OpenClaw 2026.6.1: Skill Workshop, Workboard Orchestration, and MiniMax M3
OpenClaw's first June release is its most ambitious pre-release yet — a governed Skill Workshop with full Control UI, multi-agent Workboard orchestration primitives, native iPad support, SQLite-backed plugin state, and MiniMax M3 model support. Meanwhile the security spotlight hasn't dimmed: Reco AI's detailed post-mortem on OpenClaw's early-2026 incident wave is required reading for any operator. And Microsoft Build just dropped the Windows Agent Framework as open source. It's a busy morning in the world of claws.
🦞 OpenClaw Updates
v2026.6.1: The Skill Workshop Era Begins
OpenClaw's 2026.6.1 pre-release, tagged this morning, is the biggest drop since the transcript-core overhaul landed in late May. The headline features are genuinely new surface area — not just stability passes or bug sweeps — and they represent a meaningful expansion of what OpenClaw is actually for.
Skill Workshop is now a first-class feature. The workshop has been in development for months, but this release gives it the full treatment: a Control UI navigation flow, a styled proposal dashboard, a "today actions" view, a revision dialog, searchable file preview modal, locale coverage, and reusable session handoff. More importantly, the underlying review mechanics are now fully wired in: the skill_workshop agent tool can apply, reject, and quarantine proposals through a guarded review flow. Pending proposals can be revised in place with versioned, dated frontmatter before approval. And support files — scripts, configs, assets — can ship with proposals, subject to scanner, hash, and rollback safeguards.
The governance model here is important and underappreciated. OpenClaw is not just adding a "create skill" button. It is adding a proposal lifecycle: submit → review → revise → approve (or reject or quarantine). That lifecycle mirrors how responsible software teams handle contributions. Applied to agent skills — which have broad system access and run with agent-level trust — this is exactly the right model.
"Skills: let pending proposals be revised in place with versioned, dated proposal frontmatter before approval." — OpenClaw 2026.6.1 release notes
Workboard orchestration is now in the framework. The new Workboard primitives add agent coordination tools for multi-agent planning and run tracking. Board runs are now task-backed, and task comments appear inside the edit modal. This positions OpenClaw as a genuine multi-agent orchestration surface, not just a single-agent personal assistant. In the same way that Claude's desktop multi-agent work gained legitimacy once the primitives got formal names, Workboard gives OpenClaw operators a vocabulary for coordinating fleets of agents against shared state.
Code mode gets namespaces. Internal namespaces for scoped agent and global sessions, with exact namespace tool dispatch, are now in the code mode path. MCP API files and docs for code-mode integrations shipped alongside. This matters for any operator running OpenClaw as a development tool rather than purely a personal assistant — scoped sessions reduce blast radius and make it easier to isolate code-mode work from other agent activity.
MiniMax M3 is in the provider catalog. MiniMax M3 becomes the latest model supported natively in OpenClaw, joining the growing list of providers available without manual integration work. Account OAuth endpoints got updated for Google and Vertex catalog fixes. OpenRouter now uses SQLite model caching for faster lookups. And Copilot Claude's 1M context capabilities are surfaced in the metadata.
iOS and mobile got serious attention. Native iPad display layouts are in. The hosted iOS push relay got default configuration, realtime Talk playback support, and a guarded WebSocket ping path for more reliable mobile sessions. The combined effect is that the iOS OpenClaw experience is starting to feel production-grade rather than like a mobile afterthought.
SQLite is eating the filesystem. Plugin install index, iMessage monitor state, inbound queues, and plugin install ledgers are all moving to SQLite-backed state. This is the right direction: SQLite gives you restartability, atomic writes, indexed queries, and recovery from partial writes — all things the previous scattered filesystem state couldn't guarantee. Operators who have experienced duplicate scan issues or "where did that plugin go?" confusion after restart will benefit immediately.
