Free OpenClaw quick fixes

OpenClaw Nuggets

Short fixes for OpenClaw problems that feel urgent or confusing. Start with the plain checklist; if the same issue keeps coming back, use the related playbook for a repeatable setup.

When a quick fix is not enough

Making a risky change? Snapshot first.

Nuggets are the free first step. If you are about to update config, rotate credentials, or let agents run while you are away, use OpenClaw Safety Net for the backup, restore drill, and rollback checklist before touching the live setup.

OpenClaw Safety Net
SECURITY
Seen in: OpenClaw v2026.6.5 release + install-policy docs
Installing skills or plugins? Add an install-policy gate.

OpenClaw 2026.6.5 added `security.installPolicy`, a local command hook that can approve or block skill and plugin installs after source material is staged and before install/update continues. Use it when ClawHub, uploaded archives, Git/local skills, dependency installers, or plugins can change your agent surface. The operator rule is simple: stage first, inspect locally, fail closed if the policy command is missing, then smoke-test before trusting the new tool path.

CONFIG
Seen in: OpenClaw Parallel search docs + v2026.6.5 release
OpenClaw web search works free — add a key only when you need more.

OpenClaw now bundles Parallel as a `web_search` provider. If no other provider is configured, `parallel-free` can work without an account or API key; the paid `parallel` provider uses `PARALLEL_API_KEY` for higher limits and tuning. That makes setup easier, but it also means operators should know which provider is actually serving searches before debugging stale results, missing excerpts, or rate limits.

SECURITY
Seen in: GitHub advisory + OpenClaw Teams/access-group docs
OpenClaw allowlists: use stable sender IDs, not names.

A recent OpenClaw advisory is a good reminder for anyone letting chat messages trigger elevated tools: mutable usernames and display-style metadata can drift away from the stable sender you meant to trust. For Telegram, the verified GitHub advisory calls out mutable usernames directly; for other channels, treat the same class as an audit pattern, not a blanket claim. Use stable platform IDs where possible, keep name matching opt-in and documented, and smoke-test the channel before resuming unattended work.

UPDATES
Seen in: OpenClaw v2026.5.30-beta.1 release note + X field signals
Trying OpenClaw 2026.5.30 beta? Smoke-test recovery first.

OpenClaw 2026.5.30-beta.1 is a useful upgrade candidate, but the release note touches exactly the paths operators depend on when agents run unattended: interrupted tool-call recovery, stale session bindings, channel delivery, provider/plugin timeouts, plugin metadata, gateway runtime state, and device/admin gating. Treat it as a controlled canary, not a blind update. Snapshot first, upgrade one install, then prove the channels and recovery paths you actually use before moving normal work over.

UPDATES
Seen in: OpenClaw gateway commit + X field signal
Session stuck ‘In progress’? Check terminal cleanup first.

A fresh OpenClaw gateway commit points to a subtle failure mode: a session can be finished while the active-run projection still makes it look stuck `In progress`. Do not start by killing random processes or deleting state. Treat it as a terminal-lifecycle cleanup problem: capture the symptom, check whether the task actually ended, update to a build that includes the fix when available, and keep retry/abort safety separate from the UI's active-session view.

COST
Seen in: OpenClaw compaction commit + X field signal
Large transcript freezes? Move compaction off the hot path.

A fresh OpenClaw commit moved compaction planning into a bounded worker-thread path because large transcript planning can monopolize the agent event loop. For operators, the lesson is simple: when a long session freezes around history pruning or summarization, treat transcript size and compaction as a reliability/cost surface, not just a slow model. Snapshot first, reproduce with a small canary, upgrade when the fix is available, and keep expensive long-context runs behind a responsiveness check.

SECURITY
Seen in: GitHub commit + X field signal
Tailscale-exposed gateway? Do not leave `auth=none`.

A fresh OpenClaw field signal pointed at an upstream gateway hardening commit that rejects Tailscale-exposed gateways when auth is disabled. Treat that as a useful operator rule even before you depend on the guard: if a gateway is reachable from another device, teammate, tunnel, or shared network, `auth=none` is not a safe steady state. Snapshot first, switch to token/TLS-backed access, and smoke-test from the network path your agents actually use.

