OpenClaw Update: Security Hardening, CLI Performance, and Integration Stability

The latest set of merged pull requests for OpenClaw demonstrates a strong push toward security hardening and developer experience. Key improvements range from closing potential XSS vulnerabilities in the UI to optimizing the CLI's memory footprint and ensuring that third-party integrations like Slack and Telegram are more resilient and private.

Merged PRs

• fix(agents): cap heartbeat context hint fallback Original PR
• perf(cli): cache stable subcommand help Original PR
• fix(ollama): preserve tool call ids Original PR
• fix(config): append numeric bound hints to ceiling/floor validation errors Original PR
• fix(diffs): replace iconMarkup string with ToolbarIconName enum to el… Original PR
• fix(memory): stop recall tracking when dreaming is disabled Original PR
• fix(diagnostics-otel): suppress exporter rejection crashes Original PR
• perf: speed up secrets and nodes help startup Original PR
• fix(pdf): time out idle remote PDF reads Original PR
• [Fix] Reject slow node event sends Original PR
• fix(doctor): detect Codex bwrap namespace denials Original PR
• fix(update): prune stale local bundled plugin shadows Original PR
• fix(slack): suppress reasoning payloads in non-streaming delivery paths Original PR
• fix(config): validate browser sandbox bind sources Original PR
• doctor: constrain legacy plugin cleanup paths Original PR
• Fix Telegram isolated polling stall watchdog Original PR
• [Fix] Keep node systemd tokens out of unit files Original PR
• fix(whatsapp): reject symlinked credential files Original PR

Key Changes

Security Hardening

Several PRs focused on reducing the attack surface and protecting sensitive data:

• XSS Prevention: In the diffs extension, createToolbarButton previously accepted a raw string for iconMarkup, which was assigned directly to innerHTML. This was replaced with a sealed ToolbarIconName enum to ensure only pre-approved SVG strings are rendered.
• Credential Protection:
  • WhatsApp: The system now rejects symlinked creds.json files and symlinked credential-directory parents to prevent unauthorized access or redirection of session data.
  • Linux Node Daemon: A critical fix ensures that OPENCLAW_GATEWAY_TOKEN is no longer inlined into systemd unit files, moving it to owner-only protected environment files to prevent same-host users from recovering the operator secret.
• Path Validation: The openclaw doctor --fix command now uses realpath containment checks to ensure legacy plugin cleanup only occurs within approved OpenClaw roots, preventing accidental deletion of files outside the managed directory.

CLI Performance Optimizations

To improve the responsiveness of the CLI, the team implemented a precomputed help fast path:

• Subcommand Help: Commands like doctor --help, models --help, and plugins --help no longer require a full CLI registration. This reduced RSS usage from ~320MB to ~95MB and slashed response times from ~350ms to ~85ms.
• Secrets & Nodes: Similar optimizations were applied to secrets --help and nodes --help, with secrets --help seeing a dramatic drop from 800ms to 23ms.

Integration & Tooling Fixes

• Slack: Fixed a leak where Claude model "reasoning" payloads were appearing as visible messages in non-streaming delivery paths (e.g., slash commands or fallback paths).
• Telegram: The isolated polling ingress now correctly honors the pollingStallThresholdMs setting, allowing the watchdog to restart silent workers instead of hanging indefinitely.
• PDF Tool: Added an idle-read timeout for remote PDF loads to prevent sessions from becoming "zombies" when a remote server stops sending data after the headers.
• Ollama: Tool call IDs are now preserved through the replay path, which is essential for Gemini/Ollama Cloud to maintain hidden thought-signature handles across turns.

Impact

For the end user, these changes result in a significantly more stable and secure environment. The most immediate impact is the CLI's snappiness, making help documentation instantly accessible. Security-conscious operators will benefit from the hardened credential handling in WhatsApp and Linux systemd deployments, reducing the risk of local privilege escalation or credential theft.

From a reliability standpoint, the fixes for Telegram polling and remote PDF reads eliminate two major sources of "stuck" sessions, reducing the need for manual gateway restarts. Additionally, the Slack integration now correctly hides internal model reasoning, ensuring that only the final, polished answer reaches the channel, maintaining a professional user experience.