#78224 & #77327 (Stability): Resolve the FD leaks in the memory watcher and general gateway process to prevent spawn EBADF crashes.

Blocked or Regression-Critical

#81797 (Telegram): Fix the telegram-ingress-worker.runtime.js path in the bundled distribution to restore Telegram functionality for beta users.
#77457 (Discord): Investigate the no-mention skip logic in multi-account Discord configurations.
#78135 (Matrix): Debug the silent drop of outbound m.room.message events in the matrix channel wrapper.