The May Beta Trail: What Led Here
2026.6.1 didn't arrive in a vacuum. The late-May beta series (2026.5.30 beta 1 and beta 2) was already laying groundwork for June. Beta 1 improved tool call recovery and stale session binding, while beta 2 — which shipped over the weekend — focused on channel delivery steadiness across Telegram, WhatsApp, iMessage, Slack, Discord, Teams, Google Chat, and iOS Talk. The throughline from those betas to 2026.6.1 is clear: fix the plumbing so the new surfaces don't sit on shaky ground.
The broader May release cycle (2026.5.26 through 2026.5.30) was one of OpenClaw's most intensive stretches. Transcripts became core. Gateway replies got faster. Content boundaries got safer — system-event text can no longer spoof nested prompt markers, and fetched file text is now explicitly wrapped as external content. Those are not glamorous fixes, but they close real attack surface that operators should care about.
The Skill Workshop governance model is the most consequential thing in this release for the ecosystem's long-term health. Not because it's the flashiest feature — it's not — but because it takes the skills supply chain seriously. Proposals, reviews, versioned revisions, rollback safeguards: this is what responsible skill distribution looks like. The faster this model becomes the default path for ClawHub contributions, the healthier the ecosystem gets. Workboard orchestration is exciting too, but govern first, orchestrate second.
🔒 Security Tip of the Day
21,000 Exposed Instances Is Not a Hypothetical — Check Yours
Reco AI published a detailed post-mortem this week on OpenClaw's early-2026 security incident wave, and the numbers are sobering. In late January 2026, Censys identified over 21,000 OpenClaw instances publicly accessible on the internet — up from roughly 1,000 just days earlier. The jump happened because new users, excited by viral adoption, stood up instances without understanding the default network exposure.
OpenClaw's Control UI is not designed to be public-facing. It assumes local or trusted-network access. When it gets exposed — even to localhost — and that localhost runs behind a reverse proxy without auth, or on a cloud VM with open security groups, the attack surface is real. CVE-2026-25253, patched in late January, allowed one-click remote code execution via a malicious link through cross-site WebSocket hijacking.
Three things to do right now:
- Audit your gateway binding. Is it bound to 127.0.0.1 or 0.0.0.0? If it's 0.0.0.0 and you're on any machine accessible from the internet, you're exposed. Check your
gateway.hostconfig and lock it to loopback unless you've explicitly secured the exposure path. - Add auth to any reverse proxy in front of OpenClaw. Even a basic HTTP auth layer on nginx or Cadence reduces opportunistic exposure massively. If you're using Cloudflare Tunnel, enable Access policies.
- Stay current. CVE-2026-25253 was patched in v2026.1.29. If you're running anything older, you're vulnerable to a known, weaponized exploit. Run
openclaw updateand verify your version.
The Reco AI post also documents the ClawHavoc incident: 341 malicious skills distributed through ClawHub in late January, roughly 12% of the entire registry at the time. This is why VirusTotal integration on ClawHub matters — and why you should still manually inspect any skill before installing it, clean scan or not. The threat model for agent skills is not like npm packages. Skills can direct your agent's behavior at a semantic level. A malicious skill doesn't need RCE if it can instruct your agent to exfiltrate files "helpfully."
⭐ Skill of the Day: weather (built-in)
🌤️ weather — The Canonical Example of a Scoped, Safe Skill
What it does: The weather skill fetches current weather and forecasts using wttr.in via curl — no API key required, no authentication, no write access to anything. It solves one bounded problem: give the agent accurate weather context so it can do useful things like morning briefings, travel planning reminders, and outfit suggestions.
Why it's today's pick: In the context of the ongoing security conversation about skills, the weather skill is a useful reference point for what a well-scoped skill looks like. It uses a public read-only API. It doesn't need credentials. It doesn't need file access. It doesn't send outbound data except a location query. The blast radius of a compromised weather skill is essentially zero — the worst it can do is give you bad weather data.
