OpenClaw v2026.5.28: Codex 0.134, Claude Opus 4.8, iOS Pro Refresh, and the $1.3M Question
The latest OpenClaw beta delivers Codex CLI 0.134.0, Claude Opus 4.8 support, a rearchitected iOS Pro UI, encrypted PDF extraction, and a brand-new GitHub Copilot agent runtime. Channel delivery gets safer across a dozen platforms. Meanwhile, the ecosystem is buzzing about OpenClaw creator Peter Steinberger's very public $1.3M OpenAI bill — and what it means about always-on agent economics. Google Spark launched, OpenClaw passed 300K stars, and AI agent frameworks everywhere are racing to professionalize.
🦞 OpenClaw Updates
v2026.5.28-beta.1: A Big Pre-Release With a Lot Moving at Once
The v2026.5.28-beta.1 pre-release dropped on May 29 and represents one of the busier betas of the year. Across eight distinct areas — agent runtime, channel delivery, mobile surfaces, input validation, providers, CLI/auth, performance, and QA — the team has pushed a dense set of changes that collectively move OpenClaw meaningfully forward on stability, provider coverage, and mobile maturity.
Let's break down what actually matters:
Codex CLI Updated to 0.134.0
The bundled Codex CLI jumps to version 0.134.0 in this release, keeping native Codex in sync with the upstream @openai/codex package. Alongside that, OpenClaw adds a new Codex Supervisor plugin — a dedicated package for delegated Codex workflows where you want a higher-level orchestrator to coordinate multiple Codex sub-tasks without letting them trample each other's state.
This is paired with a new GitHub Copilot agent runtime, externalizing Copilot as a first-class ACP-compatible agent target. In practice, it means you can now wire GitHub Copilot directly into OpenClaw sessions alongside Codex, Claude, and other agents — treating each as a peer in a multi-agent orchestration without custom glue code. That is a significant extensibility unlock for teams already living in the GitHub ecosystem.
The Codex Supervisor plugin and Copilot runtime landing together is not a coincidence. OpenClaw is quietly building a multi-agent coordination substrate where GitHub's tooling can coexist with Anthropic's and OpenAI's without forcing operators to pick lanes. That is the right architectural bet — the future is polyglot agent stacks, not monolithic chatbots.
Claude Opus 4.8, NVIDIA Featured Models, MiniMax Streaming Music
Provider coverage expands meaningfully in this release. Claude Opus 4.8 support lands, keeping OpenClaw current with Anthropic's latest frontier model as it rolls out to API users. Fal Krea image model schemas are added, extending the roster of image generation backends accessible natively through the image_generate tool. NVIDIA featured model catalogs are wired in, making it easier to browse and select from NVIDIA's curated model lineup. And MiniMax streaming music responses are now supported — a niche but interesting capability for agents doing real-time audio generation workflows.
Also notable: provider-backed voice model catalogs. OpenClaw now pulls voice model listings from providers dynamically rather than maintaining a static local registry, which means new TTS voices appear without requiring a client update. That is a small QoL detail that quietly matters a lot for voice-heavy deployment patterns.
iOS Pro UI: The Most Ambitious Mobile Push Yet
The iOS app gets what the release notes call a "broad refresh" in this beta, touching the Pro Command surface, Chat, Agents, Settings, hosted push relay defaults, and realtime Talk playback. This is not a cosmetic update — the underlying architecture now wires UI state directly to gateway sessions and realtime Talk, which means the iOS app can properly track, steer, and display what the agent is doing in real time.
The push relay default change is also important. By defaulting to the hosted push relay, OpenClaw significantly reduces the setup friction for new iOS users who do not want to operate their own relay infrastructure. It is a tradeoff — you are routing notifications through OpenClaw's infrastructure instead of your own — but for the vast majority of personal deployments, that is the right default.
Thanks to contributors @Solvely-Colin and @ngutman for driving the mobile improvements in this cycle.
Channel Delivery Gets a Comprehensive Safety Audit
One of the most underappreciated parts of this release is the breadth of channel delivery fixes. The notes list improvements across outbound plugin hooks, Matrix room IDs, iMessage reactions and approvals, Slack final replies, Discord recovered tool warnings, WhatsApp profile auth roots, Telegram polling, and Microsoft Teams service URL trust checks.
That is every major messaging surface getting a specific hardening pass in a single release. The pattern suggests the team did a structured audit of delivery edge cases rather than fixing them piecemeal. The Microsoft Teams service URL trust check fix is particularly worth flagging — Teams bots that accept unvalidated service URLs can be manipulated to send messages to attacker-controlled endpoints, so this is a real security fix, not just a reliability tweak.
Encrypted PDF Extraction via ClawPDF
OpenClaw now supports extracting text from encrypted PDFs using ClawPDF — its first-party PDF processing library. This is a frequent pain point for enterprise users who deal with password-protected documents, legal contracts, and compliance materials. The update also surfaces MCP structured content in agent tool results, which improves how tool responses from Model Context Protocol-compatible servers appear in agent context.
Agent Runtime: Steadier Subagent Isolation and Lock Release
Several important agent runtime fixes land in this beta. Subagents now properly maintain cwd/workspace separation from their parent sessions, preventing a class of bugs where spawned sub-agents would inherit or pollute workspace state. Hook context stays prompt-local, meaning plugin hooks can no longer leak context across session boundaries. Session locks now release on timeout abort, preventing the stuck-session syndrome that plagued some operators in the late-April rough patch. And Codex app-server helper failures no longer tear down shared runtime state — a cascading failure mode that previously could kill an entire gateway session when a Codex sub-component crashed.
The subagent isolation and lock-release fixes are the most operationally important changes in this release for anyone running multi-agent workflows. If you have been experiencing stuck sessions or unexpected state leakage between agents, upgrade to this beta — these fixes directly address those failure modes. The PR numbers referenced (#87218, #86875, #87409) suggest this was a coordinated multi-engineer effort, not a quick patch.
ClawHub Gets Plugin Display Names and Skill Trust Surfaces
The ClawHub marketplace integration improves with plugin display names — making browsing skills and plugins more human-readable — plus dedicated skill verification and trust surfaces. With 52.7K tools, 180K users, and 12M total downloads, ClawHub is increasingly the default discovery layer for OpenClaw operators. Making trust metadata visible at the point of discovery is exactly where that information is most useful.
🔒 Security Tip of the Day
Channel Delivery Trust: Why Service URL Validation Matters
The Microsoft Teams service URL trust check fix in v2026.5.28-beta.1 is a window into a broader class of security issue: delivery endpoint trust. When your agent sends a message, it needs to verify that the destination URL it received in an incoming event or webhook payload is actually a legitimate platform endpoint — not a URL injected by an attacker who abused a webhook or crafted a malicious incoming message.
This attack class is sometimes called open redirect exploitation in agent systems. An attacker sends a message to your agent through a compromised channel that contains a spoofed service URL. If the agent blindly trusts that URL and posts responses to it, the attacker can intercept your agent's replies — potentially capturing context, tool results, or sensitive information your agent was relaying back.
Here is the practical playbook for defending against this:
- Keep OpenClaw updated — the v2026.5.28 Teams fix and the broader channel audit in this release are directly addressing this class of issue.
- Limit which channels your agent is active on — each channel integration is an additional trust boundary. Only enable the ones you need.
- Review outbound plugin hook configurations — plugins that make external HTTP calls on delivery events are particularly sensitive to URL injection.
- Monitor your gateway logs for unexpected outbound requests — delivery errors and unusual service URL patterns will often appear there before you notice them in behavior.
- For Teams specifically: verify your bot registration's allowed reply URLs in Azure AD and confirm you are not accepting service URLs outside Microsoft's documented ranges.
Bottom line: as OpenClaw becomes a message hub connecting multiple platforms, every channel integration is a potential delivery trust boundary. The security model is not just about what your agent can access — it is also about where your agent's outputs can be sent.
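The service URL check described in this section, sketched as an added example (not OpenClaw's own code). The names `checkServiceUrl` and `triage`, the `{ id, serviceUrl }` event shape and the single-entry allowlist are assumptions, and the sample events are constructed.

```javascript
// Added example: allowlist check on a channel-supplied service URL.
// ALLOWED_HOSTS is an assumption; populate it from the platform's documented endpoints.
const ALLOWED_HOSTS = new Set(["smba.trafficmanager.net"]);

function checkServiceUrl(raw, allowed = ALLOWED_HOSTS) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return { ok: false, reason: "unparseable" };
  }
  if (url.protocol !== "https:") return { ok: false, reason: "not-https" };
  // "https://trusted@other.host/" parses with other.host as the real destination.
  if (url.username || url.password) return { ok: false, reason: "userinfo" };
  if (url.port !== "") return { ok: false, reason: "non-default-port" };
  // Exact match on the parsed hostname. Substring or suffix checks on the raw
  // string pass look-alike hosts, and a shared parent domain may let other
  // tenants register sibling names.
  if (!allowed.has(url.hostname.toLowerCase())) {
    return { ok: false, reason: "host-not-allowed" };
  }
  return { ok: true, target: url.href };
}

// Constructed inbound events (hypothetical shape: { id, serviceUrl }).
const SAMPLE_EVENTS = [
  { id: "evt-1", serviceUrl: "https://smba.trafficmanager.net/amer/" },
  { id: "evt-2", serviceUrl: "https://smba.trafficmanager.net.untrusted.example/amer/" },
  { id: "evt-3", serviceUrl: "https://smba.trafficmanager.net@untrusted.example/" },
  { id: "evt-4", serviceUrl: "http://smba.trafficmanager.net/amer/" },
  { id: "evt-5", serviceUrl: "https://untrusted.example/?u=smba.trafficmanager.net" },
  { id: "evt-6", serviceUrl: "https://smba.trafficmanager.net:8443/amer/" },
  { id: "evt-7", serviceUrl: "not a url" },
];

// Split events into ones safe to reply to and ones to drop and log.
function triage(events, allowed = ALLOWED_HOSTS) {
  const deliver = [];
  const rejected = [];
  for (const e of events) {
    const r = checkServiceUrl(e.serviceUrl, allowed);
    if (r.ok) deliver.push({ id: e.id, target: r.target });
    else rejected.push({ id: e.id, reason: r.reason });
  }
  return { deliver, rejected };
}

console.log(JSON.stringify(triage(SAMPLE_EVENTS), null, 2));
```

The `rejected` entries are the records worth writing to the gateway log and alerting on, since a rise in `host-not-allowed` or `userinfo` rejections points at someone probing the delivery path.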
⭐ Skill of the Day: weather
🔧 weather — Current Forecasts via wttr.in
What it does: The built-in weather skill fetches current conditions and multi-day forecasts using the wttr.in service via simple curl requests. It handles locations, rain probability, temperature (C or F), and travel planning queries. The skill works entirely through public HTTP — no API key required, no credentials to manage, no external account to provision.
Why we like it this week: It is a perfect example of a skill that is correctly scoped. It does exactly one thing. It accesses exactly one endpoint. It makes no write operations. It stores no credentials. From a security review standpoint, it is about as clean as a skill gets. And it actually works — which is more than you can say for many API-dependent skills that break when upstream services change their schema.
Safety verification: The weather skill is a core OpenClaw bundled skill maintained by the OpenClaw team at ~/.openclaw/skills/weather/. Because it is part of the main distribution rather than a third-party ClawHub install, it follows the same review and QA process as the gateway itself. No VirusTotal scan needed — the provenance is the OpenClaw release process. That said, if you are using a ClawHub-distributed weather skill from a third party, the same supply-chain hygiene rules apply: check the scan, read the SKILL.md, confirm what it actually calls.
Best use case: Pair it with a morning heartbeat job. Have your agent check local weather before your commute window and surface rain or temperature alerts proactively — without you needing to ask.
Example prompt: What's the weather in San Francisco this weekend? Will I need an umbrella?
👥 Community Highlights
Peter Steinberger's $1.3M API Bill — And What It Actually Means
The biggest community conversation this week is not a technical one. OpenClaw creator Peter Steinberger shared a screenshot showing $1,305,088.81 in OpenAI API charges over 30 days. The number went viral across The Next Web, Tom's Hardware, Let's Data Science, and dozens of developer forums.
The reactions have ranged from awe to alarm to dark comedy, but the serious framing matters: this is what always-on agent infrastructure costs at even relatively modest organizational scale. Steinberger is not burning $1.3M frivolously — OpenClaw's own development, dogfooding, integration testing, and community support infrastructure all run on top of the API. The figure is a real-world data point about what it means to operate AI agents as infrastructure rather than as occasional tools.
"OpenClaw made the always-on agent feel personal by making it live somewhere you could point at — a Mac mini on a shelf, drawing seven watts, running while you sleep." — The New Stack
The key insight buried in the coverage: local inference is not just a privacy story. It is an economics story. A well-configured OpenClaw deployment that routes routine, low-complexity tasks to a local model (like Ollama-backed Gemma or Llama) and reserves API calls for genuinely hard inference can dramatically cut monthly costs without meaningful capability loss. The $1.3M headline is a useful forcing function for the community to get serious about model routing strategy.
Steinberger sharing that screenshot was a deliberately provocative move — and a smart one. It reframes the OpenClaw conversation from "cool personal assistant" to "serious infrastructure with real operational costs." The community needed that reframe. Agents that run 24/7 need a cost model, not just a capability model. If you are not thinking about model routing, local inference, and per-task cost budgets, you will eventually have a moment like this. Start thinking about it now, before the bill surprises you.
OpenClaw Passes 300,000 GitHub Stars — Then Google Launches Spark
The milestone was massive: OpenClaw crossed 300,000 GitHub stars, making it one of the fastest-growing repositories in GitHub's history. For a project that started as an experimental personal assistant runner on a Mac mini, that number represents something genuinely unprecedented in the agent framework space.
Then, within days, Google launched Gemini Spark — widely seen as a direct competitive response to OpenClaw's always-on personal agent model. The New Stack published a detailed Gemini Spark vs. OpenClaw comparison that broke down the architectural differences: Spark runs in the cloud with Google's infrastructure, while OpenClaw runs on your hardware under your control. Both are always-on. Both integrate broadly with communication channels and tools. But they represent fundamentally different trust models.
The OpenClaw community's reaction was mostly calm confidence: the local-first approach is not just a technical preference, it is a philosophical commitment that a significant cohort of users actively chose. Google entering the space validates that OpenClaw identified a real category — but it does not necessarily take the same users.
Orca Adds OpenClaw to Its Trading Infrastructure Stack
In an interesting deployment story, trading infrastructure startup Orca announced that it is building its intelligent market participation platform on top of OpenClaw automation infrastructure. Combining OpenClaw's agent orchestration with Nodepay-powered sentiment intelligence, Orca is targeting algorithmic trading use cases that require real-time autonomous decision-making within defined policy bounds.
This is a reminder that OpenClaw's user base is not homogeneous. The same framework that powers a journalist's research assistant or a developer's coding workflow is also being embedded in financial infrastructure. That breadth is a strength — and a responsibility. As always, deployment context should drive your security posture far more than the software's defaults.
🌐 Ecosystem News
Hermes Agent Claims Top Developer Mindshare — Temporarily
A Forbes piece this week flagged that Hermes Agent — featuring built-in memory and continuity as core primitives rather than bolt-ons — has been making noise in developer rankings, with some metrics showing it edging past OpenClaw in raw install velocity for a brief period. The framing around "overtaking" was predictably hyperbolic, but the underlying signal is real: memory as a first-class architectural component is the next major differentiation vector in agent frameworks.
OpenClaw's Active Memory system, which got scope tightening in recent releases, is the project's answer to this challenge. But the competitive pressure from memory-native frameworks is useful — it is pushing the broader ecosystem to treat agent continuity as an engineering problem rather than an afterthought.
State of AI Agent Memory 2026: Memory Is Now Infrastructure
Mem0's State of AI Agent Memory 2026 report landed this week and is worth a read. The headline conclusion: in 2026, agent memory is a first-class architectural component with its own benchmark suite, research literature, and measurable performance gaps between approaches. Short-term context windows, long-term vector storage, episodic recall, and procedural memory are now treated as distinct engineering concerns — not variations on the same problem.
For OpenClaw operators, the practical takeaway is that how you configure your agent's memory architecture matters as much as which model you use. MEMORY.md files, daily note patterns, and session continuity strategies are not just organizational conveniences — they are meaningful architectural choices that affect what your agent can do and how reliably it does it.
AI Agents in DevOps: Autonomous Pipelines Are Real Now
DevX published a solid overview of AI agents in DevOps in 2026, documenting real-world deployments where autonomous agents handle CI/CD pipeline decisions, incident triage, and dependency update workflows. The pattern that keeps appearing: agents are most useful at the interface between human decision-making and automated execution — handling the information gathering, context assembly, and option surfacing, while keeping humans in the loop for consequential choices.
That pattern maps cleanly to OpenClaw's approval-gate model. The project's exec approval system, tool policy controls, and session lock mechanics are all implicitly designed for the DevOps deployment pattern — agents that have real access to real systems, but cannot execute consequential actions without explicit human confirmation.
The broader ecosystem story this week is a single coherent arc: agent systems are becoming infrastructure, and infrastructure has different requirements than demos. Cost models, memory architecture, delivery trust, multi-agent coordination, and governance are all becoming first-class engineering concerns. OpenClaw's trajectory — steadier runtime, safer channels, better mobile, broader providers — is the right response. The project is not slowing down to play it safe; it is professionalizing to play it serious.