OpenClaw

OpenClaw Changelog - February 21-28, 2026


This changelog is generated by Notra for demonstration purposes. Notra is not affiliated with OpenClaw.

This week closes a prompt injection vulnerability in context compaction, adds external secrets management with exec providers and SOPS support, and significantly expands Android device integration and Feishu document capabilities. The Feishu improvements include markdown table rendering, document chunking, media extraction, and full CRUD operations on tables. Android now supports motion detection, pedometer, calendar, contacts, and device diagnostics. Security fixes harden auth boundaries across channels, tighten system.run approval binding, and prevent unauthorized DM command execution.

Highlights

External secrets management framework

Credential handling moves off inline .env files. The new architecture supports exec-based providers (1Password, Vault, secretive), file-backed configs, and SOPS integration for automated secret lifecycle management without process restarts.

Feishu documents with markdown tables and full CRUD operations

Document write/append now renders markdown tables as native Feishu tables, chunks large payloads to avoid API errors, supports positional insertion and color markup, and enables comprehensive table operations: merge cells, insert/delete rows and columns, embed media.

Post-compaction prompt injection vulnerability removed

The Layer 3 audit injection created fake system messages after context compaction to force file reads; it has been deleted entirely. Layers 1 and 2 (compaction summary and AGENTS.md context refresh) remain intact for legitimate recovery. Fixes #27697, #26851, #20484, #22339, #25600.

Android device capabilities: motion, pedometer, calendar, contacts, camera, diagnostics

New handlers unlock motion activity classification, step counting, calendar read, contact queries, photo access, notification actions, and device status reporting. This completes parity with the Node.js device API surface.

Cron job delivery hardened with explicit account routing and session isolation

Main-target cron jobs now deliver notifications again by passing the target=last heartbeat flag. Added an --account flag for delivery routing. Prevented false-positive delivery states for queued announces. Cleared delivery routing metadata on isolated session creation.

More Updates

Security

  • Removed post-compaction audit injection vulnerability - Deleted Layer 3 audit that injects fake system messages via prompt injection after context compaction. Preserves legitimate Layers 1 and 2 recovery flows. Fixes #27697, #26851, #20484, #22339, #25600.
  • External secrets management framework - Provider-based architecture supporting exec-backed, file-backed, and SOPS providers for credential lifecycle management without inline .env storage.
  • Harden node system.run approvals against symlink rebind attacks - Tighten exec approval binding to prevent execution of attacker-controlled symlinked binaries.
  • Enforce v1 node exec approval binding and generate host env policy - Centralize system.run binding logic and environment variable generation for consistent approval enforcement.
  • Feishu webhook rate-limit state bounding - Limit unauthenticated webhook rate-limit tracking to prevent memory exhaustion attacks on public endpoints.
  • Explicit group auth boundaries across all channels - Reject dmPolicy="allowlist" with empty allowFrom across Telegram, Discord, Slack, Signal, IRC, iMessage, BlueBubbles, Teams, Google Chat, WhatsApp; add doctor warnings with remediation.
  • Prevent unauthorized open-mode DM commands via hardened auth composition - Centralize dm/group allowlist policy composition to prevent command injection in open-mode DMs.
  • Preserve turn-origin messageChannel in agent runs - Prevent session confusion and unauthorized message routing via proper origin tracking.
  • Harden plugin route auth path canonicalization - Prevent directory traversal in plugin routes via strict path normalization.
  • Typing lifecycle and cross-channel suppression hardening - Enforce proper typing indicator cleanup across channel boundaries.
  • Harden compaction and reset safety - Add regression tests and guards for agent compaction and workspace reset operations.
  • Mattermost monitor media SSRF fallback - Avoid raw fetch in media download fallback path.
  • Teams file-consent timeout hardening - Complete file upload async handling with proper timeout enforcement.
  • BlueBubbles attachment SSRF host whitelisting - Allow explicitly configured hosts for attachment downloads.
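Added example (not OpenClaw's own code) of the auth-boundary check described in the "explicit group auth boundaries" and "hardened auth composition" items above: a doctor-style validation that rejects dmPolicy="allowlist" with an empty allowFrom, beside a fail-closed DM sender check. The channel config shape and the function names are assumptions.

```typescript
// Added example (not OpenClaw's own code). Config shape and function names are
// assumptions based on the changelog's dmPolicy / allowFrom identifiers.
type DmPolicy = "open" | "allowlist";

interface ChannelConfig {
  dmPolicy?: DmPolicy;
  allowFrom?: string[];
}

interface DoctorWarning {
  channel: string;
  message: string;
  remediation: string;
}

// Normalize the allowlist: trim entries and drop blanks so "   " does not count as a sender.
function normalizeAllowFrom(cfg: ChannelConfig): string[] {
  return (cfg.allowFrom ?? []).map((s) => s.trim()).filter((s) => s.length > 0);
}

// Doctor-style check: every channel with dmPolicy="allowlist" must name at least one sender.
function checkDmAuthBoundaries(channels: Record<string, ChannelConfig>): DoctorWarning[] {
  const warnings: DoctorWarning[] = [];
  for (const [name, cfg] of Object.entries(channels)) {
    if (cfg.dmPolicy === "allowlist" && normalizeAllowFrom(cfg).length === 0) {
      warnings.push({
        channel: name,
        message: `channels.${name}: dmPolicy="allowlist" with empty allowFrom`,
        remediation:
          `Set channels.${name}.allowFrom to the sender IDs allowed to DM the agent, ` +
          `or set dmPolicy="open" only if unrestricted DMs are intended.`,
      });
    }
  }
  return warnings;
}

// Fail-closed policy composition: "open" admits everyone; anything else (including
// an unset policy) is an allowlist, and an empty allowlist admits nobody, not everybody.
function isDmSenderAllowed(cfg: ChannelConfig, senderId: string): boolean {
  if (cfg.dmPolicy === "open") return true;
  return normalizeAllowFrom(cfg).includes(senderId.trim());
}

// Constructed sample configs: the weak setting beside the corrected one.
const weakConfig: Record<string, ChannelConfig> = {
  telegram: { dmPolicy: "allowlist", allowFrom: [] },
  discord: { dmPolicy: "allowlist", allowFrom: ["   "] },
};
const fixedConfig: Record<string, ChannelConfig> = {
  telegram: { dmPolicy: "allowlist", allowFrom: ["123456789"] },
  discord: { dmPolicy: "open" },
};
```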

Features & Enhancements

  • Feishu Docx table creation and image/file upload actions - Full Feishu document operations with native table support, file attachment operations, and seamless image upload.
  • Feishu markdown table and positional insert support - Render GFM markdown tables as native Feishu tables with adaptive column widths; add positional markdown insertion after block IDs.
  • Feishu color markup and table operations - Apply color/bold via [red]text[/red] markup syntax; merge cells, insert/delete rows and columns.
  • Feishu embedded post media extraction - Extract and download embedded video/media files from rich text posts.
  • Feishu parent/root message context for quotes - Add ParentMessageId and RootMessageId to inbound context; parse interactive card content in quoted messages.
  • Feishu group sender allowlist support - Global groupSenderAllowFrom for sender-level group access control independent of message channel policy.
  • Feishu wildcard group policy fallback - Honor channels.feishu.groups["*"] fallback with exact-match and case-insensitive precedence.
  • Feishu local image path auto-conversion - Auto-convert local image path text to image message type in outbound dispatch.
  • Feishu merge_forward message parsing - Parse merged forwarded messages for full conversation context.
  • Feishu reaction event support - Created and deleted reaction events now trigger inbound message context updates.
  • Feishu DM skip reply-to reference - Use message.create instead of message.reply in DMs to avoid visible quote references while preserving typing indicators.
  • Feishu ocx chat ID session routing fix - Properly distinguish group vs DM sessions using chat_mode field instead of ID prefix assumptions.
  • Feishu replyInThread configuration - Route message replies to threads when configured.
  • Feishu code block and share_chat message parsing - Extract text from code blocks and shared chat references.
  • Feishu interactive card action callback support - Handle card.action.trigger callbacks from interactive cards.
  • Feishu streaming card header support - Optional colored header parameter for streaming cards matching non-streaming card appearance.
  • Feishu WebSocket proxy agent support - Pass HttpsProxyAgent to WSClient for proxy environment WebSocket connectivity.
  • Feishu large document chunking - Chunk markdown for write/append to avoid API 400 errors; skip heading detection in fenced code blocks.
  • Feishu quota optimization flags - New configuration options for quota-aware operation.
  • Feishu user_id fallback for sender identity - Fall back to user_id when open_id is unavailable.
  • Feishu audio opus format for voice bubbles - Send opus audio format for Feishu voice bubble support.
  • Feishu document auto-permission grant - Automatically grant document permissions to requesting users.
  • Feishu media payload attachment sending - Send media payloads as document attachments for proper file handling.
  • Feishu probeFeishu result caching - Cache API probe results with 10-minute TTL to reduce redundant API calls.
  • Feishu typing indicator error logging - Replace console.log with runtime log for typing indicator failures.
  • Feishu group policy enforcement gaps - Respect groupConfig.enabled flag; fix log messages for group allowlist rejection.
  • Feishu sequential block insertion - Insert document blocks sequentially to preserve order when writing/appending large documents.
  • Android voice reliability enhancements - Rotate playback token per assistant reply; retry talk config after transient failures; cancel in-flight speech when speaker muted.
  • Android voice speaker toggle - Add speaker toggle in voice tab for audio output routing control.
  • Android voice final reply speaking - Speak final voice replies in mic capture flow for complete audio interaction.
  • Android capability discovery and device handlers - Motion activity classification, pedometer tracking, calendar queries, contact reading, photo access, system notifications.
  • Android device diagnostics and notification actions - Expose device status, battery, and notification action commands via node runtime.
  • Android camera list and device selection - List available cameras and select camera device for capture operations.
  • Android canvas capability refresh - Refresh scoped canvas URLs for new A2UI sessions with proper parameter binding.
  • Device timestamp context - Add human-readable timestamp field to conversation info JSON for time-aware agents.
  • Cron account routing - Add --account flag for explicit delivery account routing in cron jobs.
  • Android onboarding enforcement - Enforce custom model context minimum in onboarding; block onboarding advance until special setup completion; add missing capability setup surfaces.
  • German locale support (de) - Add German language support.
  • Tool call name whitespace normalization - Normalize whitespace-padded tool call names before dispatch.
  • Browser URL alias support - Accept url alias for open and navigate actions.
  • Codex model API schema - Add openai-codex-responses to ModelApiSchema for proper Codex routing.
  • TTS voice-bubble channel coverage - Enable opus format and voice bubbles for Feishu and WhatsApp.
  • External link verification in signup flows - Email-link completion flows with clear status handling.
  • Device-auth v2 migration diagnostics - Add specific detail codes for device auth migration issues.
  • MiniMax provider authHeader default - Default authHeader to true for MiniMax API provider.
  • Slack /agentstatus alias - Native Slack alias support for agent status command.
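Added example (not OpenClaw's own code) of the large-document chunking described in the "Feishu large document chunking" and "sequential block insertion" items above: split markdown at headings, treat a `#` line inside a fenced code block as plain text rather than a heading, and pack sections into ordered chunks under a size limit. The 2000-character limit is a constructed value, not the real API limit.

```typescript
// Added example (not OpenClaw's own code). The size limit is a constructed
// placeholder; the real API limit is not stated in the changelog.
const MAX_CHUNK_CHARS = 2000;

function isFenceLine(line: string): boolean {
  return /^\s*(```|~~~)/.test(line);
}

// Split into logical sections: each heading outside a fence starts a new section,
// so a "# comment" line inside ```...``` never splits the code block.
function splitSections(markdown: string): string[] {
  const sections: string[] = [];
  let current: string[] = [];
  let inFence = false;
  for (const line of markdown.split("\n")) {
    if (isFenceLine(line)) inFence = !inFence;
    const isHeading = !inFence && /^#{1,6}\s/.test(line);
    if (isHeading && current.length > 0) {
      sections.push(current.join("\n"));
      current = [];
    }
    current.push(line);
  }
  if (current.length > 0) sections.push(current.join("\n"));
  return sections;
}

// Pack sections into ordered chunks under the limit. A single section larger than
// the limit falls back to cutting at line boundaries (an over-long single line is
// emitted as its own chunk and left for the caller to reject).
function chunkMarkdown(markdown: string, limit = MAX_CHUNK_CHARS): string[] {
  const chunks: string[] = [];
  let buf = "";
  const flush = () => { if (buf) { chunks.push(buf); buf = ""; } };
  for (const section of splitSections(markdown)) {
    const candidate = buf ? `${buf}\n${section}` : section;
    if (candidate.length <= limit) { buf = candidate; continue; }
    flush();
    if (section.length <= limit) { buf = section; continue; }
    for (const line of section.split("\n")) {
      const next = buf ? `${buf}\n${line}` : line;
      if (next.length > limit) flush();
      buf = buf ? `${buf}\n${line}` : line;
    }
  }
  flush();
  return chunks;
}

// Constructed sample: the "# not a heading" line inside the fence must stay with its block.
const sampleDoc = [
  "# Intro", "Some text.", "```sh", "# not a heading", "echo hi", "```",
  "## Second", "More text.",
].join("\n");
```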

Bug Fixes

  • Ollama autodiscovery hardening - Auto-discover Ollama models without API key; demote zero-models warn log to debug.
  • Ollama context window unification - Inject num_ctx for OpenAI-compatible transport; discover per-model context; cap discovery concurrency.
  • Ollama skip discovery when explicit models configured - Prevent redundant discovery when explicit model list already exists.
  • Ollama API provider default to native - Default explicit-model provider API to native ollama instead of OpenAI compat mode.
  • LanceDB custom baseUrl and dimensions support - Add custom OpenAI BaseURL and embedding dimensions for vector search configuration.
  • Browser navigate renderer swap targetId resolution - Resolve correct targetId after Chrome renderer swap (e.g., chrome-extension to https).
  • Browser URL alias support - Accept url alias for open and navigate tool schemas.
  • Podman Quadlet setup fixes - Fix sed escaping in path substitution; add User mapping to resolve container UID mismatches.
  • Model reasoning preservation in fallback - Preserve reasoning output during provider fallback resolution.
  • Google Gemini OAuth provider handling - Add google provider to reasoning tag detection; add forward-compat fallback for gemini-3.1 models.
  • Google Fonts CSP allowlist - Allow Google Fonts stylesheet and font CDN origins in Control UI CSP.
  • Ollama CLI apiKey config without provider - Seed Ollama provider on apiKey config set.
  • Browser fill field type default - Default missing fill field type to 'text' for form interactions.
  • Node default canvas node resolution - Resolve default node when multiple canvas-capable nodes connected.
  • Cron main-target session wake routing - Pass heartbeat target=last for main-session cron jobs to restore notification delivery.
  • Cron delivery state false-positives - Mark queued announce paths as undelivered instead of delivered when no direct send confirmed.
  • Cron completion direct send gating - Enable direct send for text-only announce delivery completion.
  • Cron session isolation and delivery state clearing - Clear delivery routing metadata when creating isolated cron sessions.
  • Cron messaging tool gating - Disable messaging tool when delivery.mode is none.
  • Cron delivery target resolution - Condition requireExplicitMessageTarget on resolved delivery to prevent tool errors.
  • Cron next wake scheduling for isolated jobs - Schedule nextWakeAtMs correctly for isolated sessionTarget cron jobs.
  • Browser sandbox docker no-sandbox rollout - Enable no-sandbox mode in browser Docker container.
  • Browser relay reconnect resilience - Improve relay connection resilience for browser transport.
  • Android notification wake deduping - Skip heartbeat wake on deduped notifications to prevent duplicate processing.
  • Android notification session canonicalization - Canonicalize notification wake session routing.
  • Android notification scope to session - Scope notification wakeups to proper session context.
  • Android voice final reply speaking in mic flow - Speak final voice replies during talk-mode interaction.
  • Android motion sampling stabilization - Stabilize motion sampling and gate pedometer command properly.
  • Android camera invoke parameter JSON parsing - Parse camera and screen invoke params as JSON objects.
  • Telegram allowlist DM migration - Repair DM allowlist migrations across account channels.
  • Telegram reply media context - Include replied media files in reply context for forwarded messages.
  • Telegram stop-created preview finalization - Refactor preview finalization to prevent duplicate sends on edit failure.
  • Telegram outbound chunking - Enforce shared outbound chunking and preserve whitespace in HTML retry chunking.
  • Discord thread binding lifecycle - Migrate thread bindings to idle and max-age lifecycle with proper persistence.
  • Discord slash command options validation - Validate Discord slash command option payloads.
  • Discord /acp native option payload - Avoid invalid /acp option payload generation.
  • Matrix sender label preservation - Preserve sender labels in Matrix BodyForAgent context.
  • NextCloud Talk account lifecycle - Keep startAccount pending until abort to prevent restart loops.
  • Google Chat account lifecycle - Keep startAccount pending until abort to prevent restart loops.
  • Gateway TLS probe with self-signed certificates - Support wss:// scheme in gateway status probe for TLS-enabled bind=lan.
  • Gateway auto-discovery of OpenClaw-managed services - Detect OPENCLAW_LAUNCHD_LABEL and OPENCLAW_SYSTEMD_UNIT for supervised mode.
  • Gateway stale PID cleanup before restart - Clean stale gateway PIDs before triggerOpenClawRestart to prevent port conflicts.
  • Gateway delivery recovery backoff eligibility - Fix delivery queue blockage by continuing on backoff overrun instead of breaking.
  • LaunchD CA certificate propagation - Add NODE_EXTRA_CA_CERTS to LaunchAgent environment for TLS verification.
  • LaunchD ThrottleInterval - Add ThrottleInterval plist entry to prevent launchd restart loops.
  • CLI gateway --force resilience - Make gateway --force resilient to lsof EACCES failures.
  • CLI gateway run --auth help - List all supported auth modes in gateway run help.
  • Plugin npm pack recovery - Recover npm pack archive when stdout is empty.
  • Plugin npm install error clearing - Clear npm install error when npm package not found.
  • Node24 executable name support - Accept node24 in argv reparse for Node.js 24 compatibility.
  • Compaction reasoning preservation - Preserve reasoning in model fallback resolution during compaction.
  • Compaction opaque identifier preservation - Preserve opaque identifiers in compaction summaries.
  • Memory readonly sync recovery - Support readonly sync recovery for remote memory access.
  • Delivery queue head-of-line blocking fix - Change break to continue in backoff recovery to prevent permanent blockage.
  • Session outbound context forwarding - Forward resolved session context in agent delivery for proper routing.
  • Assistant usage snapshot preservation - Preserve assistant usage snapshots during compaction cleanup.
  • TUI streamed text preservation during tool transitions - Preserve already-streamed assistant text when tool calls are triggered.
  • Chat timestamp context - Make agents time-aware with message timestamps in conversation info.
  • Android clipboard output cleanup - Clear relevant-memories scaffolding from web UI.
  • Gemini 3 Pro tier normalization - Normalize bare gemini-3-pro model IDs to include -low or -high tier for Antigravity API.
  • Gemini 3.1 forward-compat models - Add forward-compat fallback for gemini-3.1-pro and gemini-3.1-flash models in Google CLI OAuth.
  • OpenAI Responses server-side compaction - Auto-enable compaction support for OpenAI Responses.
  • Custom provider onboarding verification timeout - Increase timeout from 10s to 30s and reduce max_tokens from 1024 to 1 for local model verification.
  • Codex transport websocket-first default - Default codex transport to websocket-first for improved reliability.
  • Outside-workspace error distinction - Distinguish outside-workspace errors from not-found in fs-safe for clear user messages.
  • File system path traversal safety - Handle outside-workspace error in media store with proper scoping.
  • Feishu proxy SSRF bypass - Add Feishu proxy agent pass-through for SSRF guard while respecting explicit proxies.
  • Gateway webUI CSP Google Fonts issue - Remove CSP-blocked Google Fonts import that was never loading.
  • Onboard custom model context enforcement - Enforce minimum custom model context in onboarding flow.
  • Docker CLI symlink fix - Replace npm link with root CLI symlink for permission-safe CLI access.
  • Windows path namespace normalization - Normalize namespaced paths for proper containment checks.
  • Browser application error wrapping - Stop wrapping application errors with generic "Can't reach" message.

Performance Improvements

  • Android mic conversation update churn reduction - Reduce unnecessary conversation state updates during microphone interaction.
  • Feishu cron probeFeishu result caching - Cache probe results with 10-minute TTL to reduce redundant Feishu API calls.

Infrastructure

  • Update server-cron.ts and models-config.providers.ts - Maintenance updates to cron and model configuration.
  • appcast sparkle version floor enforcement - Enforce lane floor for calver appcast entries to prevent downgrade loops.
  • macOS Sparkle build monotonicity - Make default Sparkle build version monotonic across same-day releases.
  • CI Windows timeout configuration - Add timeout for Windows checks job to prevent hangs.
  • Dependabot npm deprecation warning fixes - Remove global Google auth pnpm overrides; make @discordjs/opus optional peer.
  • npm global install deprecation - Reduce npm deprecation warnings through dependency pinning and peer configuration.
  • CI DNS resolution health check - Monitor CI GitHub App token health.
  • Gateway config reference alignment - Expand config reference coverage for channels plugins and providers.
  • Security policy documentation - Clarify command-risk reports and obfuscation parity scope.

Testing & Documentation

  • Regression test suite expansion - Add extensive regression coverage for compaction, reset, auth boundaries, device capabilities, and mail flows.
  • Android integration test infrastructure - Full integration test suite for live Android device capabilities with preconditions and pitfall documentation.
  • Feishu docx test mocking - Add documentBlockDescendant mock for feishu docx tests.
  • GitHub issue templates - Add regression bug template with routing for issue triage.
  • ACP operator playbook expansion - Expand /acp operator documentation with complete playbook.
  • Device auth migration diagnostics documentation - Add troubleshooting guide for device auth v2 migration.
  • SOPS migration and secrets documentation - Complete secrets reference, CLI guide, and migration documentation.
  • Docker Dependabot interval - Keep Docker Dependabot updates weekly for security patches.