GH Release

OpenClaw v2026.5.12-beta.6 Release Summary

322131161 May 13, 2026

Key Changes

Security Hardening & Access Control

This release introduces significant security improvements to the Gateway and device pairing flows to prevent unauthorized access and privilege escalation:

  • Device Pairing Security: Setup-code bootstrap pairing now requires explicit approval before granting durable node tokens, and it no longer grants operator-role tokens during node setup. Additionally, browser-origin Control UI sessions now require explicit pairing approval rather than silent local pairing.
  • Privilege Escalation Guards: The Gateway now enforces admin scope for node device token management (rotation and revocation). Furthermore, trusted-proxy authentication has been hardened to reject host-local non-loopback interface peers, ensuring a distinct proxy trust boundary.
  • Command & Tool Gating: Exec approval now rejects commands that would be truncated in the display prompt, preventing a mismatch between what the operator approves and what actually runs. Shell wrapper parsing has also been improved to recognize PowerShell -ec inline commands, ensuring they follow the stricter inline-payload approval path.
  • Sandbox Browser Security: The sandbox browser CDP relay now requires an application-layer credential (relay token), replacing the previous reliance on container-observed source filtering.

Agent & Session Management

Improvements to agent reliability and session continuity ensure smoother multi-turn interactions:

  • LLM Failover Fix: A critical regression where agents would silently freeze during idle timeouts has been resolved. The system now correctly escalates idle timeouts to model fallback or profile rotation, preventing stuck agent turns.
  • Session Lineage & Continuity: ACP (Agent Client Protocol) sessions now expose Gateway lineage metadata (e.g., parentSessionId, spawnDepth), allowing clients to render parent-child session graphs. For Claude CLI users, session-expired recovery now supports bounded transcript reseeding to prevent "conversation amnesia" after session rotation.
  • Tool Schema Normalization: To prevent OpenAI-compatible providers from rejecting tool submissions, the system now recursively adds permissive items: {} to array schemas that omit the items field.
  • Subagent Optimization: Redundant heartbeat wake-ups for subagent session exec completions are now skipped, reducing spurious LLM invocations on parent sessions.
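The recursive schema fix-up described under Tool Schema Normalization, written as an added example (this is not OpenClaw's code; the function name normalizeArrayItems, the keyword lists and the sample tool schema are all constructed here):

```typescript
// Added example (not OpenClaw's own code): recursively give every array schema
// that omits `items` a permissive `items: {}`, so OpenAI-compatible providers
// that require `items` on arrays do not reject the tool definition.
type JsonSchema = { [key: string]: unknown };
function isObject(v: unknown): v is JsonSchema {
  return typeof v === "object" && v !== null && !Array.isArray(v);
}
function isArraySchema(s: JsonSchema): boolean {
  const t = s.type;
  return t === "array" || (Array.isArray(t) && t.indexOf("array") !== -1);
}
// Keywords whose values hold nested schemas (maps, lists, single schemas).
// Non-schema keywords such as `enum` or `default` are never descended into.
const MAP_KEYS = ["properties", "patternProperties", "$defs", "definitions"];
const LIST_KEYS = ["anyOf", "oneOf", "allOf", "prefixItems"];
const SINGLE_KEYS = ["items", "additionalProperties", "not", "if", "then", "else"];

function normalizeArrayItems(schema: unknown): unknown {
  if (Array.isArray(schema)) return schema.map(normalizeArrayItems);
  if (!isObject(schema)) return schema; // booleans and scalars pass through
  const out: JsonSchema = { ...schema }; // shallow copy: caller's schema is not mutated
  // Add `items` only when the key is absent: an explicit `items: false` or a
  // tuple-form items array is a deliberate choice and is preserved.
  if (isArraySchema(out) && !("items" in out)) out.items = {};
  for (const k of MAP_KEYS) {
    const m = out[k];
    if (!isObject(m)) continue;
    const copy: JsonSchema = {};
    for (const name of Object.keys(m)) copy[name] = normalizeArrayItems(m[name]);
    out[k] = copy;
  }
  for (const k of LIST_KEYS) if (Array.isArray(out[k])) out[k] = normalizeArrayItems(out[k]);
  for (const k of SINGLE_KEYS) if (out[k] !== undefined) out[k] = normalizeArrayItems(out[k]);
  return out;
}

// Constructed tool schema: `tags` and the nested `ids` array omit `items`;
// `scores` already declares its item type and must be left untouched.
const sampleToolParameters = {
  type: "object",
  properties: {
    tags: { type: "array", description: "free-form labels" },
    scores: { type: "array", items: { type: "number" } },
    target: {
      anyOf: [{ type: "string", enum: ["all", "none"] }, { type: "object", properties: { ids: { type: "array" } } }],
    },
  },
  required: ["tags"],
};
```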

Plugin SDK & Extensibility

The Plugin SDK has been expanded to support complex workflows and safer installations:

  • Workflow Seams: New capabilities allow plugins to register typed session actions, send session-bound attachments, and schedule future session turns through the host scheduler.
  • Installation Safety: The plugin installer now scans the entire installed runtime tree, including node_modules, for dangerous code patterns, ensuring that dependency materialization doesn't bypass security scans.
  • Managed Dependency Handling: The installer now preserves third-party peer dependencies during recalculations and prunes them correctly upon plugin uninstallation.

Channel Integrations

  • Telegram: Added support for localized command menu descriptions via setMyCommands. A bug where single-account setups with explicit empty groups: {} maps would silently drop all group updates has been fixed.
  • Slack: Added enforcement of reaction notification policies (off, own, all, allowlist) and ensured that plugin approval buttons are authorized against the plugin approval allowlist rather than the exec approver list.
  • iMessage: Fixed an issue where media-only sends would include visible <media:image> placeholder text. The monitor now also ignores Apple .pluginPayloadAttachment blobs to avoid treating link previews as user-provided media.

Impact

For Operators

  • Increased Security: You will now see explicit pairing requests for browser-based Control UI connections and setup-code pairings. Admin privileges are now strictly required for managing node tokens.
  • Better Diagnostics: The Control UI now displays subagent sessions nested under their parent sessions with a visual └─ prefix, making complex agent hierarchies easier to navigate.
  • Reliable Automation: The fix for LLM idle timeouts means agents are far less likely to "freeze" during long-running tasks or provider stalls.

For Plugin Developers

  • New Workflow APIs: You can now build more interactive plugins using registerSessionAction and scheduleSessionTurn to create complex, multi-stage agent workflows.
  • Stricter Validation: Be aware that plugin installations now include a full scan of the node_modules directory, which may flag certain third-party dependencies.

Upgrade Guide

Breaking Changes & Migration

  • iMessage Allowlists: Sender allowlist matching has been restricted. Conversation-scoped IDs (chat IDs/GUIDs) are no longer accepted as proof of sender identity in allowFrom entries. Migration: Update your allowFrom configurations to use normalized sender handles. Conversation IDs should remain in groupAllowFrom or be used as explicit message targets.
  • Trusted Proxy Config: If your deployment lists the gateway host's own non-loopback interface address in gateway.trustedProxies, these requests will now be rejected. Migration: Use a distinct proxy peer address or the existing loopback trusted-proxy path.
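The trusted-proxy boundary rule behind this migration note, as an added example (not OpenClaw's own code): a pure classifier that takes the peer address, the gateway.trustedProxies list and the host's own interface addresses. The function name classifyProxyPeer and the sample addresses are constructed; in a real deployment the interface list would be read from os.networkInterfaces().

```typescript
// Added example (not OpenClaw's own code): classify the TCP peer of an incoming
// Gateway request under the hardened trusted-proxy rule in this release.
// Host interface addresses are passed in explicitly so the function stays pure.
type PeerClass = "loopback" | "trusted-proxy" | "rejected";

// Normalise IPv4-mapped IPv6 (e.g. ::ffff:10.0.0.5) to dotted form so a proxy
// configured as 10.0.0.5 still matches when the listener is dual-stack.
function canonicalIp(addr: string): string {
  const m = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/i.exec(addr.trim());
  const base = m && m[1] ? m[1] : addr.trim();
  return base.toLowerCase();
}

function isLoopback(addr: string): boolean {
  return addr.startsWith("127.") || addr === "::1";
}

function classifyProxyPeer(
  peer: string,
  trustedProxies: string[],
  hostInterfaceAddrs: string[], // every address bound on the gateway host itself
): PeerClass {
  const ip = canonicalIp(peer);
  // Loopback peers are handled by the existing loopback trusted-proxy path.
  if (isLoopback(ip)) return "loopback";
  const trusted = new Set(trustedProxies.map(canonicalIp));
  if (!trusted.has(ip)) return "rejected";
  // A host-local, non-loopback interface address is not a distinct proxy peer,
  // so it is rejected even when it appears in gateway.trustedProxies.
  const hostLocal = new Set(hostInterfaceAddrs.map(canonicalIp).filter((a) => !isLoopback(a)));
  if (hostLocal.has(ip)) return "rejected";
  return "trusted-proxy";
}

// Constructed sample deployment: 192.168.1.20 is the gateway host's own LAN
// address and was (wrongly) listed as a trusted proxy; 10.0.0.5 is a real proxy.
const sampleDeployment = {
  trustedProxies: ["10.0.0.5", "192.168.1.20"],
  hostInterfaceAddrs: ["127.0.0.1", "::1", "192.168.1.20"],
};

function classifySamplePeer(peer: string): PeerClass {
  return classifyProxyPeer(peer, sampleDeployment.trustedProxies, sampleDeployment.hostInterfaceAddrs);
}
```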