IMESSAGE
Seen in: OpenClaw docs + imsg docs
BlueBubbles gone? Move OpenClaw iMessage to `imsg` first.

OpenClaw's docs now say the BlueBubbles channel is no longer the supported iMessage path. The replacement is the bundled `imessage` plugin running `imsg` locally on a Mac with Messages.app signed in, or through an SSH wrapper from another host. Treat this like an integration cutover, not a casual update: install and permission `imsg`, translate config, smoke-test direct and group messages, then retire the old BlueBubbles server only after the new path works.

SECURITY
Seen in: NVD + GitHub advisories
OpenClaw before 2026.4.22? Audit sandbox and MCP exposure.

A fresh X security cluster is useful because it points to official records, not just chatter. NVD and GitHub advisories list four OpenClaw issues fixed in 2026.4.22: OpenShell filesystem write/read symlink-race escapes, shell expansion hidden in unquoted heredocs, and spoofable loopback MCP owner context. If an older install was exposed to shared users, tunnels, reverse proxies, or untrusted prompts/plugins, treat this as an upgrade-and-exposure review before trusting agent work again.

UPDATES
Seen in: OpenClaw v2026.5.12 release note
Updated to OpenClaw 2026.5.12? Smoke-test the paths you use.

OpenClaw 2026.5.12 is a broad stabilization release: leaner core installs, more resilient Telegram delivery, smoother Codex/OpenAI paths, harder-to-wedge plugin installs, and gateway/browser security hardening. That is good news, but a wide release can still expose local drift. Treat the upgrade as successful only after the channels, auth routes, plugins, and gateway surfaces you depend on pass a small real-world check.

UPDATES
Seen in: OpenClaw v2026.5.20 release note
Updated to OpenClaw 2026.5.20? Check secrets, model drift, and Codex.

OpenClaw 2026.5.20 is now a stable, signed release with useful safety work: `openclaw doctor` can warn about plaintext secret-bearing config fields, model status now explains when a session is pinned away from the configured default, xAI gets a device-code OAuth path for headless hosts, Docker images keep the bundled Codex harness through pruning, and cron/gateway diagnostics are less fragile. Treat that as a safer upgrade window, not permission to skip a rollback point: snapshot first, run doctor/status checks, and smoke-test only the integrations you actually depend on.

GATEWAY
Seen in: GitHub issues + X field report
Gateway token mismatch after repair? Verify before rotating.

A field report says `openclaw doctor --fix gateway` can appear clean while auth/profile state still disagrees with what the gateway expects. That lines up with two confirmed OpenClaw failure classes: gateway connection tokens must match exactly, and older auth-profile drift bugs have overwritten fresh credentials from stale gateway memory. Treat repair as incomplete until the gateway accepts a real smoke test.

SECURITY
Seen in: CVE Record + VulnCheck
OpenClaw before 2026.4.20? Lock down config mutation.

CVE-2026-45001 reports a guard bypass in OpenClaw's agent-facing gateway `config.patch` and `config.apply` endpoints before 2026.4.20. The risk is not just a broken setting: a prompt-injected model with owner-only gateway-tool access could persist changes to operator-trusted controls such as sandbox policy, plugin enablement, gateway auth/TLS, hook routing, MCP server configuration, SSRF policy, and filesystem hardening.

SECURITY
Seen in: GitHub advisories + CVE/NVD records
Self-hosted OpenClaw older than 2026.4.10? Audit it now.

Recent CVE chatter is worth acting on if you expose OpenClaw beyond your laptop. GitHub, NVD, and CVE records now point to several fixed-before-2026.4.10 issues: sandbox noVNC helper-route authentication bypass, Nostr plugin profile-route access control, sandbox browser CDP relay binding too broadly to `0.0.0.0`, and external hook metadata being enqueued as trusted system events. Treat this as an upgrade-and-exposure audit, not a panic reinstall.

