2026.2.12

Fri, 13 Feb 2026 03:17:54 +0100

OpenClaw 2026.2.12

Changes

CLI: add openclaw logs --local-time to display log timestamps in local timezone. (#13818) Thanks @xialonglee.
Telegram: render blockquotes as native
tags instead of stripping them. (#14608)
Config: avoid redacting maxTokens-like fields during config snapshot redaction, preventing round-trip validation failures in /config. (#14006) Thanks @constansino.

Breaking

Hooks: POST /hooks/agent now rejects payload sessionKey overrides by default. To keep fixed hook context, set hooks.defaultSessionKey (recommended with hooks.allowedSessionKeyPrefixes: ["hook:"]). If you need legacy behavior, explicitly set hooks.allowRequestSessionKey: true. Thanks @alpernae for reporting.

Fixes

Gateway/OpenResponses: harden URL-based input_file/input_image handling with explicit SSRF deny policy, hostname allowlists (files.urlAllowlist / images.urlAllowlist), per-request URL input caps (maxUrlParts), blocked-fetch audit logging, and regression coverage/docs updates.
Security: fix unauthenticated Nostr profile API remote config tampering. (#13719) Thanks @coygeek.
Security: remove bundled soul-evil hook. (#14757) Thanks @Imccccc.
Security/Audit: add hook session-routing hardening checks (hooks.defaultSessionKey, hooks.allowRequestSessionKey, and prefix allowlists), and warn when HTTP API endpoints allow explicit session-key routing.
Security/Sandbox: confine mirrored skill sync destinations to the sandbox skills/ root and stop using frontmatter-controlled skill names as filesystem destination paths. Thanks @1seal.
Security/Web tools: treat browser/web content as untrusted by default (wrapped outputs for browser snapshot/tabs/console and structured external-content metadata for web tools), and strip toolResult.details from model-facing transcript/compaction inputs to reduce prompt-injection replay risk.
Security/Hooks: harden webhook and device token verification with shared constant-time secret comparison, and add per-client auth-failure throttling for hook endpoints (429 + Retry-After). Thanks @akhmittra.
Security/Browser: require auth for loopback browser control HTTP routes, auto-generate gateway.auth.token when browser control starts without auth, and add a security-audit check for unauthenticated browser control. Thanks @tcusolle.
Sessions/Gateway: harden transcript path resolution and reject unsafe session IDs/file paths so session operations stay within agent sessions directories. Thanks @akhmittra.
Gateway: raise WS payload/buffer limits so 5,000,000-byte image attachments work reliably. (#14486) Thanks @0xRaini.
Logging/CLI: use local timezone timestamps for console prefixing, and include ±HH:MM offsets when using openclaw logs --local-time to avoid ambiguity. (#14771) Thanks @0xRaini.
Gateway: drain active turns before restart to prevent message loss. (#13931) Thanks @0xRaini.
Gateway: auto-generate auth token during install to prevent launchd restart loops. (#13813) Thanks @cathrynlavery.
Gateway: prevent undefined/missing token in auth config. (#13809) Thanks @asklee-klawd.
Gateway: handle async EPIPE on stdout/stderr during shutdown. (#13414) Thanks @keshav55.
Gateway/Control UI: resolve missing dashboard assets when openclaw is installed globally via symlink-based Node managers (nvm/fnm/n/Homebrew). (#14919) Thanks @aynorica.
Cron: use requested agentId for isolated job auth resolution. (#13983) Thanks @0xRaini.
Cron: prevent cron jobs from skipping execution when nextRunAtMs advances. (#14068) Thanks @WalterSumbon.
Cron: pass agentId to runHeartbeatOnce for main-session jobs. (#14140) Thanks @ishikawa-pro.
Cron: re-arm timers when onTimer fires while a job is still executing. (#14233) Thanks @tomron87.
Cron: prevent duplicate fires when multiple jobs trigger simultaneously. (#14256) Thanks @xinhuagu.
Cron: isolate scheduler errors so one bad job does not break all jobs. (#14385) Thanks @MarvinDontPanic.
Cron: prevent one-shot at jobs from re-firing on restart after skipped/errored runs. (#13878) Thanks @lailoo.
Heartbeat: prevent scheduler stalls on unexpected run errors and avoid immediate rerun loops after requests-in-flight skips. (#14901) Thanks @joeykrug.
Cron: honor stored session model overrides for isolated-agent runs while preserving hooks.gmail.model precedence for Gmail hook sessions. (#14983) Thanks @shtse8.
Logging/Browser: fall back to os.tmpdir()/openclaw for default log, browser trace, and browser download temp paths when /tmp/openclaw is unavailable.
WhatsApp: convert Markdown bold/strikethrough to WhatsApp formatting. (#14285) Thanks @Raikan10.
WhatsApp: allow media-only sends and normalize leading blank payloads. (#14408) Thanks @karimnaguib.
WhatsApp: default MIME type for voice messages when Baileys omits it. (#14444) Thanks @mcaxtr.
Telegram: handle no-text message in model picker editMessageText. (#14397) Thanks @0xRaini.
Telegram: surface REACTION_INVALID as non-fatal warning. (#14340) Thanks @0xRaini.
