Installment 2
The Agent Lifecycle Nobody's Managing
The first installment of this series made the structural argument: AI agents are in the same operational gap that cloud infrastructure occupied in 2010. Powerful substrate, mass adoption, no management layer. If you’ve deployed an OpenClaw agent, you already know this intuitively — it worked on Saturday, and by Tuesday something was wrong that you couldn’t explain.
This installment is the map.
An agent in production has a full lifecycle — ten distinct stages from installation to retirement. Most of the conversation about agents focuses on the first two: getting it installed and getting it configured. Almost nobody talks about what happens on day 3, day 30, or day 300. And that’s where every deployment I’ve seen breaks down.
I’m going to walk through each stage, what tooling exists for it today, and where the gaps are. This is the territory map for the rest of the series. Each subsequent installment goes deep on one or two of these stages. This one gives you the full picture.
Stage 1: Installation
Acquiring the engine, pulling dependencies, standing up the Docker environment. This is the one stage where the tooling is genuinely decent. clawhq install handles it. Docker Compose files exist. The OpenClaw docs cover this well. You can go from zero to a running container in under an hour.
Installation is also the stage that fools you into thinking this will be easy. The container starts. The gateway responds. The agent greets you. You feel like you’re done.
You are approximately 10% done.
Tooling status: Good. Docker, openclaw onboard, compose templates, community guides. This is a solved problem for anyone comfortable with containers.
Stage 2: Configuration
Here’s where the complexity explodes. A working OpenClaw agent requires approximately 13,500 tokens of configuration spread across 11+ files: runtime config, Docker Compose, Dockerfile, environment variables, credentials, identity files (SOUL.md, AGENTS.md, IDENTITY.md, HEARTBEAT.md, TOOLS.md), cron job definitions, skill configs, and egress rules.
Roughly 40% of that configuration is universal — the same for every agent regardless of use case. Docker networking, resource limits, logging format, health check intervals. The other 60% is deeply personalized — your identity, your integrations, your communication style, your tool access policies, your cron schedules.
The existing tooling — openclaw configure and the built-in Control UI — can set individual values. They can tell you whether a specific setting is valid. What they can’t do is composition. They can’t turn “I want an agent that manages my email and calendar” into a coherent configuration that wires up IMAP credentials, CalDAV sessions, the right cron schedules, appropriate tool permissions, and a matching identity file — all simultaneously, all consistently.
And then there are the landmines. I’ve documented 14 silent configuration landmines — settings that cause security or operational failures without producing any error message. The agent starts fine. The health check passes. But your egress filtering isn’t applied, or your memory is unbounded, or your credential rotation window is too long, or your context pruning is off and you’re burning tokens at a rate that will empty your API budget in a week.
Tooling status: Basic. You can configure individual settings through the CLI or UI, but there’s no composition, no landmine prevention, no use-case-level templates that produce a coherent config across all 11+ files.
Stage 3: Hardening
Security in OpenClaw is opt-in. The default configuration ships with no capability restrictions (cap_drop), no read-only filesystem, no egress filtering, no rate limiting on tool execution. There’s a 30-item hardening checklist buried in the upstream docs. It’s comprehensive and well-written. Almost nobody follows it.
The result: 42,000+ OpenClaw instances found publicly exposed on the internet running default configurations. Nine CVEs in the first two months. The ClawHavoc campaign demonstrated that community skills could inject hidden instructions using base64-encoded strings and zero-width Unicode characters, targeting identity files. Microsoft, Cisco, and Nvidia all published security guidance specifically because the defaults are that bad.
This is the “default security groups are wide open” problem from early AWS, except worse — because an agent with default config doesn’t just accept inbound connections. It actively reaches out to services on your behalf, with your credentials, making decisions autonomously. An insecure VM sits there. An insecure agent acts.
Tooling status: Almost nothing. The hardening checklist exists as documentation. There’s no automated hardening tool, no security profile system, no way to validate that a running agent meets a security baseline. You’re on your own with a checklist and hope.
Stage 4: Deployment
Getting the hardened, configured agent into production. Two-stage Docker build, pre-flight validation checks, firewall setup, health verification, smoke tests. This is standard DevOps practice if you know DevOps. Most OpenClaw operators don’t.
The pre-flight checks matter because configuration errors that don’t surface during docker compose up will surface at runtime — sometimes days later, when a cron job fires for the first time and discovers it can’t reach the IMAP server because the egress rules were never applied.
