Agent Control Loops: From OpenClaw to Alternative Architectures

How personal AI agents work internally, how different control loop designs trade off safety and flexibility, and how proactive intent-surfacing layers on top of any execution architecture.

February 2026 · agentsarchitecturesafety
Section 1

How OpenClaw works today

OpenClaw (formerly Clawdbot/Moltbot) is a self-hosted, open-source personal AI agent created by Peter Steinberger. It runs as a long-lived Node.js process (the Gateway) on your own hardware and connects to messaging channels (WhatsApp, Telegram, Slack, Discord, iMessage, etc.) on one side and an LLM provider (Claude, GPT-4, DeepSeek, or a local model via Ollama) on the other.

The core execution engine is a single-model agentic loop. OpenClaw wraps the Pi agent core library (@mariozechner/pi-agent-core) and communicates with it via RPC. The architecture places all decision authority—reasoning, action selection, and stopping—inside one model invocation per turn. Tools execute opportunistically, and the model sees their results in the next iteration.

The agentic loop

OpenClaw’s loop follows a fixed pipeline for every inbound message:

Message Intake
Context Assembly
Model Inference
Tool Execution
Stream Reply
Persist State

In more detail:

  1. A channel adapter normalizes the inbound message (from Discord, WhatsApp, etc.) into a unified format.
  2. The Gateway assigns the message to a session and places it in a lane queue. Lanes default to serial execution per session, which prevents race conditions on shared state. Parallel execution is opt-in for explicitly marked low-risk tasks.
  3. The agent runner selects the model, assembles the prompt (user message + tool schemas + session history + memory), and manages the context window.
  4. The model emits either a tool-call proposal or a final user-facing response.
  5. If a tool call is proposed, the tool runtime executes it (file I/O, shell commands, browser control, etc.) and appends the result back into context.
  6. The loop repeats until the model emits a final response or a hard limit is hit (default timeout: 600 seconds).
  7. Session state and JSONL transcripts are persisted.
WhatsApp · Telegram · Discord · iMessage · Slack · … GATEWAY session routing · lane queue · ws://127.0.0.1:18789 CONTEXT ASSEMBLY user msg + tool schemas + history + MEMORY.md + SOUL.md LLM INFERENCE Claude · GPT-4 · DeepSeek · Ollama ↓ tool call (JSON) ↓ final response TOOL RUNTIME fs · shell · browser · cron STREAM TO USER + persist state result appended to context loop back
Figure 1 — OpenClaw’s agentic loop. The model owns the stopping decision. The dashed line shows the tool-result feedback path.

Memory and state

OpenClaw avoids complex memory architectures. It uses three complementary systems:

For retrieval, OpenClaw combines vector search (broad semantic recall) with SQLite FTS5 keyword matching (precision). This hybrid approach reduces the “semantic noise” problem where vector search retrieves similar-looking but irrelevant information.

When the context window approaches its limit, OpenClaw triggers auto-compaction: it summarizes older messages and prunes them while preserving critical context.

What this architecture gets right

What this architecture lacks

These gaps are acceptable for a personal assistant doing low-to-medium-stakes tasks (email triage, file management, web lookups). They become dangerous for high-stakes automation (financial transactions, system administration, anything with irreversible side effects).

Security considerations

OpenClaw’s power comes from broad system access: it can read/write files, run shell commands, and control browsers. Cisco’s AI security team tested a third-party OpenClaw skill and found it performed data exfiltration and prompt injection without user awareness. CrowdStrike has published detection guidance for OpenClaw deployments on enterprise networks. The skill ecosystem currently lacks adequate vetting for malicious submissions.

Core tension

The same capabilities that make OpenClaw useful (broad tool access, persistent memory, autonomous execution) are what make it a security risk when misconfigured.

Section 2

A gallery of agent control-loop architectures

The architectures below represent distinct design choices about where decision authority lives. Each answers the question: who decides what to do next, and who decides when to stop?

The key design variable is the locus of control—whether it sits in the model, in code, or is split between them.

A1. ReAct loop — single model owns everything

Paper

Yao et al., “ReAct: Synergizing Reasoning and Acting in Language Models,” ICLR 2023. arXiv:2210.03629

ReAct’s core contribution is interleaving explicit reasoning traces (Thought) with actions (Act) and observations (Obs) in a single model’s output. This distinguishes it from plain tool-calling loops, where the model emits tool calls without articulating its reasoning.

