🚀 What's New
- Docker GPU Passthrough — Local GPU workloads inside sandboxed agents
- Outbound Proxy — Operator-managed proxy routing with strict validation
- Gateway Cold-Start Optimizations — Faster startup, trace timings, max-RSS reporting
- DeepInfra Provider — New bundled provider with image gen, TTS, video, embeddings
- Codex Computer Use — Local Codex/Claude adapters, marketplace discovery
- Tencent Yuanbao Channel — New external channel plugin
- QQBot Overhaul — Group chat, C2C streaming, chunked upload
- Discord & Telegram — Private-by-default replies, multi-bot routing
- Plugin SDK Refactor — Startup declarations, manifest-driven catalogs
- Security Hardening — Redaction, token cleanup, macOS hardening
⚙️ Infrastructure & Deployment
Docker GPU Passthrough
- Opt-in
sandbox.docker.gpus config
- Enables local GPU workloads inside sandboxed agents
- Requires host runtime with
--gpus support
Outbound Proxy
- Operator-managed via
proxy.enabled + proxy.proxyUrl
- Strict
http:// forward-proxy validation
- Loopback-only Gateway bypass; dispatcher cleanup on exit
Gateway Cold-Start Optimizations
- Channels start without blocking on primary-model prewarm
plugins.enabled=false skips auto-discovery and runtime-deps staging- Lightweight
runtimeContexts for bundled channels
- Startup trace timings and max-RSS reporting added
🔧 New Provider: DeepInfra
- Bundled provider with
DEEPINFRA_API_KEY onboarding
- Dynamic OpenAI-compatible model discovery
- Image generation & editing
- Media understanding
- Text-to-speech (TTS)
- Text-to-video
- Memory embeddings
- Provider-owned base URL policy
DeepInfra expands OpenClaw's inference provider ecosystem beyond existing bundled providers.
💻 Codex Computer Use
- New CLI commands:
/codex computer-use status and /codex computer-use install
- Marketplace discovery with optional auto-install
- Fail-closed MCP server checks before Codex-mode turns
- ACPX runtime now bundles and launches Codex/Claude adapters locally
- Eliminates reliance on live
npx resolution
"Local adapter bundling reduces external dependency fragility and improves cold-start reliability for Codex workflows."
📢 Channels & Integrations
Tencent Yuanbao
- New external channel plugin:
openclaw-plugin-yuanbao
- Quick-start docs at
docs/channels/yuanbao.md
QQBot
- Full group chat support with history and @-mention gating
- Activation modes, per-group config, FIFO queue
- C2C
stream_messages with StreamingController lifecycle
- Unified
sendMedia with chunked upload for large files
Discord
- Group/channel replies are private by default
- Restore legacy auto-posting with
messages.groupChat.visibleReplies: "automatic"
Telegram
- Multi-bot approval routing
- Sticky Bot API network fallbacks
--thread-id support for cron jobs
🛠️ Plugin SDK & Runtime
- Explicit Startup Declarations: Bundled plugins migrate to
activation.onStartup metadata
- Manifest-Driven Model Catalogs:
modelCatalog.aliases and modelCatalog.suppressions wired into planning
- Provider catalogs for Qianfan, Xiaomi, NVIDIA, Cerebras, Mistral, Moonshot, DeepSeek, Tencent TokenHub, StepFun, BytePlus, Volcano Engine, Fireworks, and Together AI moved into plugin manifests
- New SDK Surfaces:
plugin-sdk/channel-route, agent-runtime-test-contracts, channel-test-helpers, channel-target-testing, plugin-test-api
- Legacy Compatibility: Restored root exports for older external plugins
🔐 Security, Auth & Privacy
- Control UI Redaction: Tool-call args, results, exec output, and secret patterns redacted before streaming to Control UI. Fixes #72283.
- Session Redaction:
sessions_history recall redaction stays enabled even when general log redaction is disabled.
- Console Sink: Sensitive tokens (
sk-*, Bearer/Authorization) redacted at subsystem console sink. Fixes #73284.
- Trusted Proxy: Explicit
trustedProxy.allowLoopback for same-host reverse proxies (fail-closed). Fixes #59167, #17761.
- Device Auth: Clears stale device tokens, stops reconnecting on mismatch. Fixes #71609.
- macOS: Managed Gateway services stop before package replacement; LaunchAgent secrets load from owner-only env files. Fixes #72996.
- Legacy Env: Warns when
CLAWDBOT_* or MOLTBOT_* variables are present.
📊 Release Velocity
| Release | Date | Time Since Previous |
|---|
| v2026.4.24 | Apr 25 | — |
| v2026.4.25 stable | Apr 27 | ~2 days |
| v2026.4.26 | Apr 28 | ~13 hours |
| v2026.4.27 | Apr 29 | ~24 hours |
OpenClaw has shipped 4 stable releases in 5 days.
30+ total releases since the release train began.
🎯 Strategic Takeaways
- Infrastructure maturation: GPU passthrough, proxy support, and cold-start optimization signal enterprise-readiness.
- Provider ecosystem expansion: DeepInfra joins a growing list of bundled inference providers.
- Channel diversity: Yuanbao (China), QQBot, Discord privacy defaults, Telegram cron threads — global reach.
- Security-first posture: Multiple redaction layers, token cleanup, and macOS hardening address production concerns.
- Plugin SDK evolution: Manifest-driven catalogs and explicit startup declarations improve long-term maintainability.
📈 Community Signals
- Reddit user reported v2026.4.26 update breaking existing installs when jumping from 2026.4.5 — rapid release cadence creates migration friction for users on older versions.
- Facebook group comment: "Every release they're tightening the security layer. This is what responsible AI development looks like."
⚠️ Pain Points
- Breaking changes in plugin SDK (deprecated implicit sidecar loading)
- Large version jumps may cause compatibility issues for users on older releases
- Discord private-by-default change may confuse users relying on legacy auto-posting
🔄 Migration Notes
- Update to v2026.4.27 via your package manager or
openclaw update
- Review
proxy.enabled if you need outbound proxy routing
- Discord users: set
messages.groupChat.visibleReplies: "automatic" to restore legacy behavior
- Plugin developers: migrate to
activation.onStartup metadata
- Check for deprecated
CLAWDBOT_* or MOLTBOT_* env vars