Tooling status: Partial. Docker handles the container lifecycle. clawhq adds pre-flight checks and health verification. But there’s no standard deployment pipeline, no blue-green deployment for agents, no canary testing. You push and pray.
Stage 5: Day-to-Day Operations
This is where every unmanaged deployment dies. Not with a crash — with a slow accumulation of silent failures.
Credential management. IMAP tokens expire. CalDAV sessions time out. API keys get rotated by upstream providers. When a credential expires, the agent doesn’t stop. It keeps running. It keeps trying. It keeps failing — silently. From the outside, it looks like the agent has stopped doing its job. It’s actually doing its job fine; it just can’t reach the services it needs. I’ve seen operators spend hours debugging agent behavior when the real problem was a stale OAuth token that expired 72 hours ago.
Memory management. An active agent generates roughly 120KB of memory per day. In three days, that’s 360KB. The bootstrapMaxChars setting caps how much memory gets loaded into context — 20,000 characters per file, 150,000 characters aggregate. When memory exceeds those limits, it gets silently truncated. The agent doesn’t crash. It doesn’t warn you. It just starts forgetting things. Decisions it made last week. Context about ongoing projects. Preferences you trained into it over days of interaction. Gone, because the memory file grew past an invisible line.
Identity drift. An agent’s identity is defined across multiple files — SOUL.md, IDENTITY.md, openclaw.json, and others. Over time, these files accumulate contradictions. The SOUL.md says the agent should be concise; the IDENTITY.md has grown verbose examples. The personality bloats with edge cases that made sense when they were added but collectively create incoherence. Scope creep sets in — the agent was an email manager, then someone added calendar handling, then task tracking, and now the identity is trying to be everything and succeeding at nothing. I call this identity drift, and it happens to every agent that runs for more than a few weeks without active governance.
Context consumption. With context pruning off — which is the default — a conversation of just 35 messages can consume 208,000 tokens. The native heartbeat feature, which is supposed to keep the agent responsive, actually consumes tokens from the main session context. These are design decisions that make the agent feel responsive in demos but create real cost and performance problems at scale.
Firewall decay. Docker bridge interfaces get recreated on container restarts. When they do, iptables rules that reference the old interface become invalid. Your egress filtering — which you carefully configured during hardening — silently stops working. This is landmine LM-13, and it bites everyone who restarts their agent container without re-applying firewall rules. The agent keeps running. The health check passes. But your agent can now reach any endpoint on the internet, which is exactly the state you hardened against.
Tooling status: Almost nothing. No credential health monitoring. No memory growth alerting. No identity drift detection. No automated firewall re-application. The operator is the monitoring system. When the operator stops paying attention, the agent degrades.
Stage 6: Updating
OpenClaw releases frequently. Updates regularly include breaking changes with security implications. An update might change the schema for identity files, alter how memory is loaded, modify the tool execution sandbox, or change the default behavior of context pruning.
clawhq update --check validates before applying. Automatic rollback on failure. This is one area where the tooling is ahead of the curve — because I’ve been burned enough times by updates that silently changed agent behavior that I built the rollback mechanism early.
But most operators aren’t using managed update tooling. They’re pulling the latest Docker image and hoping for the best. Or worse, they’re pinned to an old version because they got burned once and decided never to update again — which means they’re running with known vulnerabilities.
Tooling status: Basic in the ecosystem, better in ClawHQ. The upstream openclaw CLI can update, but there’s no pre-update impact analysis, no behavior diffing, no “what will this update change about my agent” preview.
Stage 7: Backup and Restore
Configuration corruption happens. Failed updates happen. Disk failures happen. An operator accidentally overwrites SOUL.md with a bad edit and their agent’s personality evaporates.
clawhq backup create produces encrypted snapshots that capture the full agent state — config, identity, memory, skills, credentials (encrypted separately). Recovery from a corrupted config or a botched update is a single command.
Without this, recovery means reconstructing 13,500 tokens of configuration from memory. Most people don’t have that memory. Their agent does — or did, before the memory file got corrupted.
Tooling status: Minimal in the ecosystem. No native backup in OpenClaw. ClawHQ provides it, but if you’re not using managed tooling, you’re either running your own backup scripts or you’re living dangerously.
