Exec Policy Bypass
Exec policy checks only the first token of the command (base command). Wrappers like sudo, absolute paths (/bin/rm), shell -c invocations or chained commands may bypass allow/deny logic. Deny rules should inspect the full command and normalized executable name.

Approval Flow
The approval path for high-risk commands always creates a pending/deny result after notifying channels and never inspects external overrides. There's no polling/confirmation hook or state check to flip an approval once a human responds; this will cause safe-but-time-consuming operations to be denied by default.

Logger Initialization Order
StructuredLogger is instantiated in the adapter init before normalize_env() is applied in run(). As a result the normalized OPENCLAW_REDACT_LOGS value set by normalize_env() may not be picked up by the logger, leading to inconsistent redaction behavior between startup and runtime.

Lifecycle Cancellation
The lifecycle background task is cancelled but not awaited on shutdown; cancelling without awaiting can leave incomplete tasks or unhandled exceptions. Also sending the final lifecycle update inside finally may fail if the WS is already closing; should guard send with connection state/error handling.

Webhook Error Handling
Discord/Telegram notification calls post messages but do not validate responses or raise on non-2xx results. This can silently drop approvals or hide downstream failures (network errors, bad webhook URL, auth issues).
Originally posted by @CodeAnt-AI in #27 (comment)
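The exec-policy finding above, as an added example that is neither OpenClaw's code nor the reviewer's: `naive_denied` is the first-token pattern the review flags, and `hardened_denied` normalizes the executable name and inspects wrappers, `sh -c` script arguments and chained commands before consulting the deny list. The deny list and the wrapper and shell sets are constructed for the demo.

```python
import os
import shlex

DENY = {"rm", "shutdown", "mkfs"}                    # constructed deny list for the demo
WRAPPERS = {"sudo", "env", "nohup", "nice", "time"}  # tools that merely prefix the real program
SHELLS = {"sh", "bash", "zsh", "dash"}

def naive_denied(cmd: str) -> bool:                  # the bypassable pattern: first token only
    return bool(cmd.split()) and cmd.split()[0] in DENY

def _simple_commands(tokens):
    """Split on ; && || | & ( ) into simple commands; drop redirects and their targets."""
    seg, skip = [], False
    for tok in tokens:
        is_op = bool(tok) and all(c in "();<>|&" for c in tok)
        if skip:
            skip = False                             # this token is a redirect target
        elif is_op:
            skip = tok[0] in "<>"                    # >, >>, 2>&1 consume the next token
            if seg and not skip:
                yield seg
                seg = []
        else:
            seg.append(tok)
    if seg:
        yield seg

def executables(cmd: str) -> set:
    """Normalized names of every program the line could run (over-approximates)."""
    lex = shlex.shlex(cmd, posix=True, punctuation_chars=True)  # shell-style tokens
    lex.whitespace_split = True
    found = set()
    for seg in _simple_commands(list(lex)):
        name = os.path.basename(seg[0])              # /bin/rm and rm are the same program
        if name in SHELLS and "-c" in seg[:-1]:
            found |= executables(seg[seg.index("-c") + 1])  # inspect the inner script
        elif name in WRAPPERS:
            # wrapper option syntax differs per tool: fail closed, every non-flag operand is a candidate
            for tok in seg[1:]:
                if not tok.startswith("-") and "=" not in tok:
                    found |= executables(tok)
        else:
            found.add(name)
    return found

def hardened_denied(cmd: str) -> bool:               # deny if any program the line runs is denied
    try:
        return bool(executables(cmd) & DENY)
    except ValueError:                               # unbalanced quotes: deny, do not allow
        return True
```

Because wrapper operands are treated conservatively, a line such as `sudo cat rm` is also denied; for a deny rule that is the safe direction to err.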