Version: confirmed in 2026.4.29 (active install at /opt/homebrew/lib/node_modules/openclaw/dist/); same pattern present in 2026.4.11 (npm-installed copy at ~/.nvm/.../openclaw/dist/). First observed 2026-04-26 with a stale claude-local session entry that had a non-string model.

Stack location:

• Crash site (display path): dist/model-selection-display-CZKOmf9u.js:3 (and lines 4, 11, 12, 19) —

  const runtimeModel = params.runtimeModel?.trim();

  The ?. only protects against null/undefined. If runtimeModel is e.g. an object ({provider, model, baseUrl}), .trim is undefined → TypeError: runtimeModel?.trim is not a function.

• Same bug also at dist/model-selection-sqz--Abu.js:52 (resolver path; resolvePersistedModelRef).

• Caller: dist/commands/status.summary.runtime.js:75-89 →

  function resolveSessionModelRef(cfg, entry, agentId) { … }
    runtimeProvider: entry?.modelProvider,
    runtimeModel: entry?.model,
    overrideProvider: entry?.providerOverride,
    overrideModel: entry?.modelOverride,

  These are passed unchecked from ~/.openclaw/agents/<agent>/sessions/sessions.json entries.

Repro: put any non-string value (object, number) in model/modelProvider/providerOverride/modelOverride of any session entry in any agent's sessions.json, then run openclaw status. (We did not corrupt live state to confirm — diagnosis is from reading the dist code; the historical crash on 2026-04-26 matched the same path.)

Suggested fix: replace the unsafe ?.trim() calls with a string-narrowing helper. Apply at minimum to:

• model-selection-display.ts — runtimeModel, runtimeProvider, overrideModel, overrideProvider, fallbackModel
• model-selection.ts — runtimeModel, runtimeProvider, overrideModel, overrideProvider in resolvePersistedModelRef (and defaultProvider.trim() should also tolerate undefined).

const trimString = (v: unknown): string | undefined =>
  typeof v === "string" ? v.trim() || undefined : undefined;

Why it matters:

• A single bad session entry takes down the entire openclaw status CLI — the primary diagnostic surface — for all agents.
• The data shape that triggers it is reachable from upstream code paths (pi-embedded-runner writes runtime model objects in some flows); a downstream serialization or session-rotation bug can leave entries in this shape, and then status is unusable until someone manually edits the JSON.
• Defense-in-depth: status should never crash. It's the tool you reach for when something else is broken.

Workaround applied locally (2026-04-26): VOSS normalized the bad claude-local session entry. As of 2026-05-02 all 12 agent sessions.json files are clean (verified via jq), so the crash does not currently reproduce here — but the unsafe code path remains in 2026.4.29.