Update broke my setup

Installing skills or plugins? Add an install-policy gate.

OpenClaw 2026.6.5 added `security.installPolicy`, a local command hook that can approve or block skill and plugin installs after source material is staged and before install/update continues. Use it when ClawHub, uploaded archives, Git/local skills, dependency installers, or plugins can change your agent surface. The operator rule is simple: stage first, inspect locally, fail closed if the policy command is missing, then smoke-test before trusting the new tool path.

OpenClaw allowlists: use stable sender IDs, not names.

A recent OpenClaw advisory is a good reminder for anyone letting chat messages trigger elevated tools: mutable usernames and display-style metadata can drift away from the stable sender you meant to trust. For Telegram, the verified GitHub advisory calls out mutable usernames directly; for other channels, treat the same class as an audit pattern, not a blanket claim. Use stable platform IDs where possible, keep name matching opt-in and documented, and smoke-test the channel before resuming unattended work.

Trying OpenClaw 2026.5.30 beta? Smoke-test recovery first.

OpenClaw 2026.5.30-beta.1 is a useful upgrade candidate, but the release note touches exactly the paths operators depend on when agents run unattended: interrupted tool-call recovery, stale session bindings, channel delivery, provider/plugin timeouts, plugin metadata, gateway runtime state, and device/admin gating. Treat it as a controlled canary, not a blind update. Snapshot first, upgrade one install, then prove the channels and recovery paths you actually use before moving normal work over.

Session stuck ‘In progress’? Check terminal cleanup first.

A fresh OpenClaw gateway commit points to a subtle failure mode: a session can be finished while the active-run projection still makes it look stuck `In progress`. Do not start by killing random processes or deleting state. Treat it as a terminal-lifecycle cleanup problem: capture the symptom, check whether the task actually ended, update to a build that includes the fix when available, and keep retry/abort safety separate from the UI's active-session view.

Tailscale-exposed gateway? Do not leave `auth=none`.

A fresh OpenClaw field signal pointed at an upstream gateway hardening commit that rejects Tailscale-exposed gateways when auth is disabled. Treat that as a useful operator rule even before you depend on the guard: if a gateway is reachable from another device, teammate, tunnel, or shared network, `auth=none` is not a safe steady state. Snapshot first, switch to token/TLS-backed access, and smoke-test from the network path your agents actually use.

OpenClaw before 2026.4.22? Audit sandbox and MCP exposure.

A fresh X security cluster is useful because it points to official records, not just chatter. NVD and GitHub advisories list four OpenClaw issues fixed in 2026.4.22: OpenShell filesystem write/read symlink-race escapes, shell expansion hidden in unquoted heredocs, and spoofable loopback MCP owner context. If an older install was exposed to shared users, tunnels, reverse proxies, or untrusted prompts/plugins, treat this as an upgrade-and-exposure review before trusting agent work again.

Updated to OpenClaw 2026.5.12? Smoke-test the paths you use.

OpenClaw 2026.5.12 is a broad stabilization release: leaner core installs, more resilient Telegram delivery, smoother Codex/OpenAI paths, harder-to-wedge plugin installs, and gateway/browser security hardening. That is good news, but a wide release can still expose local drift. Treat the upgrade as successful only after the channels, auth routes, plugins, and gateway surfaces you depend on pass a small real-world check.

Updated to OpenClaw 2026.5.20? Check secrets, model drift, and Codex.

OpenClaw 2026.5.20 is now a stable, signed release with useful safety work: `openclaw doctor` can warn about plaintext secret-bearing config fields, model status now explains when a session is pinned away from the configured default, xAI gets a device-code OAuth path for headless hosts, Docker images keep the bundled Codex harness through pruning, and cron/gateway diagnostics are less fragile. Treat that as a safer upgrade window, not permission to skip a rollback point: snapshot first, run doctor/status checks, and smoke-test only the integrations you actually depend on.

OpenClaw before 2026.4.20? Lock down config mutation.

CVE-2026-45001 reports a guard bypass in OpenClaw's agent-facing gateway `config.patch` and `config.apply` endpoints before 2026.4.20. The risk is not just a broken setting: a prompt-injected model with owner-only gateway-tool access could persist changes to operator-trusted controls such as sandbox policy, plugin enablement, gateway auth/TLS, hook routing, MCP server configuration, SSRF policy, and filesystem hardening.

Self-hosted OpenClaw older than 2026.4.10? Audit it now.

Recent CVE chatter is worth acting on if you expose OpenClaw beyond your laptop. GitHub, NVD, and CVE records now point to several fixed-before-2026.4.10 issues: sandbox noVNC helper-route authentication bypass, Nostr plugin profile-route access control, sandbox browser CDP relay binding too broadly to `0.0.0.0`, and external hook metadata being enqueued as trusted system events. Treat this as an upgrade-and-exposure audit, not a panic reinstall.

Installing random ClawHub skills? Quarantine first.

Acronis TRU reports an active AI supply-chain campaign that abused Hugging Face and ClawHub/OpenClaw, including 575+ malicious OpenClaw skills across 13 developer accounts. Treat third-party skills like code that can reach your workspace: useful, but not something to install blind in the same profile that holds credentials, production repos, or agent memory.

Giving agents real API keys? Broker them instead.

Infisical's Agent Vault launch is a useful reminder, not a magic shield: agents like OpenClaw and Hermes should not need to hold raw API keys in their context, env, or readable config. A broker/proxy can keep the real credential outside the agent and attach it only on allowed outbound requests. If your current setup already exposed provider, GitHub, Stripe, database, or bot tokens to agents, treat the migration as a controlled auth-change: snapshot first, rotate carefully, and smoke-test before unattended work resumes.

Exposed openclaw.json? Rotate before agents run.

A field report warned that exposed OpenClaw config files can become a model-credit-drain path. The exact incident still needs independent confirmation, but the risk is real: OpenClaw config can contain provider keys, tokens, app secrets, and gateway settings, and a closed GitHub issue showed how raw config exposure can leak plaintext credentials through tool surfaces.

ChatGPT/Codex route broke after update?

OpenClaw 2026.5.6 fixed a 2026.5.5 doctor --fix regression that could rewrite valid openai-codex/* ChatGPT/Codex OAuth routes to openai/*, breaking OAuth-only GPT-5.5 setups or moving users onto the API-key route. If your agents started failing right after that update, check the route before changing prompts or reinstalling.

After 2026.5.7, check who can run the sharp tools

OpenClaw 2026.5.7 tightened two high-impact surfaces: native command handlers now honor owner enforcement, and global Active Memory toggles require admin scope. If you run shared Telegram, Discord, or channel agents, treat the upgrade as a permission-audit moment — not just a version bump.

Update broke your setup? Roll back in 2 minutes

If an update breaks your workflow, OpenClaw's native verified backup plus a tested rollback path gets you back to green fast.

Keep OpenClaw updated without losing bot access

Nightly updates reduce drift, but only if you can recover fast when an update breaks connectivity or bot access.