A comprehensive review of recent OpenClaw activity focusing on critical routing bugs in Discord and Telegram, memory management instability on Apple Silicon, and security gaps in sandbox execution.
Open Issues
Recent activity in the OpenClaw repository reveals a series of high-severity regressions and architectural gaps affecting core routing, memory stability, and the sandbox environment.
Routing and Channel Regressions
Several critical issues have emerged regarding how messages are routed and delivered across different channels:
- Discord Mention Gating (#44502): A P1 regression where Discord preflight logic is too permissive, allowing messages to be routed to agents even when they aren't the intended target (e.g., when another agent is mentioned or a mention appears in quoted text).
- Telegram Session Pollution (#41165): A significant routing bug where Telegram direct messages are incorrectly routed into the agent:main:main session, polluting heartbeat contexts and increasing token costs.
- Telegram Forum Topic Loss (#83302): Inbound Telegram forum-topic delivery can lose topic context when OriginatingTo is flattened, causing replies to be misplaced or invisible.
- Feishu Command Queueing (#42803): A regression in v2026.3.8 where Feishu text commands like /stop no longer bypass the queue during active agent runs, rendering them useless for aborting long tasks.
Memory and Stability Issues
Stability on Apple Silicon and general memory management have become focal points:
- Apple Silicon Crashes (#42202): Local memory embeddings on macOS can crash the gateway due to native assertions in ggml-metal / node-llama-cpp. The current stable recovery requires disabling the Metal path for embeddings.
- Memory Management Chaos (#43747): Reports of inconsistent memory behavior among users: some get SQLite storage while others get daily markdown files, indicating that memory management is not strictly defined.
- Hybrid Search Penalties (#44540): Multimodal results (images/audio) are being penalized by the BM25 component in hybrid search, effectively hiding them from results unless vector weights are aggressively increased.
Sandbox and Security Gaps
Security and operational stability in the sandbox environment are under scrutiny:
- Sandbox Container Exits (#43996): A P1 bug where sandbox containers exit immediately with "operation not permitted" when the --security-opt no-new-privileges flag is applied.
- Exec Approval Race Condition (#44749): A critical data loss bug where concurrent allow-always approvals result in a "last-write-wins" race in exec-approvals.json, silently deleting previously approved binaries.
- Credential Exposure (#43794): A high-priority request to implement config encryption for credentials at rest, as tokens and API keys are currently stored in plaintext.
Key Themes
1. The "Chat-First" vs. "Tool-First" Conflict
There is a recurring theme of agents "confabulating" actions on chat surfaces. Issue #41824 highlights that agents on Telegram often narrate actions (e.g., "I sent the note") without actually executing the tool, a behavior not seen in CLI-based harnesses like Claude Code. This suggests a fundamental difference in how context is constructed or how tool-call ordering is enforced on chat surfaces.
2. Resource and Context Exhaustion
Several reports point to the fragility of the system under heavy load or large data:
- Browser Context Bloat (#41949): Browser interactions can exhaust model context by injecting too much raw page content.
- Memory Bloat (#44820): Session files (.reset.*, .deleted.*) are not being cleaned up, leading to disk bloat.
- Gateway Event Loop Blocks (#78100): Synchronous filesystem discovery for plugins is blocking the event loop on slow filesystems (WSL2), causing WhatsApp disconnects.
3. Multi-Agent Orchestration Gaps
As users move toward complex multi-agent setups, gaps in the framework are appearing:
- Agent-to-Agent (A2A) Handoffs (#44309): The current sessions_send semantics force a "ping-pong" reply-back lifecycle, which is unsuitable for one-way task dispatch.
- Tool Inheritance (#44534 / #42553): A need for selfDeny capabilities where an orchestrator can delegate tools to subagents but is blocked from using them directly.
Action Required
High Severity / Blockers
- #44749 (Exec Approval Race): Immediate attention needed to implement file locking or re-read-before-write logic to prevent silent loss of security allowlists.
- #43996 (Sandbox Exit): Critical fix required for the no-new-privileges flag to restore sandbox functionality for Linux users.
- #44502 (Discord Routing): Tighten preflight mention detection to prevent incorrect agent routing.
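
The fix suggested for #44749, sketched as an added example (not OpenClaw's code): an exclusive lock file, a re-read under the lock and an atomic rename, next to the last-write-wins pattern it replaces. The { allow: [...] } schema, the function names and the binary paths are assumptions made for illustration.

```javascript
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Added example, not OpenClaw code. Assumed schema: { "allow": ["/abs/path", ...] }
function readAllow(file) {
  if (!fs.existsSync(file)) return [];
  return JSON.parse(fs.readFileSync(file, 'utf8')).allow ?? []; // throws on corrupt JSON
}

// Racy pattern: the caller's stale snapshot overwrites whatever is on disk.
function approveFromSnapshot(file, snapshot, binary) {
  fs.writeFileSync(file, JSON.stringify({ allow: [...snapshot, binary] }));
}

// Hardened: take an exclusive lock, re-read, merge, then replace atomically.
function approveLocked(file, binary, retries = 200) {
  const lock = `${file}.lock`;
  let fd;
  for (let i = 0; fd === undefined; i++) {
    try {
      fd = fs.openSync(lock, 'wx', 0o600); // O_CREAT|O_EXCL: one holder at a time
    } catch (err) {
      if (err.code !== 'EEXIST' || i >= retries) throw err;
      Atomics.wait(new Int32Array(new SharedArrayBuffer(4)), 0, 0, 10); // sleep 10 ms
    }
  }
  try {
    const merged = [...new Set([...readAllow(file), binary])].sort();
    const tmp = `${file}.${process.pid}.tmp`;
    fs.writeFileSync(tmp, JSON.stringify({ allow: merged }, null, 2), { mode: 0o600 });
    fs.renameSync(tmp, file); // readers see the old or the new file, never a partial one
    return merged;
  } finally {
    fs.closeSync(fd);
    fs.unlinkSync(lock);
  }
}

// Constructed demo: two approvers both start from the same empty snapshot.
function demo() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'approvals-'));
  const [racy, safe] = ['racy.json', 'safe.json'].map((n) => path.join(dir, n));
  const snapshot = readAllow(racy);
  approveFromSnapshot(racy, snapshot, '/usr/bin/git');
  approveFromSnapshot(racy, snapshot, '/usr/bin/jq'); // silently drops /usr/bin/git
  for (const bin of ['/usr/bin/git', '/usr/bin/jq']) approveLocked(safe, bin);
  return { racy: readAllow(racy), safe: readAllow(safe) };
}
```

A crash while the lock is held leaves the .lock file behind, so a production version also needs stale-lock recovery.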
Blocked / High-Impact
- #42202 (Metal Crashes): Official guidance or a config toggle to disable Metal for embeddings on Apple Silicon is needed to prevent gateway crash-loops.
- #41165 (Telegram Pollution): Fix routing to ensure Telegram DMs are strictly isolated from the main/heartbeat session.
- #83035 (Node.js ESM Translator): Resolve the ERR_INTERNAL_ASSERTION crash affecting users on Node 22.18+ and Node 24.