BlueBubbles: fix webhook auth bypass via loopback proxy trust. (#13787) Thanks @coygeek.
Slack: change default replyToMode from "off" to "all". (#14364) Thanks @nm-de.
Slack: detect control commands when channel messages start with bot mention prefixes (for example, @Bot /new). (#14142) Thanks @beefiker.
Signal: enforce E.164 validation for the Signal bot account prompt so mistyped numbers are caught early. (#15063) Thanks @Duartemartins.
Discord: process DM reactions instead of silently dropping them. (#10418) Thanks @mcaxtr.
Discord: respect replyToMode in threads. (#11062) Thanks @cordx56.
Heartbeat: filter noise-only system events so scheduled reminder notifications do not fire when cron runs carry only heartbeat markers. (#13317) Thanks @pvtclawn.
Signal: render mention placeholders as @uuid/@phone so mention gating and Clawdbot targeting work. (#2013) Thanks @alexgleason.
Discord: omit empty content fields for media-only messages while preserving caption whitespace. (#9507) Thanks @leszekszpunar.
Onboarding/Providers: add Z.AI endpoint-specific auth choices (zai-coding-global, zai-coding-cn, zai-global, zai-cn) and expand default Z.AI model wiring. (#13456) Thanks @tomsun28.
Onboarding/Providers: update MiniMax API default/recommended models from M2.1 to M2.5, add M2.5/M2.5-Lightning model entries, and include minimax-m2.5 in modern model filtering. (#14865) Thanks @adao-max.
Ollama: use configured models.providers.ollama.baseUrl for model discovery and normalize /v1 endpoints to the native Ollama API root. (#14131) Thanks @shtse8.
Voice Call: pass Twilio stream auth token via instead of query string. (#14029) Thanks @mcwigglesmcgee.
Feishu: pass Buffer directly to the Feishu SDK upload APIs instead of Readable.from(...) to avoid form-data upload failures. (#10345) Thanks @youngerstyle.
Feishu: trigger mention-gated group handling only when the bot itself is mentioned (not just any mention). (#11088) Thanks @openperf.
Feishu: probe status uses the resolved account context for multi-account credential checks. (#11233) Thanks @onevcat.
Feishu DocX: preserve top-level converted block order using firstLevelBlockIds when writing/appending documents. (#13994) Thanks @Cynosure159.
Feishu plugin packaging: remove workspace:* openclaw dependency from extensions/feishu and sync lockfile for install compatibility. (#14423) Thanks @jackcooper2015.
CLI/Wizard: exit with code 1 when configure, agents add, or interactive onboard wizards are canceled, so set -e automation stops correctly. (#14156) Thanks @0xRaini.
Media: strip MEDIA: lines with local paths instead of leaking as visible text. (#14399) Thanks @0xRaini.
Config/Cron: exclude maxTokens from config redaction and honor deleteAfterRun on skipped cron jobs. (#13342) Thanks @niceysam.
Config: ignore meta field changes in config file watcher. (#13460) Thanks @brandonwise.
Cron: use requested agentId for isolated job auth resolution. (#13983) Thanks @0xRaini.
Cron: pass agentId to runHeartbeatOnce for main-session jobs. (#14140) Thanks @ishikawa-pro.
Cron: prevent cron jobs from skipping execution when nextRunAtMs advances. (#14068) Thanks @WalterSumbon.
Cron: re-arm timers when onTimer fires while a job is still executing. (#14233) Thanks @tomron87.
Cron: prevent duplicate fires when multiple jobs trigger simultaneously. (#14256) Thanks @xinhuagu.
Cron: isolate scheduler errors so one bad job does not break all jobs. (#14385) Thanks @MarvinDontPanic.
Cron: prevent one-shot at jobs from re-firing on restart after skipped/errored runs. (#13878) Thanks @lailoo.
Daemon: suppress EPIPE error when restarting LaunchAgent. (#14343) Thanks @0xRaini.
Antigravity: add opus 4.6 forward-compat model and bypass thinking signature sanitization. (#14218) Thanks @jg-noncelogic.
Agents: prevent file descriptor leaks in child process cleanup. (#13565) Thanks @KyleChen26.
Agents: prevent double compaction caused by cache TTL bypassing guard. (#13514) Thanks @taw0002.
Agents: use last API call's cache tokens for context display instead of accumulated sum. (#13805) Thanks @akari-musubi.
Agents: keep followup-runner session totalTokens aligned with post-compaction context by using last-call usage and shared token-accounting logic. (#14979) Thanks @shtse8.
Hooks/Plugins: wire 9 previously unwired plugin lifecycle hooks into core runtime paths (session, compaction, gateway, and outbound message hooks). (#14882) Thanks @shtse8.
Hooks/Tools: dispatch before_tool_call and after_tool_call hooks from both tool execution paths with rebased conflict fixes. (#15012) Thanks @Patrick-Barletta, @Takhoffman.
Discord: allow channel-edit to archive/lock threads and set auto-archive duration. (#5542) Thanks @stumct.
Discord tests: use a partial @buape/carbon mock in slash command coverage. (#13262) Thanks @arosstale.
Tests: update thread ID handling in Slack message collection tests. (#14108) Thanks @swizzmagik.

