openclaw - 💡(How to fix) Fix bug(gateway): Port-liveness probe flashes cmd.exe window and triggers DEP0190 on Windows [1 participants]

Description

On Windows, the OpenClaw gateway's port-liveness probe spawns cmd.exe → netstat.exe → findstr.exe repeatedly. Two side effects:

1. Visible cmd.exe window flashing — the spawn is missing windowsHide: true, so a console briefly pops up every probe cycle.
2. Node DEP0190 DeprecationWarning — the probe uses child_process with { shell: true } and an args array, so Node 24+ emits the security warning about unescaped arg concatenation.

Command observed (captured via console window title):

findstr /R /C:":18789 .*LISTEN"

This is the probe confirming the gateway port (18789) is listening. The same probe is likely used after openclaw gateway start/restart for readiness checks.

Environment

• OpenClaw: 2026.4.21 (npm global install, pnpm channel: beta)
• OS: Windows 11 (10.0.26220), x64
• Node.js: v24.13.0
• Gateway: Running as Scheduled Task with InteractiveToken logon

Log Evidence

From C:\tmp\openclaw\openclaw-2026-04-22.log:

13:14:02 (node:25540) [DEP0190] DeprecationWarning: Passing args to a child process
         with shell option true can lead to security vulnerabilities, as the arguments
         are not escaped, only concatenated.
         (Use `node --trace-deprecation ...` to show where the warning was created)

Source location (from log meta):

• File: dist/subsystem-CO_UZhIr.js
• Line: 155, column 68
• Full path: C:\Users\info\AppData\Roaming\npm\node_modules\openclaw\dist\subsystem-CO_UZhIr.js:155:68

Steps to Reproduce

1. Install OpenClaw 2026.4.21 globally on Windows 11.
2. Start the gateway (openclaw gateway start).
3. Observe:
   • Brief cmd.exe windows flashing whenever the gateway probes port 18789.
   • DEP0190 warning in C:\tmp\openclaw\openclaw-YYYY-MM-DD.log.

Expected

• Probe should run silently with windowsHide: true.
• No DEP0190 warning — args either passed as a single pre-joined command string (keeping shell: true) or passed as an array with shell: false.

Proposed Fix

In dist/subsystem-CO_UZhIr.js around line 155 (or wherever the port probe is defined in source), update the child_process.spawn/exec options:

```js // Before (hypothetical — matches the DEP0190 + window-flash pattern) spawn('cmd.exe', ['/c', 'netstat', '-ano', '|', 'findstr', '/R', '/C:":18789 .*LISTEN"'], { shell: true, });

// After — Option A: drop shell, use shell: false with direct args spawn('netstat', ['-ano'], { windowsHide: true }) .stdout.pipe(spawn('findstr', ['/R', '/C::18789 .*LISTEN'], { windowsHide: true }).stdin);

// After — Option B: keep shell, pass a single command string (Node doesn't warn) spawn('netstat -ano | findstr /R /C::18789 .*LISTEN', { shell: true, windowsHide: true }); ```

Either option silences DEP0190 and hides the window. Option A is cleaner (avoids shell entirely). Option B is a one-line change.

Related Issues

• #40340 — acpx spawns missing windowsHide: true (different code path — acpx, not gateway)
• #44693 — restart script spawns (different code path — restart, not liveness probe)
• #57682 — update-cli restart spawns (different code path)
• #25856 — CLOSED, was ARP scan window flash (different feature)

None of the above cover the gateway's port-liveness probe path, and none focus on DEP0190.

Workaround

None practical — the probe runs frequently and can't be disabled without breaking the gateway watchdog.