The Thought trace is what makes ReAct interesting: it forces the model to verbalize its plan, track subgoal completion, and handle exceptions in natural language. This makes the agent’s decision process inspectable (you can read the Thought steps) at the cost of consuming extra tokens.

When to use it: ad-hoc assistants, research prototypes, single-session data tasks, interactive debugging. Anywhere the stakes are low and you want maximum flexibility with minimum engineering.

Why it works for these cases: you need tool access, you don’t need persistent state, and you can tolerate occasional failure. The model’s built-in world knowledge handles most of the planning.

USER: “Find my receipt” LLM (ReAct) Thought: I should search email Action: search_email(q="receipt") Owns: planning · action · stopping TOOL RUNTIME result: {found: ["receipt.pdf"]} observation appended to context
Figure 2 — ReAct loop. The model interleaves Thought and Action; code only executes tool calls.

Failure modes: The model can loop silently (repeating the same failed action), stop prematurely (declaring success without verifying), or hallucinate observations. There is no external check on any of these.

OpenClaw ↔ ReAct

OpenClaw’s agentic loop is functionally a ReAct-style loop. The model reasons, proposes tool calls, observes results, and decides when to stop. OpenClaw adds engineering infrastructure around this pattern (lane queues, session management, memory) but does not change the fundamental control structure.

A2. Planner–executor loop — two models, role-separated

Related work

HuggingGPT (Shen et al., NeurIPS 2023, arXiv:2303.17580); Inner Monologue (Huang et al., 2022, arXiv:2207.05608); LangGraph multi-agent templates.

One model (the Planner) produces an abstract plan as a sequence of steps. A second model (the Executor) carries out each step by making tool calls. The Planner never touches tools directly. The Executor never decides what to do next at a high level.

When to use it: multi-step task automation, document workflows, API orchestration, research pipelines. Cases where you want a stable plan that survives tool-level hiccups.

Why it works for these cases: separating planning from execution means you can swap executors (or use a cheaper, faster model for execution) without destabilizing the plan. You can also inspect and approve the plan before execution begins.

USER: “Submit expenses” PLANNER (larger model) 1. Locate receipts 2. Fill expense form 3. Submit to finance step 1 EXECUTOR (smaller model) search_files(q="receipt") TOOL RUNTIME result: {files: ["receipt.pdf"]} result → Planner / next step
Figure 3 — Planner–Executor. The plan is inspectable and can be approved before execution starts.

Failure modes: Bad plans (the Planner misunderstands the task or produces an infeasible sequence). Executor drift (the Executor interprets a step differently than the Planner intended). Replanning overhead (if the Planner must revise after every step, you lose the cost advantage of using a cheaper Executor).

Key design question: How much authority does the Executor have to deviate from the plan? Strict adherence makes the system predictable but brittle. Loose adherence makes it adaptive but harder to audit.

A3. Controller-driven loop — code owns decisions, models propose

Related work

Guardrails AI; Anthropic’s tool-use with human-in-the-loop pattern; the subsumption architecture (Brooks, 1986).

This architecture moves the locus of control from the model into deterministic code. The model proposes actions, but a code-based controller decides whether to execute them, tracks state explicitly, and determines when the task is complete.

When to use it: safety-critical automation, financial operations, compliance-heavy systems, any domain where you need deterministic stopping conditions and an audit trail.

Why it works for these cases: the controller enforces invariants that the model cannot violate. The model’s role is reduced to “suggest what to do next”—it does not decide whether to do it or whether the task is done.

USER: “Pay vendor invoice” CONTROLLER (code) State: {goal: "pay #42", checks: [amount < $5k, vendor OK]} Owns: state · stopping · verification "what next?" LLM (policy advisor) proposed action: call payments API proposal CONTROLLER (validate + execute) amount < $5k? ✓   vendor verified? ✓   → execute CONTROLLER (verify) API success? ✓   Invoice closed? ✓   → Done
Figure 4 — Controller-driven. Code (blue) owns every decision; the model (light blue) only proposes.

Failure modes: Controller bugs. If the controller’s state machine or verification logic is wrong, the system will fail deterministically and confidently. You’ve traded model uncertainty for code correctness requirements. This is usually a good trade for high-stakes systems, but it requires real engineering investment in the controller.

