Description
The openclaw config set CLI command can silently overwrite the entire config file with minimal content when the config snapshot fails to load properly.
Root Cause Analysis
In src/cli/config-cli.ts:308-311:
const snapshot = await loadValidConfig();
const next = snapshot.config as Record<string, unknown>; // Problem!
setAtPath(next, parsedPath, parsedValue);
await writeConfigFile(next);
When readConfigFileSnapshot() fails or returns an empty config (e.g., file temporarily unreadable, validation failure), snapshot.config becomes {}. The command then writes this minimal config to disk, losing all existing settings.
Steps to Reproduce
-
Have a working config with multiple settings:
- agents list
- channels (telegram, whatsapp)
- gateway auth
- plugins
- skills
- hooks
-
Run any config set command (observed with):
openclaw config set tools.alsoAllow '["agents_list"]'
-
If the config read fails for any transient reason, the entire config is replaced with just:
{
"tools": {
"alsoAllow": ["agents_list"]
}
}
Evidence from logs
Timeline reconstruction:
| File |
Timestamp |
Size |
Status |
.bak.2 |
15:51 |
3.6KB |
✅ Full config |
.bak.1 |
15:59 |
65B |
❌ Minimal (tools only) |
openclaw.json |
16:18 |
65B |
❌ Minimal |
Something between 15:51 and 15:59 caused the config to be overwritten with minimal content.
Lost Configuration
auth.profilesagents.list (main, oracle, opus, np1)tools.agentToAgenthooks.internalchannels.whatsapp, channels.telegramgateway.auth.tokenskills.load.extraDirsplugins.entries
Suggested Fix
Use snapshot.parsed (raw config from file) instead of snapshot.config (runtime-merged with defaults):
const snapshot = await loadValidConfig();
const next = structuredClone(snapshot.parsed) as Record<string, unknown>; // Use parsed, not config
setAtPath(next, parsedPath, parsedValue);
await writeConfigFile(next);
Or add a guard:
if (!snapshot.exists || Object.keys(snapshot.parsed).length === 0) {
throw new Error("Config file missing or empty; refusing to overwrite");
}Related Issues
Environment
- OpenClaw version: 2026.1.30
- Platform: Linux (WSL2)
Description
The
openclaw config setCLI command can silently overwrite the entire config file with minimal content when the config snapshot fails to load properly.Root Cause Analysis
In
src/cli/config-cli.ts:308-311:When
readConfigFileSnapshot()fails or returns an empty config (e.g., file temporarily unreadable, validation failure),snapshot.configbecomes{}. The command then writes this minimal config to disk, losing all existing settings.Steps to Reproduce
Have a working config with multiple settings:
Run any config set command (observed with):
If the config read fails for any transient reason, the entire config is replaced with just:
{ "tools": { "alsoAllow": ["agents_list"] } }Evidence from logs
Timeline reconstruction:
.bak.2.bak.1openclaw.jsonSomething between 15:51 and 15:59 caused the config to be overwritten with minimal content.
Lost Configuration
auth.profilesagents.list(main, oracle, opus, np1)tools.agentToAgenthooks.internalchannels.whatsapp,channels.telegramgateway.auth.tokenskills.load.extraDirsplugins.entriesSuggested Fix
Use
snapshot.parsed(raw config from file) instead ofsnapshot.config(runtime-merged with defaults):Or add a guard:
Related Issues
Environment