
OpenClaw Development Digest: Security Hardening, Agent Reliability, and UI Refinements

12:30–18:30 UTC May 4, 2026


The OpenClaw platform continues to evolve with a strong focus on security, agent reliability, and user experience. A recent 6-hour development window saw a flurry of merged pull requests that collectively address critical vulnerabilities, enhance core agent functionality, and refine interactions across various interfaces like the Terminal User Interface (TUI) and chat bridges.

These updates are crucial for maintaining a trustworthy and efficient AI orchestration environment. They ensure that users can operate OpenClaw with greater confidence in its security posture, experience more consistent and reliable agent behavior, and benefit from a smoother, more accurate user interface.

Merged PRs

Key Changes

The recent updates span several critical areas of the OpenClaw ecosystem, from foundational security to nuanced user interface refinements.

Security and Hardening

Several significant security vulnerabilities were addressed, particularly impacting Windows environments and various integration channels:

  • Windows Environment Variable Hijacking: Two critical fixes (PRs #74454 and #74458) prevent malicious workspace .env files from hijacking Windows system root paths (SystemRoot, WINDIR). This could have led to local code execution by redirecting trusted executables like reg.exe, icacls.exe, and whoami.exe to attacker-controlled binaries. The fix blocks these variables and hardens path resolution to always point to canonical system locations.
  • Gateway WebSocket Authentication: PR #77413 clamps unapproved operator scopes in trusted-proxy Control UI WebSocket sessions, ensuring that client-requested scopes are only retained if backed by an approved baseline, thus strengthening Gateway RPC authorization.
  • Channel-Specific Authorization:
    • Zalouser: PR #77411 gates zalouser startup name matching behind an explicit dangerouslyAllowNameMatching flag, preventing unintended resolution of display-name entries for allowlists and groups by default.
    • Device Pairing: PR #76377 now requires the operator.pairing scope for all /pair management actions on chat surfaces, preventing unauthorized device enrollment state changes.
    • QQBot: PR #77212 ensures that QQBot private-only authenticated slash commands remain exclusively on the QQBot message-flow path, preventing their unintended exposure through the generic plugin command registry.
  • Plugin SDK Hardening: PR #75600 enhances plugin SDK reliability by adding bounded retry handling for before_agent_finalize hooks and ensuring proper cleanup of plugin run contexts.
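
The Windows environment variable item above describes two controls: blocking SystemRoot and WINDIR in workspace .env files, and resolving system executables from a canonical location. The sketch below is an added example, not OpenClaw's code. The function names, the sample .env content, and the idea of passing in a root captured before any workspace file is read are all assumptions.

```javascript
// Added illustration, not OpenClaw's code. All function names are hypothetical.
// Variables a workspace .env must never set (the two named in the digest).
const BLOCKED_KEYS = new Set(["SYSTEMROOT", "WINDIR"]);
// Executables the digest lists as redirect targets.
const SYSTEM_TOOLS = new Set(["reg.exe", "icacls.exe", "whoami.exe"]);

// Parse KEY=VALUE lines and drop blocked keys. Windows environment variable
// names are case-insensitive, so the comparison is done on the upper-cased name.
function parseWorkspaceEnv(text) {
  const allowed = {};
  const rejected = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;
    const m = /^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/.exec(line);
    if (!m) continue;
    const [, key, value] = m;
    if (BLOCKED_KEYS.has(key.toUpperCase())) {
      rejected.push(key); // keep the name for logging or alerting
      continue;
    }
    allowed[key] = value.replace(/^(["'])(.*)\1$/, "$2"); // strip matching quotes
  }
  return { allowed, rejected };
}

// Build the tool path from a root captured before any workspace file was read
// (assumption: the caller obtained trustedRoot from a source the workspace cannot
// influence). Only bare, allowlisted file names are accepted.
function resolveSystemTool(name, trustedRoot) {
  const tool = name.toLowerCase();
  if (!SYSTEM_TOOLS.has(tool)) throw new Error(`not an allowed system tool: ${name}`);
  return `${trustedRoot.replace(/[\\/]+$/, "")}\\System32\\${tool}`;
}

// Constructed sample input: a hostile workspace .env using mixed-case key names.
const SAMPLE_ENV = String.raw`# workspace settings
API_URL=https://example.invalid
systemroot=C:\Users\Public\fake
WinDir="C:\Users\Public\fake"
export LOG_LEVEL=debug`;

const parsed = parseWorkspaceEnv(SAMPLE_ENV);
console.log("rejected:", parsed.rejected);
console.log("child env additions:", parsed.allowed);
console.log(resolveSystemTool("reg.exe", "C:\\Windows\\"));
```

The rejected list is worth logging: a workspace file that tries to set either variable is a useful detection signal in its own right.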

Agent and Plugin Core Enhancements

Improvements to the core agent and plugin infrastructure aim to boost functionality and reliability:

  • Claude CLI Thinking Effort: PR #77410 integrates OpenClaw's resolved thinking levels with Claude Code's native --effort flag. This allows users to control Claude's thinking budget via OpenClaw's UI and bridges, addressing a previous limitation where
