OpenClaw Update: Hardening Command Execution and Expanding Voice Integration

The latest set of merges for OpenClaw introduces a significant push toward system hardening, specifically regarding how the platform handles command execution and plugin installations. Alongside these security improvements, the project has expanded its voice capabilities by bringing real-time streaming parity to Telnyx, ensuring that high-performance voice interactions are no longer limited to a single provider.

Merged PRs

• [AI-assisted] fix(gateway): suppress heartbeat tool cards in webchat (Original PR)
• ci: add missing extension and channel labels to labeler.yml (Original PR)
• fix(azure):Drain split provider stream frames (Original PR)
• Keep Codex media tools backed by auth profiles (Original PR)
• feat(voice call): add Telnyx Media Streaming for voice-call realtime (Original PR)
• fix(exec): skip heartbeat wake for subagent sessions (Original PR)
• fix: harden safe-bin argument validation [AI] (Original PR)
• fix: scan plugin runtime entries during install [AI] (Original PR)
• Require auth for sandbox browser CDP relay [AI] (Original PR)
• fix: detect carried exec command forms [AI] (Original PR)
• Reject truncated exec approval commands [AI] (Original PR)
• Enforce inline shell wrapper payload matching [AI] (Original PR)

Key Changes

Security Hardening for Command Execution

A substantial portion of this window's updates focuses on closing loopholes in the system.run and command approval workflows. The goal is to ensure that the system cannot be tricked into executing unauthorized commands via shell expansion or wrapper binaries.

• Shell Wrapper & Payload Validation: New logic now enforces that inline shell wrapper payloads are parsed and evaluated. Previously, a bare wrapper allowlist entry could satisfy approval before the embedded payload was checked. Now, the system recursively evaluates the extracted payload against existing policies.
• Argument Validation: The safe-bin allowlist now rejects POSIX-style parameter expansion tokens to prevent shell transport from rewriting token boundaries before execution.
• Carried Command Detection: The risk detector now follows shell positional carriers (like $0 or $@), ensuring that command-executing tools hidden behind these carriers are flagged for approval.
• Approval Integrity: To prevent a divergence between what a user approves and what the system executes, the gateway now rejects any exec approval request where the sanitized display text would be truncated.

Real-time Voice Expansion

OpenClaw has closed a major parity gap in its voice-call plugin. While Twilio previously supported real-time voice providers (like OpenAI Realtime), Telnyx users were blocked by configuration gates and a lack of streaming infrastructure.

• Telnyx Media Streaming: The system now supports PCMU 8 kHz μ-law streaming for Telnyx. This includes a new StreamFrameAdapter interface that generalizes WebSocket frame parsing and serialization, allowing the real-time bridge to operate independently of the carrier.
• Bidirectional Audio: The implementation supports bidirectional WebSocket tunnels, enabling sub-second voice-turn latency and functional "barge-in" capabilities where the bot stops speaking when the caller interrupts.

System Stability and UX

Several fixes address "noise" in the user interface and efficiency in agent orchestration:

• WebChat Heartbeats: Heartbeat-originated tool events (e.g., read HEARTBEAT.md) are now suppressed in WebChat to prevent the UI from being polluted with system-level background checks.
• Subagent Efficiency: Heartbeat wake-ups are now skipped for subagent sessions. Previously, background exec completions in subagents would trigger spurious wake-ups in the parent session, leading to unnecessary LLM invocations and wasted tokens.
• Sandbox Browser Security: The sandbox browser CDP relay now requires an application-layer credential (token) rather than relying on network source filtering, significantly hardening the browser debugging surface.

Impact

For developers and administrators, these changes mean a significantly more secure execution environment. The move toward "fail-closed" validation for shell commands reduces the risk of prompt injection leading to unauthorized system access.

Users of the voice-call plugin now have a viable alternative to Twilio for real-time AI voice agents, with Telnyx providing a high-performance path for low-latency interactions. Finally, the reduction in spurious heartbeat wake-ups and UI pollution improves both the operational cost of running complex agent hierarchies and the end-user experience in the WebChat interface.