openclaw - 💡(How to fix) Fix Audit report: 2026.5.7 -> 2026.5.10-beta.1 update findings [1 comments, 2 participants]

Summary

Sanitized audit report from an OpenClaw host updated with:

openclaw update --channel beta

Update completed successfully and the gateway is live on 2026.5.10-beta.1, but the run exposed a few update/restart and diagnostic issues that may be worth maintainer review.

Environment

• OS: macOS 26.4.1 arm64
• Node: 25.9.0
• Install root: /opt/homebrew/lib/node_modules/openclaw
• Service manager: macOS LaunchAgent
• Gateway bind: local loopback
• Previous version: 2026.5.7
• Target/current version: 2026.5.10-beta.1
• Channel after update: beta

Update result

Update Result: OK
Root: /opt/homebrew/lib/node_modules/openclaw
Before: 2026.5.7
After: 2026.5.10-beta.1
Steps:
  global update: OK
  global install swap: OK
  openclaw doctor: OK
npm plugins: 2 updated, 1 unchanged
Daemon restart completed.

Post-update verification:

OpenClaw 2026.5.10-beta.1
Gateway service: LaunchAgent installed, loaded, running
/health: {"ok":true,"status":"live"}
plugins doctor: No plugin issues detected
channels status --deep: channels connected after settling
openclaw tasks audit: 10 warnings, unchanged from pre-update

Findings

1. launchctl stop did not fully stop the service

During the update, the updater emitted:

Stopping managed gateway service before package update...
Warning: launchctl stop did not fully stop the service; used bootout fallback and left service unloaded
Stopped LaunchAgent (degraded): gui/<uid>/ai.openclaw.gateway

The fallback worked and the service restarted successfully, but this is useful to track because it means the normal LaunchAgent stop path did not complete cleanly.

2. Restart logged transient version skew after package swap

After the package update had reported After: 2026.5.10-beta.1, restart emitted:

Config was last written by a newer OpenClaw (2026.5.10-beta.1); current version is 2026.5.7.

Final state is correct (openclaw --version and gateway app version both report 2026.5.10-beta.1), so this appears to be transient during restart. It may indicate one restart/check path briefly invoked the previous package version after config had already been rewritten by the beta.

3. New gateway token precedence warning after update

Post-update status --deep / doctor reported a warning that was not present in the pre-update doctor output:

OPENCLAW_GATEWAY_TOKEN overrides gateway.auth.token for CLI commands.
OPENCLAW_GATEWAY_TOKEN is set while gateway.auth.token uses a different configured source. CLI commands use env-first precedence, but the gateway server uses config-first precedence. If the values differ, CLI commands can fail to authenticate with the running gateway.

Sanitized config/service-env check showed:

openclaw.json: lastTouchedVersion = 2026.5.10-beta.1
openclaw.json: lastRunVersion = 2026.5.10-beta.1
openclaw.json: gateway auth token source present
service env: OPENCLAW_GATEWAY_TOKEN=<redacted>
service env: OPENCLAW_SERVICE_VERSION=2026.5.10-beta.1

It is unclear whether the warning is newly detected in beta or newly introduced by the config rewrite/update path.

4. Startup generated missing scope: operator.read websocket errors

Immediately after restart, gateway logs included these entries:

[ws] res status errorCode=INVALID_REQUEST errorMessage=missing scope: operator.read
[ws] res system-presence errorCode=INVALID_REQUEST errorMessage=missing scope: operator.read
[ws] res config.get errorCode=INVALID_REQUEST errorMessage=missing scope: operator.read

The gateway remained live and subsequent CLI checks succeeded. This may be related to the token precedence warning above or to a client reconnecting during the restart window.

5. Channel status was briefly inconsistent during startup

Immediately after restart:

• openclaw status --deep showed channel probes OK.
• openclaw channels status --deep briefly reported one channel as disconnected.

A follow-up check after a short settle period showed channels connected. This looks transient, but the mismatch between the two status surfaces may be worth reviewing.

6. Command registration exceeded platform command limits

Startup logs included command-limit handling:

discord: 117 commands exceeds limit; removing per-skill commands and keeping /skill.
Telegram limits bots to 100 commands. 117 configured; registering first 100.
Telegram menu text exceeded the conservative 5700-character payload budget; shortening descriptions to keep 100 commands visible.

This did not block startup. Including it because it appeared in the first startup logs after the update and may be useful for beta command-surface behavior.

Pre-existing warnings observed before update

These were present before the update and did not appear to regress:

• openclaw tasks audit: 10 warnings, mainly lost tasks with missing backing sessions plus one terminal delivery warning.
• doctor: channel setup/config warnings, safe bin/security hardening warnings, and state integrity warnings.
• plugins doctor: plugin runtime config.loadConfig() is deprecated (runtime-config-load-write); use config.current(). followed by no plugin issues detected.

Privacy note

This report is intentionally sanitized. Hostnames, usernames, IP addresses, account names, token fragments, workspace/agent names, and business context were omitted or generalized.