OpenClaw

The gateway moves messages. The intelligence layer decides what to do with them. OpenClaw treats the system prompt as compiled output, not static configuration. At session start, a prompt compiler assembles the system prompt from runtime context: available tools, channel capabilities, identity files, installed skills, and conversation history.

The same agent on the same machine produces different system prompts depending on which tools are available, which channel the message arrived on, and what files exist in the workspace. The prompt is an emergent property of the runtime environment.

Context management follows a prune-then-inject pattern. OpenClaw tracks token budgets per session, compresses older messages via summarization, and reserves space for tool results. Session keys identify conversations uniquely, allowing the agent to maintain separate context windows for different chats even when they share the same underlying model.

Skills discovery is dynamic: the gateway scans for installed skills at startup and injects their tool definitions into the system prompt. Add a skill, restart the gateway, and the agent gains new capabilities without any code changes.

Without persistence, an AI agent suffers digital anterograde amnesia — it meets you for the first time at the start of every session. OpenClaw's memory architecture solves this with a hybrid approach.

The design principle is files as canonical source of truth. MEMORY.md holds curated long-term facts. Daily log files (memory/YYYY-MM-DD.md) are append-only. The vector index and BM25 index are derived from these files — they can be rebuilt at any time. When something breaks, debugging is reading, not querying.

The pre-compaction flush: Before OpenClaw compacts a conversation to free context space, it flushes important facts into MEMORY.md. This prevents information loss during context pruning — facts that would otherwise be summarized away are saved to persistent storage first.

Most agents have a system prompt. OpenClaw agents have a soul. The architecture separates agent configuration into three independent layers: SOUL.md defines philosophy (who the agent is), IDENTITY.md defines presentation (how it appears to users), and openclaw.json defines capabilities (what it can do). Each layer changes independently.

“System prompts tell models what to do. Soul files tell them who to be.” The prompt compiler doesn't instruct the model to follow the soul — it instructs it to embody the soul.

Identity values resolve through a cascade: global config overrides per-agent config, which overrides workspace files, which override defaults. The most specific definition wins. This is the same pattern as CSS specificity or DNS resolution, applied to agent persona.

Multi-agent support takes this further. A single gateway can run multiple agents, each with its own workspace, state directory, and session store — complete isolation. A “work” agent can be formal and detail-oriented while a “personal” agent is casual. Same gateway, different brains. Bindings route inbound messages to specific agents based on channel, account, server, or individual contact.

The soul-evil hook makes identity dynamic: a bundled hook that can swap SOUL.md for an alternate persona at bootstrap time, based on random chance or a scheduled “purge window.” Built as a dev tool for testing adversarial behavior, it also demonstrates how mutable identity becomes an attack surface.

Every layer above creates attack surface. The same capabilities that make OpenClaw powerful make it exploitable.

The identity persistence attack. Zenity Labs demonstrated a zero-click chain from a shared Google Workspace document to full system compromise. The attack used OpenClaw's intended capabilities — Google Workspace integration, Telegram channel plugin, file writing, command execution — to poison SOUL.md, establish a Telegram backdoor, create scheduled reinforcement tasks, and deploy a C2 beacon. No software vulnerability was exploited.

The supply chain. VirusTotal found 341 malicious skills on ClawHub, 335 targeting macOS password theft. Skills can drop instructions into SOUL.md and AGENTS.md that persist even after the skill is uninstalled.

Identity Persistence is a new vulnerability class. The ability to modify the instructions an agent loads at boot time turns a single successful injection into permanent compromise. This isn't unique to OpenClaw — CLAUDE.md, .cursorrules, .windsurfrules all create the same pattern. But OpenClaw's explicit encouragement of soul self-modification makes the attack surface clearest here.