View full changelog

2026.2.9

Mon, 09 Feb 2026 13:23:25 -0600

2026.2.2

Tue, 03 Feb 2026 17:04:17 -0800

OpenClaw 2026.2.2

Changes

Feishu: add Feishu/Lark plugin support + docs. (#7313) Thanks @jiulingyun (openclaw-cn).
Web UI: add Agents dashboard for managing agent files, tools, skills, models, channels, and cron jobs.
Memory: implement the opt-in QMD backend for workspace memory. (#3160) Thanks @vignesh07.
Security: add healthcheck skill and bootstrap audit guidance. (#7641) Thanks @Takhoffman.
Config: allow setting a default subagent thinking level via agents.defaults.subagents.thinking (and per-agent agents.list[].subagents.thinking). (#7372) Thanks @tyler6204.
Docs: zh-CN translations seed + polish, pipeline guidance, nav/landing updates, and typo fixes. (#8202, #6995, #6619, #7242, #7303, #7415) Thanks @AaronWander, @taiyi747, @Explorer1092, @rendaoyuan, @joshp123, @lailoo.

Fixes

Security: require operator.approvals for gateway /approve commands. (#1) Thanks @mitsuhiko, @yueyueL.
Security: Matrix allowlists now require full MXIDs; ambiguous name resolution no longer grants access. Thanks @MegaManSec.
Security: enforce access-group gating for Slack slash commands when channel type lookup fails.
Security: require validated shared-secret auth before skipping device identity on gateway connect.
Security: guard skill installer downloads with SSRF checks (block private/localhost URLs).
Security: harden Windows exec allowlist; block cmd.exe bypass via single &. Thanks @simecek.
fix(voice-call): harden inbound allowlist; reject anonymous callers; require Telnyx publicKey for allowlist; token-gate Twilio media streams; cap webhook body size (thanks @simecek)
Media understanding: apply SSRF guardrails to provider fetches; allow private baseUrl overrides explicitly.
fix(webchat): respect user scroll position during streaming and refresh (#7226) (thanks @marcomarandiz)
Telegram: recover from grammY long-poll timed out errors. (#7466) Thanks @macmimi23.
Agents: repair malformed tool calls and session transcripts. (#7473) Thanks @justinhuangcode.
fix(agents): validate AbortSignal instances before calling AbortSignal.any() (#7277) (thanks @Elarwei001)
Media understanding: skip binary media from file text extraction. (#7475) Thanks @AlexZhangji.
Onboarding: keep TUI flow exclusive (skip completion prompt + background Web UI seed); completion prompt now handled by install/update.
TUI: block onboarding output while TUI is active and restore terminal state on exit.
CLI/Zsh completion: cache scripts in state dir and escape option descriptions to avoid invalid option errors.
fix(ui): resolve Control UI asset path correctly.
fix(ui): refresh agent files after external edits.
Docs: finish renaming the QMD memory docs to reference the OpenClaw state dir.
Tests: stub SSRF DNS pinning in web auto-reply + Gemini video coverage. (#6619) Thanks @joshp123.

View full changelog