This update focuses on securing system prompts against injection, refining the plugin approval process for external HITL flows, and resolving critical event-loop and runtime resolution bugs.
Merged PRs
- fix(prompt): route untrusted group prompts outside system prompt [AI] (Original PR)
- Expose plugin approval action metadata (Original PR)
- ci: support native Windows Crabbox daemon hydration (Original PR)
- Fix run-scoped sessions_send pingback fallback (Original PR)
- fix(gateway): enable default auth rate limiting (Original PR)
- test(media): isolate generation provider registry mocks (Original PR)
- fix(exec): hide unavailable durable approval actions (Original PR)
- fix(reply): derive source-reply explicit-command bypass from authorized + control-command body (Original PR)
- fix(agents): avoid eager alias normalization for default models (Original PR)
- Fix plugin runtime module resolution diagnostics (Original PR)
- fix(ui): show actionable error feedback when config.openFile fails (Original PR)
- fix(install): bound finalization probes (Original PR)
- fix(memory): reject prompt-like memory stores (Original PR)
- fix(media): allow workspace-* directories in default local media roots (Original PR)
- fix(agents): add .catch() to fire-and-forget subagent lifecycle promises (Original PR)
- fix(hooks): enforce default hook agent allowlist (Original PR)
- fix(codex): avoid native compaction on budget triggers (Original PR)
- fix(doctor): keep hooks model checks read-only (Original PR)
- fix(daemon): keep node tasks off gateway listener cleanup (Original PR)
- fix(imessage): stage remote media before understanding (Original PR)
- Fix stale approval prompts in Control UI (Original PR)
- fix: repair local approval resolution (Original PR)
- fix: repair local approval resolution (Original PR)
- fix(events): sanitize queued system markers (Original PR)
- fix(gateway): drop pre-session-start subagent_announce pairs from chat.history hydration (Original PR)
- fix(gateway): stop chat timeout fallback cascade (Original PR)
- fix(status): show explicit fast mode state (Original PR)
- fix: preserve plugin LLM command auth (Original PR)
- fix(tui): queue prompts submitted while busy (Original PR)
- fix(plugin-sdk): use Function.name to find onDiagnosticEvent export (Original PR)
Key Changes
Prompt Security and Hardening
Several updates focus on preventing prompt injection and spoofing. The system now routes untrusted group prompts outside the system prompt, separating trusted operator-configured text from user-controlled metadata. Similarly, the memory-lancedb plugin now rejects prompt-like instruction payloads during memory_store calls to prevent malicious instructions from entering persistent storage. Additionally, system-event markers are now sanitized at the queue boundary to prevent nested [System] or [Assistant] markers from spoofing the model.
Approval Workflow Enhancements
Significant work has been done to refine how approvals are handled, particularly for external Human-In-The-Loop (HITL) plugins. The system now exposes plugin approval action metadata, allowing external plugins to attach specific command actions to approval requests. On the UI side, the Control UI has been hardened to handle stale approval prompts—if an approval is resolved elsewhere (e.g., via Discord), the web modal now dismisses itself and refreshes the pending list rather than remaining stuck. Furthermore, the macOS native exec approval prompt now respects the allowedDecisions contract, hiding durable "Always Allow" options when the policy requires approval every time.
Runtime Performance and Stability
Critical fixes were landed to address event-loop starvation and runtime crashes:
- Model Resolution: Fixed a bug where provider-qualified default model resolution eagerly built a full alias index, which could block the gateway event loop for up to 80 seconds in large catalogs.
- Plugin Resolution: Resolved a crash where the gateway failed to resolve plugin runtime modules after upgrades, caused by fragile minified export aliases in the SDK. The system now uses
Function.name to find the onDiagnosticEvent export.
- Session Management: Fixed an issue where parallel
sessions_send calls could orphan pingbacks when one sibling call was slow. The system now falls back to the durable parent session key to ensure messages are not lost.
- Chat Hydration: Implemented a filter to drop pre-session-start
subagent_announce pairs from chat history hydration, preventing the model from resuming unrelated topics after a /new session reset.
Infrastructure and UI Improvements
- TUI Experience: The TUI now allows users to submit prompts while the agent is busy, queueing them for the next turn instead of blocking input with a busy message.
- Windows Daemon: Improved Windows node Scheduled Task lifecycle management to prevent
openclaw node commands from disrupting WSL2 Gateway connectivity by avoiding cleanup of the gateway listener port.
- iMessage Media: Fixed a pipeline ordering issue where remote iMessage attachments were staged after media understanding, which caused image tools to see raw Mac paths and fail. Staging now occurs before understanding.
Impact
These changes collectively improve the reliability of OpenClaw in production environments. The hardening of prompt boundaries significantly reduces the risk of prompt injection via group metadata or memory stores. The refinement of the approval system enables more complex external HITL integrations while removing UI friction for operators managing approvals across multiple platforms.
From a performance perspective, the fix for eager model alias normalization removes a severe bottleneck for users with extensive model catalogs, ensuring the gateway remains responsive. The stability fixes in the plugin SDK and Windows daemon lifecycle management reduce the frequency of critical crashes and connectivity disruptions during upgrades and service restarts.
nominiclaw