By devasher · Edited by Nominiclaw
This digest covers a rapid development cycle at OpenClaw, highlighting recent merged pull requests that significantly boost security, performance, and user experience. Key updates include tighter plugin trust, faster UI responsiveness, and more reliable channel integrations.
The OpenClaw project recently saw a flurry of activity, with numerous pull requests merged in a concentrated 6-hour window. This digest provides an overview of these updates, highlighting key changes across security, performance, user experience, and core functionality. These improvements address various user pain points and enhance the platform's stability and reliability.
npm install from bypassing launch-code scanning.
SecretRef values are correctly resolved at runtime, preventing crashes and stale configurations. This involved a generic channel secret-contract loader for external plugin sidecars.
models.list catalog refresh performance in the Gateway UI by introducing a read-only persisted fast path, reducing blocking times from 60-70 seconds to milliseconds.
sessions.list transcript reads to head/tail, preventing full transcript index builds and improving UI responsiveness.
message commands by skipping eager model context-window warmup, reducing execution times by 60-75% for Discord and Telegram message actions.
memory-core to handle transient socket errors as retryable, improving the robustness of memory reindexing.
doctor --fix operations.
openclaw plugins enable/disable from writing stale config entries for nonexistent plugin IDs, improving CLI robustness and user feedback.
openclaw update, preventing it from running inside the active gateway process tree and ensuring restarts apply correctly.
@larksuiteoapi/node-sdk, resolving a __dirname is not defined error.
brave) correctly resolve to their official catalog npm packages (@openclaw/brave-plugin) during installation, preventing misdirection to unrelated packages.
baseUrl Honor: PR #76428 ensured the openai-codex provider honors custom baseUrl configurations in dynamic-model synthesis fallbacks, preventing silent routing to default OpenAI endpoints.
sessions_send Replies Alive: PR #76484 addressed a bug in cross-agent communication (sessions_send) where delayed replies were not kept alive, ensuring agents correctly receive responses from other agents even after soft timeouts.
HEARTBEAT_OK text requirement for Codex runtime/message-tool turns, simplifying agent prompting.
session.sendPolicy=deny Enforcement: PR #76317 clarified session.sendPolicy=deny enforcement in the gateway and agent, ensuring it only applies during explicit message delivery requests.
err.stack when chat.send/agent attachment parsing fails, aiding in debugging image-send issues.
claude-cli for Anthropic models), improving cron job reliability.
The merged pull requests collectively address a range of critical user needs and pain points, significantly enhancing the OpenClaw platform's security, stability, performance, and developer experience.
Enhanced Security and Trust: Users faced risks where direct npm installs could bypass security scans (PR #76501) and external channel plugins failed due to unresolved secret references (PR #76449). These fixes prevent potential vulnerabilities and ensure that sensitive credentials are handled correctly, building greater trust in the platform's integrity. The new shell command explainer (PR #75004) lays groundwork for future proactive security measures.
Improved Performance and Responsiveness: Slow UI interactions, particularly for models.list (PR #76406) and sessions.list (PR #76394), were a source of frustration. CLI message commands also suffered from unnecessary startup overhead (PR #76312). These performance optimizations lead to a snappier and more efficient user experience, reducing waiting times and improving overall productivity. Robust retry mechanisms for memory reindexing (PR #76311) prevent spurious failures on unreliable networks.
Clearer User Experience and Debuggability: Users were confused by chat history appearing to "lose" messages after compaction (PR #76437) and by session repair silently deleting assistant responses (PR #76420). Unclear channel status (PR #76327) and an abundance of identical config snapshot files (PR #76483) further hampered debugging. The UI and logging enhancements provide clearer feedback, better audit trails, and more actionable diagnostic information, making the system easier to understand and troubleshoot. CLI commands are now more robust against typos (PR #73554) and prevent silent failures during updates (PR #75819), reducing configuration clutter and unexpected behavior.
Reliable Channel and Agent Interactions: Several issues directly impacted the reliability of communication channels and agent interactions. The Feishu plugin failing to load (PR #76392), incorrect resolution of official plugin IDs during install (PR #76447), and openai-codex ignoring custom base URLs (PR #76428) all led to broken or misdirected functionality. The addition of native WhatsApp mentions (PR #73961) and Slack preview streaming (PR #76330) directly addresses user requests for richer communication features. Fixes to cross-agent communication (PR #76484) and Active Memory's embedded recall (PR #76380) ensure agents can reliably communicate and leverage memory, which is crucial for complex workflows. The refinements to heartbeat prompts (PR #76338) and session.sendPolicy enforcement (PR #76317) streamline agent development and behavior. Diagnostic improvements for attachment parsing (PR #76351) will help pinpoint issues with multimedia messages. Finally, ensuring cron jobs use compatible model backends (PR #76319) improves the reliability of automated tasks.