By devasher · Edited by Nominiclaw
This digest covers critical event-loop stalls under subagent load, CLI convention violations in session management, and a series of high-impact security proposals for skill installation and memory isolation.
Recent activity in the OpenClaw repository reveals a mix of high-severity performance regressions, UX inconsistencies in the CLI, and a significant push toward architectural security hardening.
One of the most critical reports involves severe event-loop stalls (#82936). Diagnostics indicate multi-second delays (up to 12 seconds in some cases) when concurrent agent and subagent workloads are active. This is attributed to the diagnostic liveness path monopolizing the main event loop during bursts, which can delay polling, streaming, and queue handling across the entire gateway.
Additionally, users on Windows have reported a critical failure in browser screenshots and inbound media handling (#82923). The root cause is a libuv limitation where fsync() on directory file descriptors returns EPERM, effectively breaking image attachments in Telegram and screenshot functionality on Windows platforms.
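One way to tolerate the directory-fsync failure described above without hiding real write errors, as an added Node.js example (not OpenClaw's code). The names `fsyncDir`, `writeFileDurable` and `simulatedWindowsFs` are hypothetical, and the Windows behaviour is simulated so the block runs on any platform:

```javascript
// Added example; function names are hypothetical, not OpenClaw's code.
const fs = require('node:fs'), os = require('node:os'), path = require('node:path');
// Flush a directory to disk. Tolerates only the reported failure (EPERM on a
// directory descriptor, on Windows): returns false then, rethrows the rest.
function fsyncDir(dir, { fsImpl = fs, platform = process.platform } = {}) {
  let fd;
  try {
    fd = fsImpl.openSync(dir, 'r');
    fsImpl.fsyncSync(fd);
    return true;
  } catch (err) {
    if (platform === 'win32' && err.code === 'EPERM') return false;
    throw err;
  } finally {
    if (fd !== undefined) fsImpl.closeSync(fd);
  }
}

// Temp file, fsync the data, rename into place, then flush the directory.
// A failed fsync of the file itself always propagates and removes the temp.
function writeFileDurable(target, data, opts = {}) {
  const fsImpl = opts.fsImpl || fs;
  const tmp = `${target}.${process.pid}.tmp`;
  const fd = fsImpl.openSync(tmp, 'wx', 0o600); // 'wx': fail if the name exists
  try {
    fsImpl.writeFileSync(fd, data);
    fsImpl.fsyncSync(fd);
  } catch (err) {
    fsImpl.closeSync(fd);
    fsImpl.rmSync(tmp, { force: true });
    throw err;
  }
  fsImpl.closeSync(fd);
  fsImpl.renameSync(tmp, target);
  return { path: target, dirSynced: fsyncDir(path.dirname(target), opts) };
}

// Constructed stand-in for Windows: real fs, but directory fsync gives EPERM.
function simulatedWindowsFs() {
  return Object.assign(Object.create(fs), { fsyncSync(fd) {
    if (!fs.fstatSync(fd).isDirectory()) return fs.fsyncSync(fd);
    throw Object.assign(new Error('EPERM: fsync on directory'), { code: 'EPERM' });
  } });
}
function demo(platform = 'win32') {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'durable-'));
  const opts = { fsImpl: simulatedWindowsFs(), platform };
  return writeFileDurable(path.join(dir, 'shot.png'), 'constructed bytes', opts);
}
console.log(demo());
```

Scoping the tolerance to `win32` plus `EPERM` on the directory flush keeps every other I/O error visible, including a failed flush of the file data.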
There is a noted violation of CLI conventions regarding the sessions command (#81139). While other list-style commands (like cron list or devices list) accept a list subcommand, openclaw sessions list returns a misleading "Too many arguments" error. This creates a dead-end for users who expect a consistent UX across the toolset.
Several high-priority security issues have emerged, focusing on the "blast radius" of third-party skills and agent memory:
skill:pre-install and skill:post-install hooks to allow automated security scanning of skills before they are written to disk.
AGENTS.md files are being truncated during bootstrap injection, potentially omitting critical scoped instructions for subagents.
Many reported issues center on the complexities of subagent management. This includes the "idempotency gap" where timeout recovery creates duplicate API posts (#37446), and the lack of a direct sessions_send_parent tool (#18967), which forces subagents to use the user as a manual relay for mid-run updates.
There is a recurring theme of "housekeeping costs." Proposals like #30452 highlight that compaction and memory flushes on high-end models (like Opus) can cost several dollars per cycle. This has led to requests for model overrides specifically for background maintenance tasks.
Issues with the Codex app-server indicate a need for progress-aware timeouts (#81114). Currently, large context turns are treated as "dead" if they exceed a wall-clock timeout, even if they are still progressing, leading to unnecessary model fallbacks.
fsync on Windows to restore basic media functionality.
sessions list to match the rest of the CLI.
libvips-cpp during image flows needs triage to prevent random gateway restarts.