OpenClaw Updates

v2026.3.22 & v2026.3.23

12 Breaking Changes · 48h Agent Timeout · 13 Patch Fixes · Security Hardened

48-Hour Agent Timeout

Sessions no longer die mid-task — no config change needed

BEFORE
600s
10-minute hard limit
Long tasks silently killed
Lost progress, broken state
Workarounds required
timeout: 600
AFTER
48h
172,800 second window
Survives complex pipelines
Full multi-hour agent runs
Zero config change
timeout: 172800

Upgrade automatically — existing sessions pick up the new default on next restart

ClawHub & Plugin Ecosystem

Native skill discovery, install, and update — npm as fallback

ClawHub
Default source
Search
Browse skills
Install
One command
Auto-update
Stay current
🔗 Registry
Curated skill index
Version pinning
Integrity checks
🛠 CLI
openclaw skill search
openclaw skill install
openclaw skill update
📦 Fallback
npm registry fallback
Private packages
Scoped installs

Bundled Search Tools

Exa · Tavily · Firecrawl — first-party, zero setup

Exa
Neural web search
Semantic retrieval
exa_search
Tavily
AI-optimised results
Answer extraction
tavily_search
Firecrawl
Full-page scraping
Structured extraction
firecrawl_search
firecrawl_scrape
Research Superpower
Agents can now search, scrape, and synthesise the web natively — no API keys, no manual wiring. Install from ClawHub and go.

New Models & Platforms

MiniMax M2.7 default · Claude on Google Vertex AI

🤖
MiniMax M2.7
New default model
Replaces M2.5
Improved reasoning
Better tool use
Lower latency
Zero config change
+
☁️
Claude via Vertex AI
Google Cloud platform
GCP IAM / ADC
Enterprise auth via ADC
GCP IAM permissions
Regional endpoints
No API key needed
minimax/minimax-m2.7 vertex/claude-3-5-sonnet vertex/claude-3-7-sonnet openrouter/...

Set GOOGLE_APPLICATION_CREDENTIALS or use gcloud auth application-default login

SSH Sandbox Backend

New pluggable sandbox system — bring your own execution environment

Pluggable Sandbox System
Swap execution backends without changing agent logic. Clean interface, infinite extension points.
Mirror Mode
Remote workspace mirrors local files in real time. Edit locally, execute remotely.
Remote Workspace Mode
Agent runs fully inside remote machine — no local file sync required.
Secret-Backed Credentials
SSH keys & certificates injected from secret store — never touch the filesystem.
ARCHITECTURE
OpenClaw Agent
↓
Sandbox Interface
↓
OpenShell Backend
Mirror: local → remote
Remote WS: fully remote
↓
SSH Transport
Secret Store: keys / certs
↓
Remote Host

Android Upgrades

Mobile-first agent capabilities — expanding what your phone can do

SMS Search · Call Log Search · System Dark Theme
SMS Search
Query message history by contact, keyword, or date range. Agent can read and reference your conversations.
Call Log Search
Search incoming, outgoing, and missed calls. Filter by contact or time window.
System-Aware Dark Theme
UI auto-switches with Android system theme. No manual toggle — just works.
Expanding Capabilities
Android is becoming a first-class agent surface. More device integrations coming in future releases.
Your Android isn't just a chat interface anymore — it's a full agent endpoint.

Mid-Run Questions + DAG Summarization

Smarter agent runtime — ask without breaking flow, summarize without bloating

MID-RUN QUESTIONS
Problem: Asking a question mid-task used to inject context into the ongoing session, polluting future tool calls.
Solution: Questions are now isolated — ask anything during an agent run without altering the session's future context window.
Agent (Running) → User (Question) → Answer (isolated)
Session context: unchanged ✓
DAG SUMMARIZATION
Problem: Long-running agents generate session files that grow unboundedly, causing context overflows and slow loads.
Solution: DAG-based hooks summarize completed branches automatically — keeping session files lean without losing history.
Task A · Task B · Task C
↓ complete ↓
DAG Hook → Summarize
↓
Compact Summary Node
Session file stays bounded ✓

Performance: 35x Faster

Session loading is no longer the bottleneck

35× faster session loading
JSON5 → Native JSON
Switched session file parsing to native JSON.parse(). Single biggest win.
No More Event-Loop Blocking
Eliminated synchronous I/O on hot paths. Agent stays responsive during heavy loads.
Proactive Context Compaction
Long tool loops trigger compaction before context overflows — not after.
BEFORE / AFTER

Before

  • JSON5 parser (slow)
  • Blocking I/O on load
  • No compaction hooks
  • WhatsApp boot: tens of seconds

After

  • Native JSON.parse()
  • Async, non-blocking
  • Proactive compaction
  • WhatsApp boot: seconds

WA cold boot: ~30s before → <2s after

Critical Fixes

Stability, security, and reliability — the unsexy work that matters most

WhatsApp QR Pairing Fix
Resolved Baileys 515 stream error that caused QR scan failures. Pairing now succeeds 100% of the time.
OpenRouter Vision Fix
Dynamic runtime checks now correctly detect vision capability per model. No more silent image-drop failures.
Windows SMB Credential Leak — Patched
UNC path injection in exec could expose NTLM credentials to a remote host. Now sanitised at input.
Unicode Padding in Exec Prompts — Fixed
Invisible Unicode characters caused misaligned approval prompts. Stripped at render time.
Startup Time Improvements
Lazy-loaded non-critical modules. Cold start measurably faster across all platforms.
100% WA QR success rate
0 SMB credential leaks
5 critical fixes shipped
Security Shield

v2026.3.22

Security Overhaul

The largest security patch in OpenClaw project history.

Device Pairing Gaps

Authentication gaps in the device pairing flow patched — rogue devices can no longer complete pairing without proper validation.

Webhook Authentication

Incoming webhook endpoints now enforce signature verification. Unauthenticated webhook delivery rejected at the gateway layer.

Windows SMB Credential Leak

Resolved UNC path injection vector on Windows that could trigger SMB authentication and expose NTLM credentials to a remote host.
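
An added example, not OpenClaw's own code, of the kind of input check this fix describes: it flags exec arguments that Windows would resolve as a remote SMB path before anything is run. The function names, pattern set and sample hosts are assumptions made for illustration.

```javascript
// Added example (not OpenClaw source); all names here are hypothetical.
// Flags exec arguments that Windows would resolve as a remote SMB path.
// Opening such a path makes the client authenticate to that host with NTLM.
const PATTERNS = [
  // \\?\UNC\host\share or \\.\UNC\host\share (device-path spelling of UNC)
  ['unc-device', /(?:^|[=\s"'])[\\\/]{2}[?.][\\\/]UNC[\\\/]([^\\\/\s"']+)/i],
  // \\host\share or //host/share (Win32 accepts either slash)
  ['unc', /(?:^|[=\s"'])[\\\/]{2}([^\\\/?.\s"'][^\\\/\s"']*)/],
  // file://host/share and file:////host/share; file:///C:/... has no host
  ['file-url', /\bfile:(?:\/\/|\/{4,})([^\\\/\s"']+)/i],
];

function findRemotePaths(argv) {
  const findings = [];
  argv.forEach((arg, index) => {
    for (const [kind, pattern] of PATTERNS) {
      const match = pattern.exec(String(arg));
      if (match && match[1].toLowerCase() !== 'localhost') {
        findings.push({ index, kind, host: match[1] });
        break; // one finding per argument is enough to reject it
      }
    }
  });
  return findings;
}

function assertLocalOnly(argv) {
  const [first] = findRemotePaths(argv);
  if (first) {
    throw new Error(
      `exec rejected: argv[${first.index}] names remote host "${first.host}" (${first.kind})`
    );
  }
  return argv;
}

// Constructed sample invocations (hosts are documentation placeholders).
const SAMPLES = [
  ['type', '\\\\fileserver.example\\share\\notes.txt'],
  ['robocopy', 'C:\\data', '--dest=\\\\?\\UNC\\nas.example\\backup'],
  ['cmd', '/c', 'dir //192.0.2.10/c$'],
  ['git', 'clone', 'https://example.com/repo.git'],
  ['type', '\\\\?\\C:\\temp\\a.txt'],
];
for (const argv of SAMPLES) console.log(argv.join(' '), findRemotePaths(argv));
```

Local device paths such as \\?\C:\ and ordinary http(s) URLs pass; rejecting the whole invocation is safer than trying to rewrite the path.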

Unicode Padding Exploit

Unicode zero-width / padding characters could bypass input length limits and filter checks. Now stripped and normalised before validation.
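
An added example, not OpenClaw's own code, of normalising before validating: the length limit and the filter both run on the canonical string, and that same string is what is returned for rendering or execution. The function names, the policy object and the list of invisible code points are assumptions; the samples are constructed.

```javascript
// Added example (not OpenClaw source); all names here are hypothetical.
// Code points that render as nothing or as blank filler.
const INVISIBLE =
  /[\u00AD\u034F\u061C\u115F\u1160\u17B4\u17B5\u180E\u200B-\u200F\u202A-\u202E\u2060-\u206F\u3164\uFEFF\uFFA0]/g;

function canonicalise(raw) {
  // NFKC first: folds fullwidth letters, ligatures and compatibility fillers,
  // so the strip below also catches characters that only appear after folding.
  return raw.normalize('NFKC').replace(INVISIBLE, '');
}

// Weak order, kept for contrast: checks run on the raw string.
function naiveAccepts(raw, policy) {
  const lowered = raw.toLowerCase();
  return raw.length <= policy.maxLength &&
    !policy.denylist.some((term) => lowered.includes(term));
}

// Hardened order: canonicalise, then apply every check to the canonical text,
// and hand that same text to whatever renders or executes it.
function validateInput(raw, policy) {
  const text = canonicalise(raw);
  const changed = text !== raw; // worth logging: input carried hidden characters
  if (text.length > policy.maxLength) return { ok: false, reason: 'too_long', text, changed };
  const lowered = text.toLowerCase();
  const hit = policy.denylist.find((term) => lowered.includes(term));
  if (hit) return { ok: false, reason: `denied:${hit}`, text, changed };
  return { ok: true, reason: null, text, changed };
}

// Constructed policy and samples.
const POLICY = { maxLength: 32, denylist: ['shutdown'] };
const SAMPLES = {
  plain: 'echo hello',
  zeroWidth: 'shut\u200Bdown /s',
  fullwidth: '\uFF53\uFF48\uFF55\uFF54\uFF44\uFF4F\uFF57\uFF4E /s',
  padded: 'echo hi' + '\u2060'.repeat(40),
};
for (const [name, raw] of Object.entries(SAMPLES)) {
  console.log(name, naiveAccepts(raw, POLICY), validateInput(raw, POLICY));
}
```

The `changed` flag is a cheap detection signal: legitimate command input rarely contains zero-width or filler characters.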

Researcher-Reported Vulnerabilities

Additional CVEs reported via responsible disclosure program — all patched in this release. A serious step forward in security posture.

⚠️

Breaking Changes

3 changes require action before upgrading

01

Plugin installs now default to ClawHub

openclaw plugin install <name> now resolves from ClawHub by default instead of npm. Existing plugins continue to work. Use --registry npm flag to force npm resolution.

02

Legacy Chrome extension relay path removed

The deprecated /relay/legacy Chrome extension endpoint has been removed. Run the migration tool to update your config automatically:

$ openclaw doctor --fix
03

CLAWDBOT_* & MOLTBOT_* env vars removed

Final MoltBot → OpenClaw rebrand. Legacy prefixes are no longer read at startup. Switch all environment variables to the OPENCLAW_* prefix.

CLAWDBOT_* ✗ MOLTBOT_* ✗ → OPENCLAW_* ✓
🚨

Incident Report

Known Issue & Hotfix

SEV-2 · v2026.3.22 Initial Release Resolved ✓

Missing dist/control-ui directory in npm package

The initial v2026.3.22 npm package was published without the dist/control-ui directory, causing the dashboard UI to fail to load. Users on the initial release would see a blank screen or 404 when opening the OpenClaw control panel.

Resolution — Hotfix Steps
1

Update to the hotfix release

npm i -g openclaw@latest
2

Verify dist/control-ui is

OpenClaw

Available Now

Upgrade to v2026.3.22

Security
Largest security patch in project history
ClawHub
New default plugin registry
Rebrand Complete
MoltBot era ends β€” OPENCLAW_* everywhere
terminal
$ npm i -g openclaw@latest
v2026.3.23

Stability & Polish Patch

13 targeted fixes β€” no breaking changes

βœ“ Browser/Chrome MCP attach timing
βœ“ Gateway pricing recursion fix
βœ“ ClawHub macOS auth paths
βœ“ Mistral max-token defaults
βœ“ Plugin message schema fix
βœ“ Security hardening (exec + canvas)
Browser

Browser Fixes

Chrome MCP attach timing & CDP loopback reuse

Before

Chrome MCP treated initial handshake as ready immediately → user-profile timeouts & repeated consent churn on macOS attach flows.

CDP loopback miss → immediate relaunch detection → second-run browser regressions on slower headless Linux.

After

Wait for usable state after attach before signalling ready → no more consent churn or timeouts. #52930

Reuse running loopback after short reachability miss → second-run start/open works reliably. #53004

ClawHub

macOS Auth Path Fixes

Skill browsing now stays authenticated on macOS

macOS App Support
XDG Config Path
Auth Token Resolved
Authenticated Browse
Fix 1 — #53034

Honor macOS auth config & XDG auth paths for saved ClawHub credentials so openclaw skills stays signed in.

Fix 2 — #52949

Read local ClawHub login from Application Support path & still honor XDG on macOS for both default and XDG setups.

Fix 3 — #52949

Resolve local auth token for gateway skill browsing & switch browse-all to search — stops 429s & empty lists.

Plugins

Message Tool Schema Fix

Discord components & Slack blocks are optional again — #52970 / #52962

Broken schema (required)
message({
  action: 'send',
  channel: 'discord',
  // components REQUIRED →
  // pin/react fails schema!
  components: { ... }
})

pin, unpin, react flows all failed validation. Feishu media attachments silently dropped.

Fixed schema (optional)
message({
  action: 'pin',
  channel: 'discord',
  // components optional →
  // all flows pass schema ✓
})
// Feishu media → outbound path ✓

Discord components & Slack blocks optional. Feishu file/image sends routed correctly.

Gateway

Pricing Infinite Recursion Fix

openrouter/auto bootstrap no longer recurses indefinitely — #53035

Root Cause

openrouter/auto pricing refresh called itself recursively during gateway bootstrap, causing a stack overflow before cached pricing could populate.

Impact

OpenRouter auto routes can now populate cached pricing correctly and usage.cost is reported accurately again.

Affected Users

Anyone using openrouter/auto as their routing model saw $0.00 cost on all requests and potential gateway hangs at startup.

Models

Mistral Fix & Doctor Migration

Deterministic 422 errors eliminated — #52599

Problem

Bundled Mistral max-token defaults were set to context-window size — the full context limit.

Persisted provider configs from older installs carried these inflated values, causing Mistral 422 rejects on every request.

Fix

Lowered bundled Mistral max-token defaults to safe output budgets.

openclaw doctor --fix now repairs old persisted configs automatically — no manual edits required.

Also Fixed

web_search now uses the active runtime provider instead of stale/default selection. #53020

Agent turns consistently hit the provider you actually configured.

Security

Security Hardening

Exec approvals • Gateway auth • Canvas routes

Exec Approvals

Shell-wrapper positional-argv allowlist now rejects single-quoted $0/$n tokens, disallows newline-separated exec, and still accepts exec -- carrier forms.

Gateway Auth

Canvas routes now require authentication. Agent session reset requires admin scope. Anonymous canvas access and non-admin reset requests fail closed.

Defense in Depth

Three independent hardening points closing different attack surfaces: CLI injection, API auth bypass, and admin privilege escalation.

Gateway

Gateway Stability

Probe false-negatives • Supervision lock crash-loop

Probe False-Negative — #52927

Before: Successful gateway handshakes timed out as unreachable while post-connect detail RPCs were still loading on slow devices.

After: Slow devices report a reachable RPC failure instead of a false-negative dead gateway.

Supervision Lock — #52922

Before: Lock conflicts under launchd/systemd caused duplicate processes to exit as failures, crash-looping the supervisor.

After: Duplicate process enters a retry wait while the healthy gateway owns the lock — no more crash-loops.

Matrix & Release

Matrix & Install Fixes

Startup crash eliminated • Bundled plugins preserved

Matrix Crash — #52909 / #52891

Root cause: Duplicate resolveMatrixAccountStringValues runtime-API exports under Jiti caused a Cannot redefine property crash at startup.

Fix: Deduplicated exports — bundled Matrix installs start cleanly.

Release / npm Install

Before: Previously released bundled plugins and Control UI assets were stripped from npm publishes.

After: Bundled plugins & UI assets are preserved in npm publishes. Release checks now fail if shipped artifacts are missing.

v2026.3.23 Summary

Pure stability patch — safe to upgrade immediately

Browser Attach · ClawHub Auth · Plugin Schema · Gateway Pricing · Mistral Tokens · Security · Gateway Stability · Matrix Crash · npm Install
13+ Fixes · 0 Breaking Changes · 3 Security Fixes

npm update -g openclaw

Then run: openclaw doctor --fix