OpenClaw Update: Strengthening Security Boundaries and Refining Provider Discovery
Merged PRs
- fix(imessage): keep pasted links, ignore Apple preview blobs Original PR
- Fix stale diagnostic lanes for reply runs Original PR
- fix(update): suppress handoff newer-config warning Original PR
- fix(plugins): scan installed dependency runtime code [AI] Original PR
- Inherit tool restrictions for delegated sessions [AI] Original PR
- fix(telegram): detect same-bot token rotation via fingerprinted offset state Original PR
- fix(commitments): write json output to stdout Original PR
- browser: enforce navigation checks for act interactions [AI] Original PR
- fix(providers): discover self-hosted wildcards from configured endpoints Original PR
- Validate node exec event provenance [AI] Original PR
- fix(config): reject auto-managed meta.lastTouched* paths in config set/unset Original PR
- Trust installed Codex for its private task runtime Original PR
- fix(plugins): retry npm alias override installs Original PR
- fix(whatsapp): drain debounced inbound before close Original PR
- [AI-assisted] fix(gateway): clarify invalid config recovery hints Original PR
- Limit hook CLI tool authority [AI] Original PR
- Require admin scope for node device token management [AI] Original PR
- Restrict chat sender allowlist matching [AI] Original PR
Key Changes
Security Hardening and Access Control
Several PRs focused on narrowing the attack surface and ensuring that privileged tools are not leaked to unauthorized sessions:
- Delegated Session Restrictions: Delegated child sessions now inherit tool-deny contexts from their callers, preventing subagents from gaining a broader tool surface than the user who spawned them.
- Node Execution Provenance: The gateway now validates node exec lifecycle events, requiring a matching pending system.run invoke to prevent unmatched events from triggering heartbeat wakes.
- iMessage Gating: Sender allowlist matching has been restricted to normalized sender handles. Conversation IDs are no longer accepted as proof of sender identity, preventing participants in an allowed conversation from being mistakenly treated as allowed senders.
- Node Device Management: Rotating or revoking node-role device tokens now strictly requires admin authority, preventing pairing-scoped operator sessions from escalating privileges.
- Hook Authority: Externally sourced hook agent turns routed through a CLI backend now use non-owner tool authority, ensuring external ingress does not grant owner-level loopback access.
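The delegated-session rule above, as an added TypeScript illustration that is not OpenClaw's own code; the session and policy shapes, the tool names and the function names are assumptions made for this example:

```typescript
// Added illustration, not OpenClaw's own code: an assumed session model where a
// delegated child inherits every ancestor's tool-deny context and can never
// widen its caller's tool surface.
type ToolPolicy = { allow: Set<string>; deny: Set<string> }; // deny wins over allow
type Session = { id: string; policy: ToolPolicy; parent?: Session };

// Union of the deny sets along the whole delegation chain.
function inheritedDeny(session: Session): Set<string> {
  const deny = new Set<string>();
  for (let s: Session | undefined = session; s; s = s.parent) {
    s.policy.deny.forEach((t) => deny.add(t));
  }
  return deny;
}

// A tool is usable only if the session asked for it, every ancestor allows it,
// and no session in the chain denies it.
function effectiveAllow(session: Session): Set<string> {
  const deny = inheritedDeny(session);
  let allow = Array.from(session.policy.allow);
  for (let s = session.parent; s; s = s.parent) {
    const ancestor = s;
    allow = allow.filter((t) => ancestor.policy.allow.has(t));
  }
  return new Set(allow.filter((t) => !deny.has(t)));
}

// Spawning records the caller as parent; the child cannot grant itself anything.
function spawnDelegated(parent: Session, id: string, requested: string[]): Session {
  return { id, parent, policy: { allow: new Set(requested), deny: new Set() } };
}

function canUseTool(session: Session, tool: string): boolean {
  return effectiveAllow(session).has(tool);
}

// Constructed scenario: the user's session may read and browse but has shell denied.
const user: Session = {
  id: "user",
  policy: { allow: new Set(["read_file", "browser", "shell"]), deny: new Set(["shell"]) },
};
// The subagent asks for more than it should get; "gateway_admin" was never allowed upstream.
const subagent = spawnDelegated(user, "subagent", ["read_file", "shell", "gateway_admin"]);
// A second-level delegate inherits the same ceiling from both ancestors.
const helper = spawnDelegated(subagent, "helper", ["read_file", "browser"]);
```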
Provider and Plugin Infrastructure
- Dynamic Model Discovery: Self-hosted vLLM and SGLang providers now support wildcard visibility (e.g., vllm/*). OpenClaw can now dynamically discover advertised models from configured endpoints, removing the need for users to manually maintain exhaustive model lists in their config.
- Plugin Security: The plugin installation process now scans the installed runtime tree, including node_modules, to ensure that dependency runtime files are subject to the same code scanning as the plugin entry code.
- Codex Runtime Fixes: The @openclaw/codex package now has trusted access to its private task runtime, resolving MODULE_NOT_FOUND errors that previously caused OpenAI/Codex primary routes to fail and fall back to Anthropic.
- NPM Install Reliability: Added a retry mechanism for managed NPM installs that fail due to alias override comparator errors in older NPM versions, ensuring smoother onboarding for users on legacy environments.
Stability and UX Improvements
- Telegram Token Rotation: The Telegram poller now detects token rotation (via BotFather /revoke) by fingerprinting the token. This prevents the bot from going "deaf" due to stale update offsets being applied to a new token epoch.
- WhatsApp Inbound Draining: The WhatsApp listener now drains debounced inbound messages before closing the socket, ensuring that replies to batched messages are sent before the connection is severed.
- Config Management: The CLI now explicitly rejects attempts to manually set meta.lastTouchedVersion or meta.lastTouchedAt, as these are auto-managed fields. Additionally, invalid-config startup errors now provide clearer recovery hints, including pointers to .bak backups.
Impact
These changes significantly improve the operational security of OpenClaw by enforcing strict inheritance of tool restrictions and validating the provenance of node events. For self-hosted users, the ability to use wildcards for vLLM and SGLang providers drastically reduces configuration overhead and ensures that the model list remains current as servers are updated.
From a reliability standpoint, the fixes for Telegram token rotation and WhatsApp connection draining resolve critical edge cases where messages were silently dropped or replies failed during shutdown. The hardening of the plugin installation pipeline and the resolution of the Codex runtime loading issue ensure a more robust and secure extension ecosystem.