Summary

I ran a community architecture health check against openclaw/openclaw using agchk from huangrichao2020/agchk@8c3a97f after the fast file-walker optimization landed on main.

Important framing: this is an architecture and maintainability audit, not a security vulnerability report. The 100/100 score below is agchk's maturity signal for visible agent-runtime primitives, not a claim that the repo has no issues. The useful part is the concrete audit leads and false-positive calibration notes.

Reproduction

git clone --depth 1 https://github.com/openclaw/openclaw.git /tmp/openclaw-agchk-audit
git clone https://github.com/huangrichao2020/agchk.git /tmp/agchk-main
cd /tmp/agchk-main
uv run agchk /tmp/openclaw-agchk-audit \
  --profile personal \
  -o /tmp/agchk-openclaw-output/audit_results.json \
  -r /tmp/agchk-openclaw-output/audit_report.md

Scan metadata:

• agchk source: huangrichao2020/agchk@8c3a97f
• OpenClaw source scanned: openclaw/openclaw@42f87c07
• Profile: personal_development
• Scanner count: 27
• Reported scan duration: 386.72s
• Wall time on my local Mac: 491.17s

Raw severity summary:

agchk also classified OpenClaw as 人工智能时代 (100/100), mainly because it detects mature agent-runtime primitives: tool/syscall boundaries, memory lifecycle governance, multilingual retrieval, RAG governance, daemon lifecycle safety, plugin sandbox policy, remote tool boundaries, traces/evals, stateful recovery, and LLM CLI worker patterns.

Manually triaged audit leads

These are the parts that looked concrete enough to be useful after spot-checking the scan output.

1. Tracked root-level one-off repair script

fix2.py is tracked at the repo root and directly rewrites src/infra/heartbeat-runner.ts with a string replacement:

• fix2.py:60-82
• fix2.py:84

That looks like a temporary migration/repair script that may have accidentally stayed in the root source tree. If it is still needed, it may belong under a documented scripts/migrations path with an idempotency check. If not, it looks removable.

2. Browser evaluate path uses dynamic function reconstruction

The browser interaction path reconstructs functions with new Function(...) and then evaluates fnBody in the browser context:

• extensions/browser/src/browser/pw-tools-core.interactions.ts:856-864
• extensions/browser/src/browser/pw-tools-core.interactions.ts:896-904

This may be intentional for a browser automation tool, and I am not claiming it is a vulnerability. The audit question is narrower: is the trust boundary for fnBody documented and tested, especially for remote/browser-control use cases? If this input can come from an untrusted or remotely-triggered source, the path deserves an explicit policy/test around allowed callers and target origin constraints.

3. Slash-command dispatch is split across local queueing and gateway RPC

ui/src/ui/app-chat.ts has a client-side command queue/dispatch path:

• queued local command dispatch: ui/src/ui/app-chat.ts:278-307
• direct command dispatch: ui/src/ui/app-chat.ts:360-379
• command switch and gateway execution handoff: ui/src/ui/app-chat.ts:410-450

This may already be protected by server-side method scopes. The useful review question is whether the client-visible command catalog, queueing behavior, and gateway method-scope enforcement are covered by one canonical policy contract, particularly for commands such as /kill, /redirect, /model, and /compact.

4. Secret findings mostly look like test fixtures

The critical bucket is dominated by fake tokens in tests, for example:

• src/infra/push-apns.store.test.ts:28
• src/config/redact-snapshot.test.ts:563-564
• src/agents/openclaw-tools.sessions.test.ts:687

That does not look like a production credential leak. It is still useful as an audit-tool calibration point: either agchk should down-rank obvious *.test.ts fixtures by default, or OpenClaw can add explicit fixture/allowlist markers where it wants scanners to understand the intent.

Why I am opening this

I am also opening a tiny docs PR to list agchk as an optional community architecture audit tool in the README ecosystem/community area. Linking it to this issue gives maintainers a concrete OpenClaw scan result and a few manually triaged leads instead of a generic external-tool listing.

If this is not the right place for community audit results, feel free to close it. The main intent is to make the result reproducible, useful, and honest about both findings and false positives.