This update focuses on critical security hardening for gateway commands and auth, improving plugin dependency management, and enhancing the user experience across Telegram, Slack, and Matrix channels.
The latest set of merged pull requests for OpenClaw introduces significant improvements in security posture, plugin lifecycle management, and channel-specific functionality. From hardening the gateway's command scope enforcement to resolving critical dependency repair bugs in the Matrix plugin, these changes ensure a more stable and secure environment for both operators and end-users.
Merged PRs
- fix: enable native require fast path on Windows for plugin-sdk root alias
- feat(gateway): inject isHeartbeat into agent event broadcast payload
- feat(agents): make run loop retry limits configurable in openclaw.json
- fix(onboard): accept Codex auth in model check
- docs: clarify PR workflow gitcrawl fallback
- Telegram: keep topic context after reset boundary
- Persist Docker auth profile key mount
- fix(node-pairing): replace changed pending requests [AI]
- Rate limit Google Chat webhook requests [AI]
- fix(feishu): normalize webhook rate-limit client keys [AI]
- fix(auth): prevent bootstrap pairing scope changes [AI]
- fix(telegram): render supported HTML replies
- Validate Control UI loopback retry endpoints [AI]
- fix(gateway): honor minimal discovery mode for wide-area DNS-SD [AI]
- Harden exported markdown link rendering [AI]
- slack: enforce reaction notification policy [AI]
- Enforce gateway command scopes by caller context [AI]
- Enforce Slack plugin approval button authorization [AI]
- Recognize PowerShell -ec inline commands [AI]
- fix(qqbot): authorize approval button callbacks [AI]
- Scrub streamable MCP redirect headers [AI]
- fix(matrix): stop runtime npm install from parent-derived cwd
- fix(memory-wiki): require admin scope for ingest [AI]
- memory-wiki: require write scope for Obsidian search [AI]
- fix(matrix): default markdown tables to bullets across Matrix clients
- fix(codex): release quiet completed app-server turns
- fix(update): mandatory post-core plugin convergence before gateway restart
- fix(doctor): repair managed plugin openclaw peer links
- fix: skip metadata for build-excluded bundled plugins
Key Changes
Security Hardening & Authorization
Several PRs focused on closing authorization gaps across the gateway and various integrations:
- Command Scope Enforcement: The gateway now enforces required scopes based on the caller context rather than the resolved command channel, preventing scoped callers from bypassing checks via external route metadata.
- Auth & Pairing: Bootstrap pairing now rejects role or scope changes while a request is pending. Additionally, node pairing now creates replacement requests when approval-relevant surfaces (caps, commands, permissions) change, ensuring operators approve the exact current state.
- Integration Authorization: Approval button callbacks for QQBot and Slack now strictly follow configured approver allowlists, preventing unauthorized users from resolving pending approvals.
- UI Security: The Control UI now validates loopback retry endpoints using dotted-quad 127/8 matching, and exported markdown reports now use a protocol allowlist to prevent unsafe link schemes.
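An added illustration of the two UI Security checks above, written for this page and not taken from OpenClaw's code. The function names, the accepted endpoint schemes and the link allowlist (http, https, mailto) are assumptions.

```javascript
// Added example: hypothetical helper names, not OpenClaw's implementation.
const DOTTED_QUAD = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;

// True only for a canonical dotted-quad literal inside 127.0.0.0/8.
function isLoopbackQuad(host) {
  const m = DOTTED_QUAD.exec(host);
  if (!m) return false;
  const parts = m.slice(1);
  // No leading zeros: some resolvers read such octets as octal.
  if (parts.some((p) => p.length > 1 && p.startsWith("0"))) return false;
  const octets = parts.map(Number);
  return octets[0] === 127 && octets.every((o) => o <= 255);
}

// Assumption: retry endpoints are http(s) or ws(s) URLs without credentials.
function isLoopbackRetryEndpoint(raw) {
  let url;
  try { url = new URL(raw); } catch { return false; }
  if (!["http:", "https:", "ws:", "wss:"].includes(url.protocol)) return false;
  if (url.username || url.password) return false;
  // Match the parsed hostname, never a prefix of the raw string.
  return isLoopbackQuad(url.hostname);
}

// Assumption: the export allowlist is http, https and mailto.
const LINK_SCHEMES = new Set(["http:", "https:", "mailto:"]);

// Emit a markdown link only for allowlisted schemes; otherwise plain text.
function renderExportLink(label, href) {
  const text = label.replace(/[\[\]]/g, "\\$&");
  let url;
  try { url = new URL(href); } catch { return text; }
  if (!LINK_SCHEMES.has(url.protocol)) return text;
  // Serialise via the parser and encode parens so the link cannot close early.
  const target = url.href.replace(/\(/g, "%28").replace(/\)/g, "%29");
  return `[${text}](${target})`;
}
```

Both checks parse first and then compare against an allowlist, so a hostname that merely begins with `127.` or a scheme written in mixed case is rejected.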
Plugin Stability & Lifecycle
Significant work was done to ensure plugins are installed and updated safely:
- Matrix Dependency Repair: A critical bug was fixed where the Matrix plugin would attempt to run npm install from an unsafe parent directory. This has been replaced with a pure availability check that directs users to the official openclaw doctor --fix path.
- Post-Core Convergence: The openclaw update process now includes a mandatory convergence pass. This validates plugin payloads and repairs missing configured plugins before the gateway restarts, preventing the system from booting into a broken state.
- OpenClaw Peer Links: The doctor command now repairs missing or stale host openclaw peer links for managed npm plugins, resolving plugin-sdk import failures.
Channel & Integration Enhancements
- Telegram: Fixed a critical issue where stale topic context from previous sessions could be replayed into new turns. Telegram now uses the sessionStartedAt boundary to isolate conversation history. Additionally, supported HTML tags are now preserved in replies.
- Matrix: Markdown tables now default to bullet lists (matching Signal/WhatsApp) to ensure better rendering across various Matrix clients.
- Slack & Google Chat: Implemented fixed-window rate limiting for Google Chat webhooks and enforced reaction notification policies for Slack to reduce noise and improve stability.
- MCP: Added manual redirect handling for streamable MCP HTTP fetches to scrub custom headers when redirecting to a different origin.
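The MCP redirect handling described above, sketched as an added example that is not OpenClaw's code. The function names, the list of headers kept across origins and the hop limit are assumptions, and request headers are assumed to be a plain object.

```javascript
// Added example: hypothetical names, not OpenClaw's implementation.
// Assumption: only these generic headers may follow a cross-origin redirect.
const SAFE_CROSS_ORIGIN = new Set(["accept", "accept-language", "content-type", "user-agent"]);

// Decide where a redirect goes and which headers may travel with it.
function nextHop(currentUrl, location, headers) {
  const from = new URL(currentUrl);
  const to = new URL(location, from); // Location may be relative
  if (to.protocol !== "http:" && to.protocol !== "https:") {
    throw new Error(`refusing redirect to ${to.protocol}`);
  }
  // Origin = scheme + host + port, so an https -> http hop also counts as cross-origin.
  const sameOrigin = from.origin === to.origin;
  const kept = {};
  for (const [name, value] of Object.entries(headers)) {
    if (sameOrigin || SAFE_CROSS_ORIGIN.has(name.toLowerCase())) kept[name] = value;
  }
  return { url: to.href, headers: kept, sameOrigin };
}

// Follow redirects by hand so custom headers (tokens, API keys) never reach
// an origin the caller did not choose. Method and body handling is left as-is.
async function fetchWithScrubbedRedirects(url, init = {}, maxHops = 5) {
  let target = url;
  let headers = { ...(init.headers || {}) };
  for (let hop = 0; hop <= maxHops; hop++) {
    const res = await fetch(target, { ...init, headers, redirect: "manual" });
    const location = res.headers.get("location");
    if (res.status < 300 || res.status >= 400 || !location) return res;
    ({ url: target, headers } = nextHop(target, location, headers));
  }
  throw new Error("too many redirects");
}
```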
Impact
These changes collectively reduce the operational risk of running OpenClaw in production. By moving away from runtime package manager mutations (especially in the Matrix plugin) and introducing mandatory convergence checks during updates, the system is significantly more resilient to corrupt installations.
For users, the experience is more polished: Telegram users benefit from better session isolation and rich text rendering, while Matrix users see more consistent table formatting. From a security perspective, the tightening of command scopes and the validation of loopback endpoints in the Control UI significantly reduce the attack surface for privileged operations.