Key design question: How much of the task logic should live in the controller vs. the model? Too much in the controller and you’ve built a traditional workflow engine that happens to use an LLM for text generation. Too little and you’re back to a ReAct loop with extra steps.

A4. Workflow / DAG-based loop — model authors the graph, code runs it

Related work

Airflow, Temporal, Prefect (production); LangGraph (LLM-specific); CoALA (Sumers et al., 2023, arXiv:2309.02427); workflow-nets (van der Aalst, 1998).

The model’s role is pushed even further from execution: it authors a directed acyclic graph (DAG) of steps, and a deterministic executor runs the graph. The model may also fill in parameters for individual nodes, but it does not control execution order or stopping.

When to use it: data pipelines, ETL, CI/CD, document processing, robotic process automation. Any task that is repetitive, well-structured, and benefits from checkpointing and partial re-execution.

Why it works for these cases: the DAG makes dependencies explicit, enables parallel execution of independent branches, supports checkpointing, and provides clear progress tracking.

USER: “Generate weekly report” WORKFLOW AUTHOR (model) Constraint: no execution fetch_data fetch_kpis fetch_logs aggregate send DAG definition DAG EXECUTOR (code) Runs nodes in dependency order Checkpoints · Retries · Parallelizes branches may call LLM for params PARAM FILLER (model, optional) "generate SQL for KPIs" → SELECT … FROM … ⚠ Important distinction: LLM-authored DAGs at runtime inherit planning failure modes. Pre-defined DAGs are far more predictable.
Figure 5 — DAG-based. The model authors the graph; deterministic code runs it.

Failure modes: DAG design errors (the model produces a graph with missing dependencies or impossible nodes). Rigid structure (if the task requires dynamic replanning mid-execution, a DAG is the wrong abstraction). Over-engineering (for simple sequential tasks, a DAG adds complexity without benefit).

Comparison

Property A1: ReAct A2: Planner–Executor A3: Controller-driven A4: DAG-based
Who decides next action? Model Planner model Code Code (DAG order)
Who decides when to stop? Model Planner model Code (postconditions) Code (DAG completion)
Who executes tools? Tool runtime Executor model + runtime Code, after validation Code (DAG executor)
Verification None Informal Explicit (code checks) Implicit (DAG structure)
Failure transparency Low Medium High High
Engineering cost Very low Medium High Medium–High
Best for Low-stakes, short tasks Structured multi-step Safety-critical systems Repetitive pipelines
Section 3

Proactive agent architecture

Every architecture above is reactive: the user sends a message, and the agent responds. A proactive agent inverts this. It monitors external context continuously and surfaces candidate intents—things the user might want to do—without being asked.

The core design principle

A proactive agent should surface intents, not execute actions. It observes state, generates suggestions, and requires explicit human approval before anything happens. It must never plan, call tools, or execute on its own.

This separation is critical for trust. If a proactive agent can act autonomously, it becomes an unsupervised automation system with access to your calendar, email, and files. The human approval gate is what makes it a useful assistant rather than a liability.

Related work

EXTERNAL CONTEXT / STATE Calendar: meeting in 30 min · Email: receipt.pdf arrived Clock: Tue 4 PM · History: user submits expenses every Fri continuous feed ↓ PROACTIVE AGENT (model) Input: context + user history Output: “Prepare expense submission?” NEVER plans · NEVER calls tools · NEVER executes suggestion HUMAN APPROVAL GATE “Prepare expense submission?” Approve Edit Dismiss approved intent EXECUTION LAYER Any architecture from §2: ReAct · Planner–Executor · Controller · DAG The proactive layer composes with any execution architecture. For OpenClaw: pair with the existing ReAct-style agentic loop. For high-stakes: pair with a Controller-driven loop (A3).
Figure 6 — Proactive architecture. The agent surfaces suggestions; the human gates execution; any loop from §2 runs the approved intent.

The suggestion spam problem

The hardest design challenge for proactive agents is salience filtering: deciding which suggestions are worth surfacing and when. A proactive agent that suggests too often trains users to ignore it. One that suggests too rarely provides no value.

Lu et al.’s reward model approach is promising: train a classifier on human accept/reject decisions to predict whether a suggestion will be welcomed. Their reward model achieved 0.918 F1 on a test set, suggesting that salience prediction is tractable.

Other mitigation strategies:

References

Further reading