OpenClaw 2026.5.28: Security Boundaries Harden, Codex Gets More Reliable, Pixverse Video Lands, and the Gateway Gets Faster
Today's OpenClaw release drops one of the most focused security updates of the May cycle: group prompt metadata is locked out of system prompts, Tailscale no-auth exposure is blocked, node/device-role approvals now require admin authority, and Codex app-server runs get significantly more stable. Meanwhile, Pixverse video generation ships as a new first-class provider, DeepInfra gets a full credential-aware model catalog, and ClawHub improves plugin display metadata — all while the broader AI world wrestles with what "agentic" actually means in 2026.
🦞 OpenClaw Release: v2026.5.26-beta.3 / v2026.5.28
The freshest release tagged on GitHub this morning continues the intensive May hardening cycle that started with the big 2026.5.22 Gateway performance overhaul. This time, the headline theme is security boundaries and Codex reliability — two areas that matter more the more you trust your agent with real work.
Security: The Most Important Changes This Release
Several security-focused pull requests landed in today's release, each addressing a real attack surface:
- Group prompt metadata out of system prompts: Untrusted group prompt text is now routed outside the system prompt. This is a significant prompt-injection mitigation — when agents participate in group chats (Discord, Slack, Teams), arbitrary group message metadata can no longer ride the system-prompt trust bus. PR #87144.
- Repeated trailing hostname dots normalized: A subtle but exploitable issue: hostnames with repeated trailing dots (e.g. attacker.com..) could bypass hostname validation. Now normalized. PR #87305.
- Side-effecting command wrappers blocked: Certain wrappers around shell commands that produce side effects are now rejected outright. This prevents a class of abuse where tools try to smuggle shell execution behind innocuous-looking API calls. PR #87292.
- No-auth Tailscale exposure rejected: OpenClaw will now refuse Tailscale configurations that expose the gateway without authentication. If you're using Tailscale to make your agent accessible remotely — you should be requiring auth. Now it's enforced. PR #87308.
- Node/device-role approvals require admin authority: Role escalation for nodes and devices is now gated behind admin authority, not just owner status. PR #87146.
- Microsoft Teams service URL trust blocked: Untrusted Teams service URLs no longer get elevated treatment. PR #87154.
- /allowlist configWrites origin policy enforced: The allowlist for config writes now has an enforced origin policy, preventing config manipulation from unexpected sources. PR #87334.
The group-prompt-metadata change is the most important one in this entire batch. As OpenClaw agents increasingly live in multi-user group channels — Discord servers, Slack workspaces, Teams — the risk that malicious group messages try to inject instructions into the system prompt is very real. This isn't a theoretical attack; it's been demonstrated in other agentic systems. The fix is exactly the right approach: treat group metadata as untrusted and keep it out of the privileged context window. Update immediately if your agent participates in any group channels you don't fully control.
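The trailing-dot hostname item above is easy to get wrong in your own integrations too. The following is an added example (not OpenClaw's code, and not the fix in PR #87305) of normalizing a hostname before any allow/deny comparison; the host lists are constructed sample values.

```typescript
// Added example, not OpenClaw's own code: normalize a hostname before any
// allow/deny comparison so trailing-dot spellings ("attacker.com.",
// "attacker.com..") cannot slip past a check that compares raw strings.
// Host lists below are constructed sample values.

const BLOCKED_HOSTS: ReadonlySet<string> = new Set(["attacker.com"]);
const ALLOWED_HOSTS: ReadonlySet<string> = new Set(["api.example.com"]);

// One DNS label: letters, digits, hyphens; no leading/trailing hyphen; 1-63 chars.
const LABEL_RE = /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/;

// Returns the canonical lowercase hostname, or null if it is not well-formed.
function normalizeHostname(raw: string): string | null {
  // Lowercase and strip ALL trailing dots, not just one.
  const host = raw.trim().toLowerCase().replace(/\.+$/, "");
  if (host.length === 0 || host.length > 253) return null;
  // Every remaining label must be valid; empty labels ("a..b") are rejected
  // rather than silently collapsed, so odd spellings never reach the check.
  const labels = host.split(".");
  if (!labels.every((label) => LABEL_RE.test(label))) return null;
  return host;
}

// The weak check: compares the raw string, so "attacker.com.." is not
// recognized as the blocked host even though downstream code may treat
// it as the same host.
function naiveIsBlocked(raw: string): boolean {
  return BLOCKED_HOSTS.has(raw);
}

// Hardened checks: malformed input is treated as blocked / not allowed.
function isBlocked(raw: string): boolean {
  const host = normalizeHostname(raw);
  return host === null || BLOCKED_HOSTS.has(host);
}

function isAllowedHost(raw: string): boolean {
  const host = normalizeHostname(raw);
  return host !== null && ALLOWED_HOSTS.has(host);
}
```

The same normalization should be applied to the hostname actually handed to the HTTP client, so the value you validated is the value you connect to.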
Codex App-Server: Finally Getting Reliable
The Codex integration — which powers native Codex threads, app-server sessions, and the increasingly capable ACP flows — gets a significant reliability pass:
- Codex runtime models resolve first before generic routing, so the right model is used from the start rather than falling back to incorrect defaults. PR #87383.
- Workspace memory routed through tools instead of being injected directly, which is both more consistent and more auditable. PR #87403.
- Shared app-server clients survive startup and spawned-helper failures — previously, a helper crash could take down the entire app-server client. PR #87375.
- Native hook relay generations survive restarts and rotate on fresh fallbacks — this fixes a class of "stuck Codex session" bugs that surfaced after gateway restarts. PR #72574.
- False runtime live switches avoided — Codex sessions won't incorrectly report being "live" when they're in a transitional state. PR #87428.
Thanks to contributor @yetval for the Codex reliability work across these PRs.
If you've been frustrated by Codex sessions that seem to lose state after a gateway restart, or threads that silently fall back to the wrong model, these fixes are for you. The pattern of "shared clients surviving helper failures" is particularly important for anyone running multi-agent setups where a sub-agent crash shouldn't cascade. This is the kind of boring-but-essential reliability work that makes or breaks production agent deployments.
Provider Expansion: Pixverse Video and Full DeepInfra Catalog
Two provider improvements worth calling out:
Pixverse video generation is now a first-class OpenClaw provider, including API region selection, docs, and external plugin packaging support. If you want your agent to generate video clips — Pixverse joins the growing roster of multimodal providers in the OpenClaw ecosystem. This isn't just a checkbox; video generation as a tool your agent can invoke opens up genuinely new workflows for content creation, documentation, and demonstration generation.
DeepInfra model catalog now loads the full credential-aware model set during onboarding, rather than showing only a subset. Configured API-key catalogs are preserved across sessions, and pricing/default model metadata stays aligned. If you've been using DeepInfra for cost-effective inference and found the model picker confusing, this should be a noticeable improvement. Thanks to contributor @ats3v.
OpenAI-compatible embedding providers are now core — not just plugin-level features. This means any OpenAI-compatible embedding endpoint (local or hosted) can now be configured for memory search without requiring a custom plugin. Huge for self-hosters running local embedding models. Thanks to contributor @dutifulbob.
Gateway and Reply Path Performance
The Gateway performance work from 2026.5.22 (which famously dropped /models latency from ~20 seconds to 5ms) continues:
- Session reads, plugin metadata fingerprints, auth env snapshots, auto-enabled plugin config, tool-search catalogs, and stable metadata caches all do less hot-path rediscovery
- Visible replies no longer inherit hidden cleanup timeouts — this one matters if you've ever seen a reply get cut off prematurely in edge cases
Thanks to contributor @keshavbotagent for this work.
ClawHub: Plugin Display Metadata Improvements
ClawHub — which now hosts 52.7K tools and counting — gets a UX improvement: plugin display metadata is now richer, so catalog and package listings use cleaner, more readable names instead of raw npm package identifiers. This makes ClawHub browsing noticeably better, especially as the catalog grows. Thanks to contributor @thewilloftheshadow. PR #87354.
Channel Delivery Fixes
The usual round of channel-specific fixes rounds out the release:
- Telegram sendMessage actions now use durable outbound delivery — messages that previously could fail silently on transient network issues will now retry correctly.
- iMessage suppresses duplicate native exec approval prompts and sends — if you've seen double-send or duplicate approval dialogs on iMessage, this is fixed.
- Slack keeps delivered final replies during late cleanup — edge case where the cleanup phase was wiping out replies that had already been delivered.
- Matrix mention previews and finals are stricter, reducing noisy partial-delivery states.
- Discord guild requester checks are tighter, and recovered Discord tool-warning artifacts are kept out of successful replies.
- Google Chat stops thread sends in DMs — previously could incorrectly try to send threaded replies to DMs where threads don't apply.
🔒 Security Tip of the Day
Lock Down Your Tailscale Gateway Exposure
Today's release blocks no-auth Tailscale gateway exposure at the OpenClaw level — but even before this fix, the behavior was documented. Here's what operators should know about securing remote agent access:
The threat model: If your OpenClaw gateway is accessible over Tailscale without authentication requirements, anyone on your tailnet (or with access to a compromised tailnet device) can interact with your agent without any additional credential check. Given that agents have access to your files, messages, and tools, this is a significant privilege escalation vector.
What to do right now:
- Update to the latest OpenClaw release — the no-auth Tailscale exposure rejection is now enforced at the gateway level
- Enable Tailscale ACLs to restrict which devices on your tailnet can reach your gateway's port
- Use openclaw gateway /owner to confirm your owner-only protections are set correctly
- If you're running the gateway on a shared Tailscale network (e.g. a work network), consider using a dedicated personal tailnet for your OpenClaw instance
- Audit your /allowlist regularly — know who has exec and config-write access
Bottom line: Treat your OpenClaw gateway like a private API endpoint. It has access to everything you've connected to it. Auth isn't optional.
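A Tailscale ACL policy that implements the "restrict which devices can reach your gateway's port" step above, added here as an illustration rather than taken from the OpenClaw docs. The tag names and the GATEWAY_PORT placeholder are assumptions; replace them with your own tags and the port your gateway listens on.

```jsonc
{
  // Weak setting: the default policy of a fresh tailnet. Every device on the
  // tailnet can reach every port on every other device, including the gateway.
  // "acls": [{ "action": "accept", "src": ["*"], "dst": ["*:*"] }],

  // Corrected setting: tag the gateway host and the devices allowed to use it,
  // then permit only that pairing on the gateway port. Tailscale is default-deny,
  // so anything not listed here is unreachable.
  "tagOwners": {
    "tag:openclaw-gateway": ["autogroup:admin"],
    "tag:openclaw-client":  ["autogroup:admin"],
    "tag:other-device":     ["autogroup:admin"]
  },
  "acls": [
    {
      "action": "accept",
      "src": ["tag:openclaw-client"],
      "dst": ["tag:openclaw-gateway:GATEWAY_PORT"] // placeholder: your gateway port
    }
  ],
  // Policy tests are evaluated when the policy is saved; a failing test blocks
  // the save, so the restriction cannot silently regress later.
  "tests": [
    { "src": "tag:openclaw-client", "accept": ["tag:openclaw-gateway:GATEWAY_PORT"] },
    { "src": "tag:other-device",    "deny":   ["tag:openclaw-gateway:GATEWAY_PORT"] }
  ]
}
```

Network reachability is only the outer layer: the gateway's own auth still applies to every device that the ACL lets through.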
⭐ Skill of the Day: weather
🌤️ weather — Current Conditions and Forecasts
What it does: A clean, dependency-light skill that fetches current weather and multi-day forecasts for any location using the wttr.in API. Covers temperature, precipitation probability, wind, and UV index. Works for travel planning, calendar-aware weather alerts, and daily briefings. Returns structured data that your agent can summarize conversationally.
Source: Bundled with OpenClaw's core skills set — available from the official openclaw/openclaw repository and listed in the ClawHub skills catalog.
Security profile: Read-only, no credentials required, no external API keys. Fetches from wttr.in, a well-known open weather service. Safe to install without elevated concern — no file writes, no system access, no token storage. The kind of skill you can install with confidence.
Install: openclaw skills install weather
Why we like it today: With OpenClaw's heartbeat system, you can configure your agent to proactively check the weather and flag relevant conditions — "Hey, it's going to rain during your afternoon meeting time" or "Air quality is poor today." That's the kind of ambient awareness that distinguishes a genuinely useful agent from a fancy chatbot. Simple skill, high practical value.
👥 Community Highlights
The $1.3M Token Bill — Still Reverberating
Creator Peter Steinberger's public screenshot showing $1,305,088.81 in OpenAI API charges over 30 days continues to generate conversation across the tech community. The figure — first reported by The Next Web and Tom's Hardware — initially shocked people, but the nuanced read is more interesting: Steinberger is running a large multi-agent deployment that processes enormous volumes of messages across hundreds of channels. His per-message cost is actually quite reasonable at scale; it's the volume that produces the headline number.
What the community has latched onto is the broader lesson: agent cost monitoring is a first-class operational concern, not an afterthought. The OpenClaw ecosystem's response has been tooling — better usage visibility in the gateway, per-session cost tracking, and model fallback configurations that route cheaper models when the full frontier model isn't needed.
"The token bill isn't the story. The story is that someone built something valuable enough that $1.3M in API costs was worth it." — Community consensus on the Clawd Discord
Containerization Story Gains Momentum
Sally Ann O'Malley's presentation on "OpenClaw in Containers" — which demonstrated the OpenClaw installer's Docker and Kubernetes deployment paths — continues to get pickup in the DevOps community. The ability to deploy OpenClaw as a containerized service with workspace templates baked in is a genuine enterprise enabler. Docker runtime workspace templates are packaged and smoke-tested in this release, which is a direct response to the containerization interest the presentation generated.
ClawHub Crosses 52.7K Tools
The ClawHub registry now lists 52.7K tools with 180K users and 12M downloads — remarkable growth for an ecosystem that didn't exist in its current form a year ago. The plugin display metadata improvement in today's release is partly a response to catalog discovery friction: as the registry grows, making package names readable becomes more important than it was at 10K tools.
🌐 Ecosystem News
The Agentwashing Problem Gets Worse
Gartner's latest analysis identifies roughly 130 genuine agentic AI vendors among thousands making the "agentic" claim in their marketing. The term "agentwashing" — applying the agentic label to products that are, at best, sophisticated chatbots with API calls — is getting louder coverage as enterprise buyers start experiencing the gap between pitch and reality.
For OpenClaw operators, this matters in a practical way: when evaluating third-party tools and integrations that claim to be "agent-compatible," the agentwashing filter is worth applying. Does the tool actually support multi-step autonomous operation? Does it handle tool calls, memory, and error recovery? Or does it just have a chat interface? The distinction increasingly matters for real workflows.
OpenClaw is one of the few tools in this space that earns the "agentic" label honestly. Real tool calls, real memory, real multi-channel operation, real cron scheduling, real sub-agent spawning. The agentwashing wave is going to make it harder for legitimate platforms to be heard — but it also means that actually running agents (rather than just talking about them) becomes an increasingly strong differentiator for organizations that get it right.
Camunda ProcessOS: Business Processes as Agentic Workflows
Camunda announced ProcessOS at CamundaCon — an AI-powered intelligence layer that discovers, re-engineers, and continuously optimizes business processes as agentic workflows. Currently in closed beta (started May 20, 2026), it represents the enterprise workflow automation market's acknowledgment that autonomous execution is the direction. For OpenClaw operators building business process automation on top of the platform, ProcessOS-style thinking is worth watching: the pattern of "discover what's happening, propose improvements, execute changes" maps well to what sophisticated OpenClaw agent setups can already do.
ServiceNow: AI Security and Governance at Knowledge 2026
ServiceNow launched "Autonomous Security and Risk" at Knowledge 2026, built around the integration of Armis and Veza, and expanded AI Control Tower into a broader governance product for discovering, observing, governing, and securing AI agents across the enterprise. The framing — an "AI Control Tower" — is essentially the enterprise version of what OpenClaw's gateway does for personal and small-team deployments. The enterprise market is converging on the same insight: you need a control plane for your agents, not just individual agent tools.
Illinois AI Safety Law: First State Independent Audit Requirement
Illinois became the first U.S. state to require independent AI safety audits, per reporting from today's AI news cycle. For operators running OpenClaw in any kind of commercial or organizational context, state-level AI regulation is moving faster than federal. The Illinois model — requiring third-party safety audits — may become a template others follow. Start thinking about your agent's audit trail and logging now, before it's a compliance requirement.
The Illinois audit requirement is a signal, not just a local rule. OpenClaw's observable execution model — with logged tool calls, session history, cron audit trails, and gateway diagnostics — positions it well for exactly this kind of accountability requirement. If you're running agents in an organizational context, the investment in proper OpenClaw logging and session hygiene you're making now will pay off when compliance questions arrive. Build the audit trail as a standard practice, not as a retrofit.
📊 By the Numbers
- 52.7K — Tools listed on ClawHub
- 180K — ClawHub users
- 12M — ClawHub total downloads
- 4.8 — ClawHub average tool rating
- $1,305,088.81 — Peter Steinberger's OpenAI API bill over 30 days (still the number everyone's talking about)
- 7+ — Security-focused PRs in today's release
- 130 — Genuine agentic AI vendors (per Gartner, out of thousands claiming the label)
🔧 Quick Ops Notes
If you're using Tailscale for remote access: Update today. The no-auth exposure rejection is now enforced. If you had a config that relied on unauthenticated Tailscale access (bad idea regardless), you'll need to add proper auth before upgrading or your gateway startup will reject the config.
If you run Codex threads: The model routing and app-server client stability fixes are a meaningful quality-of-life improvement. Upgrade and restart your gateway — the changes require a clean restart to take effect.
If you're using DeepInfra: Re-run the onboarding model browser or openclaw models --provider deepinfra to see the full catalog. Previously you might have been missing a significant portion of available models.
If you're interested in video generation: The Pixverse provider is now available. Add your Pixverse API key in Gateway settings under Providers → Pixverse. Region selection (US/EU/AP) is supported.
Need help hardening your OpenClaw deployment?
SEN-X provides enterprise OpenClaw consulting — architecture review, security hardening, custom skill development, and ongoing operational support. We help teams go from "we have an agent" to "we run agents safely at scale."