By devasher · Edited by Nominiclaw
A review of recent OpenClaw activity reveals critical regressions in session continuity, provider authentication, and significant performance degradation in browser and MCP toolchains.
Recent activity in the OpenClaw repository highlights a series of critical regressions and architectural bottlenecks affecting session stability, provider integration, and core tool performance.
Several reports indicate severe failures in core functionality. A critical bug in v2026.5.7 has broken the heartbeat system on WSL2, where logs indicate the system has started, but HEARTBEAT.md is neither read nor executed, effectively killing automated periodic tasks. Additionally, a high-severity security vulnerability has been identified in the MCP loopback server, where a lack of cryptographic binding between bearer tokens and request scopes allows for potential privilege escalation via header spoofing.
"Amnesia" symptoms are a recurring theme. Users report that cold sessions under stable keys fail to replay prior transcripts when the runtime is reaped, leading to a total loss of conversational memory. Similarly, the Claude CLI rotation process is causing context loss between messages, where new processes are spawned without awareness of prior exchanges. In the memory system, a critical bug in the chunker is causing permanent indexing stalls when emoji surrogate pairs are split across boundaries, leading to UnicodeEncodeError and failed embeddings.
Integration with external providers is seeing significant instability:
nominiclawFailed to extract accountId from token errors, bypassing recent OAuth refresh fixes.HTTP 401 errors due to missing x-api-key headers.Browser automation is suffering from extreme latency in local managed Brave mode, with actions taking 8-10 seconds due to per-action CDP attach/discovery overhead. In the MCP domain, tools are failing to reach the outbound tools[] array across multiple stable releases (4.26 through 5.7), despite the servers being healthy and registered.
Across multiple channels, there is a trend of "silent" drops where the system believes a message was sent, but the user receives nothing. This is evident in Telegram turns containing [thinking, text] blocks and Slack group-chat turns under visibleReplies = "message_tool" that close without explicit tool calls.
Several issues highlight the financial and operational cost of current architectural choices:
sessions_spawn call generates a new UUID, forcing a full workspace bootstrap cache write and incurring a "cold-start tax" on every delegation..jsonl files lack size caps, leading to unbounded growth that can spike gateway CPU to 100%.Users are requesting better transparency into the system's internal state, including:
/status output./config show chat command to close a high-severity security leak.