Safety posture: This skill ships with OpenClaw's built-in skill library, which means it doesn't come from ClawHub and doesn't go through the third-party supply chain at all. That's worth noting: for new users still getting comfortable with the skill ecosystem, starting with built-in skills like this one is a reasonable precaution until you've developed your own review process for third-party sources.
Usage: Ask your agent "What's the weather in Seattle this week?" or set up a heartbeat check that delivers a morning weather briefing. The skill handles location parsing, units, and forecast horizon automatically.
Broader lesson: Before reaching for a powerful third-party skill on ClawHub, ask whether a built-in or first-party skill already does what you need. The difference in trust surface is not trivial.
👥 Community Highlights
Tom's Guide Validates the "Normal Person" Use Case
Tom's Guide published a piece this week with a simple premise: a writer followed Sam Altman's public suggestion to sign into OpenClaw with their ChatGPT account. What's notable about the article isn't the tech — it's the tone. The journalist describes scheduled Discord weather briefings, proactive morning summaries, and an agent that "remembers context across sessions, learning your preferences and habits over time" as genuinely useful, not gimmicky. That's a meaningful signal: OpenClaw is landing as a practical daily tool for people who are not developers.
The Dreaming-tab agent selector in 2026.6.1 — which propagates a selected agent through Dreaming status, diary, and diary actions — makes more sense in this context. The feature is aimed at users who want to maintain a sense of "who their agent is" across different modes. That's not a power-user feature. It's a consumer feature. OpenClaw is deliberately building for a broader audience, and the design decisions in this release reflect that.
NanoClaw Founder's Critique Gets a Platform
The New Stack ran a thoughtful interview with Gavriel Cohen, founder of NanoClaw, who walked away from OpenClaw integration over architectural concerns. Cohen's argument: OpenClaw's half-million lines of code, while impressive in scope, creates an attack surface and dependency risk that container-first projects like his cannot safely absorb. His rebuild prioritizes containers, security isolation, and a minimal surface.
This is a genuinely interesting split in the agentic AI ecosystem. OpenClaw's approach is maximalist by design — bring everything in, make it all work together, move fast. NanoClaw (and similar projects) are taking the Unix philosophy route: small, composable, bounded. Both approaches have merit. The right answer probably depends on your threat model and operational discipline. What Cohen's critique correctly identifies is that "easy to set up" and "safe to run long-term" are not the same thing.
The 2026.6.1 governance features — Skill Workshop proposals, SQLite-backed state, namespaced code mode, tighter plugin manifests — suggest OpenClaw is aware of this critique and incrementally moving toward a more principled architecture. The question is whether it can get there without shedding the enthusiast community that made it what it is.
ClawHub Passes 52,000 Tools
As of this morning, ClawHub reports 52,700 tools across skills, plugins, and bundles, with 180,000 registered users and 12 million downloads. The 4.8 average rating suggests the quality bar is holding despite rapid growth. The combination of VirusTotal scanning, the new Skill Workshop governance model, and community review pressure is doing real work to keep bad actors out — but as ClawHavoc showed in January, the bar needs to stay high permanently, not just during crises.
🌐 Ecosystem News
Microsoft Build 2026: Windows Agent Framework Goes Open Source
The biggest non-OpenClaw story of the day is Microsoft Build 2026, which shipped just this morning. The headline: Windows Agent Framework is now open source, Azure Agent Mesh has been announced, and Copilot Workspace is out of beta. Microsoft is positioning Windows itself as an agent platform — not just a host for agent software, but an operating system that natively understands agentic patterns.
Project Polaris, Microsoft's in-house AI model, is slated to replace GPT-4 in GitHub Copilot by August. That's significant because it signals Microsoft reducing its dependency on OpenAI at the platform layer. For the OpenClaw ecosystem, the Copilot plugin that shipped as @openclaw/copilot in today's release becomes even more interesting in this context — Copilot with 1M context capabilities, externalised as a first-class plugin, is a meaningful integration surface.
"Windows Agent Framework open-sourced, Azure Agent Mesh announced, