Agents silently mutate openclaw.json config (model/auth settings changed without user consent)

[fwends]

Problem

Agents are silently modifying ~/.openclaw/openclaw.json — specifically changing agent model settings and the agents list — without any user action or consent. This causes the entire system to break.

Real-world impact: Config has been corrupted 15+ times in a single morning session, causing 4+ hours of lost productivity. Every time the config gets changed, the user has to diagnose what broke, find which field was overwritten, and manually restore it.

What's happening

• Main agent model field gets changed (e.g. set to kimi-coding/kimi-for-coding when it should be minimax/MiniMax-M2.5)
• Auth profiles lose providers (e.g. anthropic profile disappears from auth-profiles.json)
• The agents list in openclaw.json fluctuates wildly — goes from 10 agents down to 1, then back to 8, then none work
• No log, no warning, no indication that the config was modified
• Nothing in the UI indicates a write happened

Root cause hypothesis

Everything lives in one monolithic openclaw.json. Any agent or gateway process that writes config rewrites the whole file. With multiple agents running concurrently, they race each other — last writer wins — and whichever agent wrote last dictates what models, auth, and agent list the whole system sees.

Proposed fix: separate per-agent config files

Instead of one shared openclaw.json, consider:

• One file per agent: ~/.openclaw/agents/<id>/config.json — owned by that agent only, never touched by other agents
• One function, one export per config concern: model selection, auth, agent list, routing — each in its own file/module with a single owner
• A read-only master registry that lists agent IDs but delegates all per-agent settings to per-agent files
• The gateway assembles the full picture at runtime but never merges everything back into one file

This way:

• Agent A changing its model can't affect Agent B
• The agents list can't be accidentally truncated by a concurrent write
• Each agent config is independently lockable/auditable

Current impact

• 10 agents configured → agents list gets overwritten → drops to 1, then 3, then 8, then 0
• Main agent model resets to wrong provider
• Auth profiles lose entries
• Result: nothing works until manually diagnosed and restored

Suggested immediate mitigations

1. Write guard: Log every write to openclaw.json with a stack trace
2. Atomic writes with diff check: Before saving, diff against on-disk state and warn if unexpected fields changed
3. Audit all config.save() callsites — any agent-triggered path that can overwrite user-set model fields or the agents list is a bug
4. Lock file or mutex around config writes to prevent concurrent overwrites

[fwends]

Additional hypothesis: agents overwrite without reading first

Another likely cause: agents are writing openclaw.json without reading the current file first. They construct a config object from their own in-memory state and write it out — which silently deletes everything else that was in the file.

So if Agent A has an in-memory view that only knows about 3 agents, and it saves config, it writes those 3 agents and the other 7 are gone. No merge, no read-modify-write — just a blind overwrite.

This explains:

• Why the agents list drops suddenly (writer only knew about a subset)
• Why model settings revert (writer had stale in-memory state from startup)
• Why auth profiles lose entries (same pattern)

The fix must enforce read-modify-write for any config save — always read the current file, merge changes at the field level, then write. Or better, move to per-agent files so there's nothing to merge.

[fwends]

Another example: agents adding unrecognized keys

Just happened again. An agent added a "relay" key at the root of openclaw.json:

"relay": {
  "enabled": true,
  "port": 7881,
  "path": "/relay/message"
}

This key is not in the config schema, so the gateway rejected the entire config as invalid — nothing worked until it was manually removed.

This is the same blind-overwrite pattern: the agent wrote its own config without reading/validating against the existing schema, added a key that doesn't belong, and broke the whole system.

The config validator should reject writes that introduce unrecognized root-level keys, not just reject reads.

[kaykas]

Real-world data point: 10 crashes in one day, multi-agent setup

Adding concrete crash data to support this issue.

Setup: 3 agents on one Mac mini (mira/main, mira-alexandra, mira-chad), all sharing a single openclaw.json. Running Claude Sonnet 4.6 as primary, with ~51 cron jobs.

What happened today: 10 gateway crashes from invalid config writes. Here are the specific invalid fields that caused each crash:

#	Invalid field/value	Likely trigger
1–8	Various invalid enum/key writes	Cron agents attempting config changes
9	tools.sessions.visibility = "global" (valid enum values: self, tree, agent, all)	Agent guessed an enum value
10	channelId added to bindings entries	Agent attempting multi-bot channel routing setup

The concurrent write race is real. With 3 agents + 51 crons all potentially touching config, last-writer-wins destroyed us. The agents list fluctuated exactly as described — agents would disappear from the list between crashes.

What partially helped:

• A Config Guardian cron that polls every ~hour, detects invalid top-level keys, and restores from .lastgood — but it only catches things hourly, not in real-time
• Manual openclaw.json.lastgood restores

What didn't help:

• Behavioral instructions in system prompts telling the agent not to modify config — agents ignore these under pressure, especially when trying to complete a task that seems to require a config change
• The .lastgood mechanism, because concurrent agents can overwrite it before the guardian runs

Root cause confirmed: Multi-agent setup attempting to configure channel bindings/routing is the specific trigger for crash #10. The agent was trying to add channelId to a bindings entry to route a specific channel to a specific agent — a legitimate config operation, but one that corrupted the schema.

Supporting the per-agent config file proposal. The monolithic openclaw.json is the core problem. Per-agent files would have contained the damage. A real-time write validator (not a polling cron) would catch bad writes instantly instead of letting the gateway crash first.

Also filed related: #25194 (thinking block corruption on gateway crash)

[tianxiao1430-jpg]

Another data point: #29838 - same pattern where agents modify openclaw.json without authorization.

In our case, a gemini agent modified config including model settings, dmScope, and botToken positions. This broke the gateway.

The proposed tool-level guard (blocking edit/write to openclaw.json) would be an immediate mitigation while the per-agent config file solution is being developed.