SECURITY
Seen in: Acronis TRU report
Installing random ClawHub skills? Quarantine first.

Acronis TRU reports an active AI supply-chain campaign that abused Hugging Face and ClawHub/OpenClaw, including 575+ malicious OpenClaw skills across 13 developer accounts. Treat third-party skills like code that can reach your workspace: useful, but not something to install blind in the same profile that holds credentials, production repos, or agent memory.

SECURITY
Seen in: Infisical Agent Vault + X reminder
Giving agents real API keys? Broker them instead.

Infisical's Agent Vault launch is a useful reminder, not a magic shield: agents like OpenClaw and Hermes should not need to hold raw API keys in their context, env, or readable config. A broker/proxy can keep the real credential outside the agent and attach it only on allowed outbound requests. If your current setup already exposed provider, GitHub, Stripe, database, or bot tokens to agents, treat the migration as a controlled auth-change: snapshot first, rotate carefully, and smoke-test before unattended work resumes.

SECURITY
Seen in: GitHub issue + X field report
Exposed openclaw.json? Rotate before agents run.

A field report warned that exposed OpenClaw config files can become a model-credit-drain path. The exact incident still needs independent confirmation, but the risk is real: OpenClaw config can contain provider keys, tokens, app secrets, and gateway settings, and a closed GitHub issue showed how raw config exposure can leak plaintext credentials through tool surfaces.

COST
Seen in: Sam Altman X post
High Claude Opus bills? Use your ChatGPT login.

After Anthropic ended Claude auth support for OpenClaw, some former Claude Opus users got pushed toward expensive API usage. If ChatGPT 5.5 is good enough for your routine agent work, direct ChatGPT subscription login in OpenClaw can be the cheaper first test — no Codex-auth detour required.

UPDATES
Seen in: OpenClaw v2026.5.6 release note
ChatGPT/Codex route broke after update?

OpenClaw 2026.5.6 fixed a 2026.5.5 `doctor --fix` regression that could rewrite valid `openai-codex/*` ChatGPT/Codex OAuth routes to `openai/*`, breaking OAuth-only GPT-5.5 setups or moving users onto the API-key route. If your agents started failing right after that update, check the route before changing prompts or reinstalling.

UPDATES
Seen in: OpenClaw v2026.5.7 release note
After 2026.5.7, check who can run the sharp tools

OpenClaw 2026.5.7 tightened two high-impact surfaces: native command handlers now honor owner enforcement, and global Active Memory toggles require admin scope. If you run shared Telegram, Discord, or channel agents, treat the upgrade as a permission-audit moment — not just a version bump.

COST
Seen in: OpenClaw v2026.5.7 release note
Recurring agents unhealthy? Stop guessing from logs.

OpenClaw 2026.5.7 added computed status to `cron list --json` and `cron show --json`, including disabled, running, ok, error, skipped, and idle states. That gives watchdogs and dashboards a first-class health signal instead of expensive log-scraping guesses.

CONFIG
Seen in: X post
Agent suddenly can’t read files

File access often breaks when onboarding switches `tools.profile` to a restrictive mode such as `messaging-only`.

GATEWAY
Seen in: X post
Gmail integration keeps disconnecting

If Gmail works once and then stops, the break is usually gateway health, expired credentials, or missing refresh/scope behavior.

DISCORD
Seen in: OpenClaw Discord
Agent loses track of work in Discord

If you run OpenClaw in one noisy Discord channel, context gets polluted and output quality drops. Split each project into Brief / Agent / Deliverables / Status.

COST
Seen in: X post
Token costs suddenly spike with multiple agents

Multiple agents multiply token burn through retries, long context, and expensive model choices. Measure before scaling.

BACKUP
Seen in: GitHub + Discord
Update broke your setup? Roll back in 2 minutes

If an update breaks your workflow, OpenClaw's native verified backup plus a tested rollback path gets you back to green fast.

UPDATES
Seen in: Operator practice
Keep OpenClaw updated without losing bot access

Nightly updates reduce drift, but only if you can recover fast when an update breaks connectivity or bot access.