Stage 8: Monitoring
clawhq doctor runs 30 diagnostic checks — configuration validation, credential health probes that test actual connectivity (not just “is the token present” but “can this token actually authenticate”), memory size analysis, identity consistency checks, security posture assessment, and resource utilization metrics.
Heartbeat monitoring catches the “agent is up but not functioning” failure mode. Credential health probes catch the “integrations silently stopped working” failure mode.
The upstream tooling covers “is the config valid” and “is the gateway running.” It does not cover “are your credentials still working,” “is your memory bloating,” “has your identity drifted,” “is your firewall still applied after the last container restart,” or “how many tokens did your agent consume today.” Those are the questions that matter on day 30.
Tooling status: Almost nothing in the ecosystem. clawhq doctor exists but it’s point-in-time, not continuous. There’s no agent-native equivalent of Datadog or PagerDuty — no continuous observability, no alerting, no trend analysis.
Stage 9: Skill Management
Skills are the extension mechanism — plugins that give your agent new capabilities. ClawHub, the community marketplace, has hundreds of them. The ClawHavoc research found that 20-36% of community skills contained malicious payloads.
That number should stop you cold.
A skill runs with your agent’s permissions, in your agent’s context, with access to your agent’s credentials. A malicious skill doesn’t need to exploit a vulnerability. It just needs to be installed. It’s already inside the perimeter.
ClawHQ implements a vetting pipeline: stage, vet, approve, activate. Each step creates a rollback snapshot. No skill goes from “downloaded from the internet” to “running with my credentials” without explicit vetting. But this is our tooling, not the ecosystem’s. The default workflow is: find a skill on ClawHub, install it, hope it’s not malicious.
Tooling status: Nothing in the ecosystem. No native skill sandboxing in OpenClaw, no vetting pipeline, no rollback mechanism. The marketplace has a star rating. That’s it.
Stage 10: Retirement
Agents accumulate credentials, memory, integrations, and relationships over their operational lifetime. Decommissioning one means revoking every credential it held, archiving its memory and configuration for audit purposes, notifying dependent services, and cleaning up infrastructure.
Nobody talks about this because nobody has run agents long enough to need it yet. But they will. And when an agent that held IMAP credentials, CalDAV access, API keys to five services, and memory containing months of business communications needs to be shut down, the question “where is all of that and how do I revoke it” becomes urgent.
Tooling status: Nothing. Anywhere. This is a completely unserved stage.
The Coverage Map
Here’s the honest picture of where the lifecycle stands today:
| Stage | Ecosystem Tooling | ClawHQ | Gap |
|---|---|---|---|
| Installation | Good | Good | Solved |
| Configuration | Basic | Better | Composition, landmine prevention |
| Hardening | Documentation only | Automated | Everything |
| Deployment | Docker | Pre-flight + health | Pipeline, canary |
| Day-to-day Ops | Nothing | Partial | Credential, memory, identity, firewall |
| Updating | Basic | Rollback | Impact analysis, behavior diffing |
| Backup/Restore | Nothing | Encrypted snapshots | Native support |
| Monitoring | Basic health | Doctor (30 checks) | Continuous observability |
| Skill Management | Nothing | Vetting pipeline | Everything |
| Retirement | Nothing | Nothing | Everything |
The pattern is stark. The ecosystem has decent tooling for getting an agent running. It has almost nothing for keeping an agent running. The lifecycle stages that matter most for production operations — the ones that determine whether your agent is still functioning correctly on day 30 — are almost entirely unserved.
Why This Matters
Getting OpenClaw running is a weekend project. Keeping it running is an SRE job.
Most deployments are abandoned within a month. Not because the agent wasn’t useful — because the operator couldn’t sustain the operational burden. Credentials expired and nobody noticed. Memory bloated and the agent got weird. An update broke something and there was no rollback. The operator got tired of being the monitoring system and moved on.
This is the same failure mode I watched play out in cloud adoption from 2008 to 2014. Companies would spin up EC2 instances, run into operational chaos, and either invest heavily in management tooling or retreat back to their data center. The ones who invested thrived. The ones who retreated fell behind. The management layer was the difference.
The rest of this series goes deep on each of these lifecycle stages. Configuration landmines. Security hardening. Memory management. Identity governance. Skill vetting. The operational patterns that separate agents that run for a day from agents that run for a year.
This is the map. Now let’s walk the territory.
Next: The 14 Silent Landmines — the configuration settings that cause security and operational failures without any error message, and how to defuse them before they detonate.