OpenClaw shipped version 2026.3.22 with ClawHub, OpenShell plus SSH sandboxes, side-question flows, and more search and model options, then followed with a 2026.3.23 patch. Teams get a broader plugin surface, but should patch quickly and review plugin trust boundaries as the ecosystem grows.

The 2026.3.22 release is a broad platform update, not a single feature drop. OpenClaw's release post highlights five engineering-relevant changes: ClawHub as a plugin marketplace, more model backends with "per-agent reasoning," /btw for side questions, OpenShell plus SSH sandboxes, and search integrations for Exa, Tavily, and Firecrawl.
The beta notes in the prerelease add the implementation detail the headline post skips. Plugin installation now prefers ClawHub over npm for safer package handling; the Chrome extension relay path is gone and users must run openclaw doctor --fix to migrate; and the plugin SDK has been reworked around openclaw/plugin-sdk/*, with message discovery now requiring describeMessageTool(...). The same beta also deprecates the bundled nano-banana-pro wrapper in favor of a native model path and swaps in a Matrix plugin built on the official matrix-js-sdk.
A small but relevant governance point: amid speculation around the launch, founder Steipete said in a correction post that "OpenAI did not buy the project" and that OpenClaw is run by an independent foundation.
The 2026.3.23 patch reads like a fast stabilization release for a very large launch. According to the patch notes, OpenClaw added a DeepSeek provider plugin, Qwen pay-as-you-go API support, OpenRouter auto-pricing, and an Anthropic thinking-order change, alongside fixes across Discord, Slack, Matrix, the web UI, and Chrome MCP.
Steipete said in a postmortem note that a release step for the web control UI assets was missed, leaving the current release unable to load that UI correctly until users moved to beta or waited for a refreshed build. In the follow-up thread, he said the team is "automating the whole release pipeline" and adding end-to-end tests for web, while another reply called macOS release and Apple's notarization flow "the hardest part of automating." A separate post in the GitHub sponsorship note says OpenClaw also hit GitHub free-tier limits while automating releases.
There are already early signs that the plugin surface is being used to connect external agent stacks. Steipete wrote in a plugin note that Harold connected a Codex app server with OpenClaw, calling it "the power of plugins."
Posted by fs_software
The article criticizes OpenClaw (formerly Clawdbot/Moltbot) as insecure despite its hype and capabilities in automating tasks like calendar and email management. Key vulnerabilities include: malware in ClawdHub skills (e.g., most-downloaded skill was info-stealing malware discovered by 1Password's Jason Melier; Snyk found 283 risky skills out of 3,984); prompt injection risks amplified by agent access; compromised integrations exposing credentials; and over 30,000 exposed instances due to localhost auth bypass. It advises consumers to avoid it due to immature ecosystem, though some patches like VirusTotal scanning have been added.
OpenClaw is expanding its plugin and sandbox surface while critics are arguing that its trust model is still immature. The Composio write-up linked from the HN-covered article alleges malware in marketplace skills, prompt-injection risk amplified by agent permissions, compromised integrations, and more than 30,000 exposed instances from localhost auth bypasses; it also notes some mitigations, including VirusTotal scanning.
Posted by fs_software
Relevant for builders of AI agents and tool-using systems: the thread focuses on the security consequences of broad account access, the practical value of per-tool/per-function permissions, and whether containerization or separate identities actually reduce risk. It also highlights an enterprise adoption issue—M365/Teams support—as part of product design and rollout.
The HN discussion summarized in the thread is more useful than the headline for deployment teams. Commenters argued for "limited scope permissions" and "per-function permissions" instead of blanket account access, while another noted that a containerized filesystem is only "a slightly more secure version" if the underlying account and tool permissions stay broad. That matters because OpenClaw's own beta changelog shows the team hardening sandboxes against JVM, glibc, and .NET hijacking attempts, but sandboxing and plugin distribution solve different layers of the risk model.
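To make the "per-function permissions" argument concrete, here is an added example that is not OpenClaw code and does not use its plugin SDK: a deny-by-default gate that checks each agent tool call against per-function grants and argument constraints. The agent id, tool names, policy shape and sample calls are all hypothetical and constructed for illustration.

```javascript
// Added example: every name here is hypothetical, not OpenClaw's API.
// Grants are per agent and per "tool.function"; anything unlisted is denied.
const POLICY = new Map([
  ["calendar-helper", new Map([
    ["calendar.listEvents", null], // granted, no argument constraint
    ["calendar.createEvent", (a) => a.attendees.length === 0],
    // Outbound mail only to the organisation's own domain (assumed).
    ["email.send", (a) => a.to.every((addr) => addr.endsWith("@example.com"))],
  ])],
]);

function authorize(agentId, call, policy = POLICY) {
  const grants = policy.get(agentId);
  if (!grants || !grants.has(call.name)) {
    return { allowed: false, reason: "function not granted" };
  }
  const constraint = grants.get(call.name);
  if (constraint === null) return { allowed: true, reason: "granted" };
  let ok = false;
  try {
    ok = constraint(call.args ?? {}) === true;
  } catch {
    ok = false; // malformed arguments fail closed
  }
  return ok
    ? { allowed: true, reason: "granted with constraint" }
    : { allowed: false, reason: "argument constraint failed" };
}

// Constructed sample calls, as an agent runtime might emit them.
const SAMPLE_CALLS = [
  { name: "calendar.listEvents", args: {} },
  { name: "email.send", args: { to: ["boss@example.com"] } },
  { name: "email.send", args: { to: ["boss@example.com", "x@other.test"] } },
  { name: "email.readAll", args: {} },                    // never granted
  { name: "email.send", args: { to: "boss@example.com" } }, // wrong type
];

function decide(agentId, calls) {
  return calls.map((c) => ({ name: c.name, ...authorize(agentId, c) }));
}

for (const d of decide("calendar-helper", SAMPLE_CALLS)) {
  console.log(d.allowed ? "ALLOW" : "DENY ", d.name, "-", d.reason);
}
```

A gate like this narrows what the account token can be used for; a container or sandbox around the tool process constrains where code runs, which is the separate layer the commenters were pointing at.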
OpenClaw's maintainer asked users to switch to the dev channel and stress normal workflows before a large release that may break plugins. Watch harness speed, context plugins, and permission boundaries closely while the SDK refactor lands.
OpenClaw 2026.3.22 🦞 🏪 ClawHub plugin marketplace 🤖 MiniMax M2.7, GPT-5.4-mini/nano + per-agent reasoning 💬 /btw side questions 🏖️ OpenShell + SSH sandboxes 🌐 Exa, Tavily, Firecrawl search This release is so big it needs its own table of contents. github.com/openclaw/openc…
OpenClaw 2026.3.23 🦞 🧪 DeepSeek provider plugin ☁️ Qwen pay-as-you-go ♻️ OpenRouter auto pricing + Anthropic thinking order 🖥️ Chrome MCP waits for tabs 🔧 Discord/Slack/Matrix + Web UI fixes Upgrade before your agent does it for you. github.com/openclaw/openc…