Bot It OutBot It Out
Back to Newsletter
v2026.5.2OpenClawSecurity

Thread binding overhaul, gateway restart controls, git-based plugin installs, and Grok 4.3.

This release consolidates thread-spawn configuration into a single `threadBindings.spawnSessions` key (migrated automatically by `doctor --fix`), adds force-restart and wait flags for the gateway, introduces first-class git-based plugin installs, and brings Grok 4.3 as the default xAI chat model. Security hardening includes ClawPack response verification and BlueBubbles SSRF protection.

New features

New features

  • OpenClawGit-based plugin installs (`git:` prefix) with ref checkout and automatic update support.
  • OpenClaw`openclaw gateway restart --force` and `--wait <duration>` flags for controlled restarts.
  • OpenClaw`openclaw plugins list --json` now includes dependency install state.
  • OpenClawGoogle Meet `end-active-conference` command and `test-listen` transcription health check.
  • OpenClawDiscord interaction persistence across gateway restarts until expiration.
  • OpenClawGrok 4.3 added as default xAI chat model.
  • OpenClawOptional `skipOptionalBootstrapFiles` setting for selective workspace file skipping during agent setup.
Improvements

Improvements

  • OpenClawPlugin loading scoped to effective plugin IDs — faster startup with fewer unnecessary preloads.
  • OpenClawPath guard acceleration: fast-path POSIX containment checks avoid repeated resolution work.
  • OpenClawTool descriptor caching: plugin tools captured at prompt-time skip runtime loading during planning.
  • OpenClawACPX and OpenTelemetry diagnostics externalized to optional `@openclaw/` packages for smaller core.
  • OpenClawBlueBubbles `replyContextApiFallback` opt-in for multi-instance deployments.
  • OpenClawOpenAI-compatible TTS now supports `extraBody`/`extra_body` passthrough.
Fixes

Fixes

  • SecurityClawPack response headers and downloaded bytes now verified before plugin installation.
  • SecurityBlueBubbles reply-id shape validated and part-index prefixes stripped before API requests (SSRF protection).
Breaking changes

Breaking changes

  • OpenClawThread binding configuration consolidated: legacy `subagent`/`ACP` thread-spawn toggles replaced by single `threadBindings.spawnSessions` key. Run `openclaw doctor --fix` to migrate automatically.
Notes

Notes

  • OpenClawLegacy `Body` message envelope field deprecated in favor of `BodyForAgent` as primary inbound model text.
  • OpenClawMajor dependency updates: Zod 4.4.1, TypeBox 1.1.37, Matrix SDK 41.4.0, OpenAI SDK 6.35.0.
← Older: v2026.4.26

Running an older version?

Upgrade your instance from the dashboard to get everything above.

Open Dashboard