OpenClaw Update: Enhancing Agent Reliability, Security Hardening, and SDK Expansion

Merged PRs

• fix(agents): surface memory-flush errors safely Original PR
• fix(anthropic): enable Claude CLI session-expired history reseed Original PR
• Allow pnpm source updates to build OpenClaw Original PR
• Require Control UI pairing before proxy-scoped access [AI] Original PR
• Require explicit browser device pairing [AI] Original PR
• feat(telegram): localized command menu descriptions Original PR
• feat(plugin-sdk): export plugin hook types Original PR
• feat(plugins): expose tools in LLM input hook event Original PR
• Harden trusted-proxy source validation [AI] Original PR
• revert(cli): remove global root refusal Original PR
• fix(provider): add opt-in transient retries for provider execution Original PR
• [AI-assisted] fix(agents): normalize array tool schemas Original PR
• fix(plugins): raise default install scan file limit to 25k Original PR
• Revert "Check ClawHub trust before plugin installs" Original PR
• docs(changelog): credit Ziy1-Tan for #79645 Original PR
• fix(security): inline redact into appendSessionTranscriptMessage Original PR
• fix(agents): escalate LLM idle timeout to model fallback after profile rotation Original PR
• feat(scripts): allow worktree heavy-check locks Original PR
• Add dependency release safety evidence and PR awareness Original PR
• cherry-pick #81219 onto release/2026.5.12 for beta.5 Original PR
• fix(agents): make subagent task delivery visible Original PR
• fix(gateway): forward temperature and top_p through OpenAI-compatible HTTP APIs Original PR
• feat(migrate): suppress plan log on embedding, add "Accept recommended" affordance, remove "Skip for now" Original PR
• Check ClawHub trust before plugin installs Original PR

Key Changes

Agent Reliability and LLM Orchestration

One of the most critical fixes in this window addresses a regression where agents would silently freeze mid-turn during LLM idle timeouts. Previously, if the idle watchdog fired, the agent would stop responding without rotating auth profiles or advancing the model fallback chain. The system now correctly escalates these timeouts to the fallback model, ensuring continuity in multi-turn workflows.

Other agent-centric improvements include:

• Subagent Visibility: Task delivery for native sessions_spawn has been moved from hidden system prompts to visible user messages, making subagent tasks auditable in transcripts.
• Tool Schema Normalization: To prevent OpenAI from rejecting tool schemas with missing items in array definitions, the system now recursively adds permissive items: {} to such schemas.
• Provider Retries: A shared transient retry path has been added for opted-in provider read, poll, and download operations to handle HTTP 5xx errors and network timeouts more gracefully.

Security Hardening and Authentication

Significant effort was directed toward closing gaps in the Gateway's authentication and proxy logic:

• Trusted Proxy Validation: The gateway now rejects non-loopback peers that are local interface addresses, preventing host-local addresses from being treated as distinct proxy trust boundaries.
• Control UI Pairing: Trusted-proxy authenticated Control UI sessions now require explicit device pairing before operator scopes are honored, preventing fresh device identities from gaining privileged access silently.
• Browser-Origin Hardening: Browser-origin Control UI sessions are no longer eligible for silent local pairing; they now require explicit pairing approval to mint durable operator access.

SDK and Plugin Ecosystem

For developers, the Plugin SDK has been expanded to provide better type safety and visibility:

• Type Exports: Plugin hook types are now exported via a public openclaw/plugin-sdk/types entrypoint, removing the dependency on fragile internal source paths.
• LLM Input Hooks: The llm_input hook now exposes the tools field, allowing plugins to see which tools are available for a specific LLM call.
• Telegram Integration: Telegram bot menus now support localized command descriptions via language_code, enabling multi-language bot deployments.

Impact

User Experience

Users will notice a significant reduction in "silent freezes" during complex agent tasks, particularly when using models with unstable latency. The migration flow for Codex has also been streamlined with an "Accept recommended" option and the removal of a confusing "Skip for now" trap, making onboarding more intuitive.

Developer Experience

Plugin authors can now build more robust extensions using public SDK types and gain deeper insight into LLM contexts through enhanced hook events. The increase in the default install scan file limit to 25k also resolves onboarding blockers for larger plugins like the Codex plugin.

System Security

The tightened pairing requirements for browser and proxy-based Control UI access significantly reduce the risk of unauthorized operator-level access. By enforcing explicit pairing for these paths, OpenClaw ensures that privileged gateway RPCs are bounded by verified device records.