Back to OpenClaw News v2026.2.3: Cron Overhaul & Channel Security Fixes
February 4, 2026 Release Security

v2026.2.3: Cron Overhaul & Channel Security Fixes

Major cron job rework brings announce delivery mode and auto-cleanup. Critical security fixes for channel metadata leakage and media handling.

Share

🦞 OpenClaw Updates

Release v2026.2.3: The Cron Job Overhaul

OpenClaw v2026.2.3 delivers a comprehensive rework of the cron job system — one of the most heavily-used features for agent automation:

  • Announce delivery mode: Isolated cron jobs can now post results via announce delivery — a cleaner, more reliable way to deliver scheduled task results to channels
  • Auto-cleanup: One-shot jobs are now deleted after success by default (use --keep-after-run to preserve)
  • ISO 8601 support: Schedule jobs with standard ISO 8601 timestamps via schedule.at
  • Duplicate prevention: Fixed cases where isolated runs could send duplicate messages

Critical Security Fixes

This release includes important security hardening across multiple channels:

  • Untrusted Slack/Discord channel metadata kept out of system prompts — preventing prompt injection via channel names/topics
  • Sandboxed media paths enforced for message tool attachments
  • Gateway URL overrides now require explicit credentials to prevent credential leakage
  • WhatsApp login tool gated to owner senders only
  • Voice call webhook verification hardened with host allowlists

Source: GitHub Release Notes

SEN-X Take

The channel metadata prompt injection fix is particularly important. If your agent is in a Slack channel where anyone can change the topic, an attacker could inject instructions into the topic that the agent would treat as context. This release closes that vector. Update immediately if you use Slack or Discord channels.

🔒 Security Tip of the Day

Beware of Prompt Injection via Channel Metadata

Before v2026.2.3, Slack channel topics and Discord channel descriptions could be included in your agent's system prompt context. An attacker who could edit these fields could inject instructions.

Even after upgrading: Audit which channels your agent monitors. Restrict your agent to channels where you control who can edit metadata. Use access groups to limit which Slack channels trigger agent responses.

⭐ Skill of the Day: browse

🔧 browse

What it does: Complete guide for creating and deploying browser automation functions. Unlike playwright-mcp which provides raw browser control, this skill focuses on structured browsing patterns — form filling, data extraction, and multi-step web workflows.

Install: npx clawhub@latest install browse

Source: github.com/openclaw/skills (verified on ClawHub, listed in awesome-openclaw-skills under Browser & Automation)

Why we like it: Complements playwright-mcp by providing higher-level abstractions. Good for agents that need to interact with specific web applications in a structured, repeatable way.

👥 Community Highlights

The Cloudflare AI Gateway onboarding support in this release makes it easier to route all model requests through Cloudflare's proxy — adding caching, rate limiting, and request logging without changing your model provider. Several community members reported significant cost savings using Cloudflare's cache for repetitive agent queries.

🌐 Ecosystem News

Moonshot/China Support: This release adds Moonshot (.cn) auth and preserves China base URLs, reflecting OpenClaw's growing international adoption. The Chinese developer community has been particularly active, contributing Feishu/Lark support and zh-CN documentation.

Need help with OpenClaw deployment?

SEN-X provides enterprise OpenClaw consulting — architecture, security hardening, custom skill development, and ongoing support.

Contact SEN-X →
← Back to all articles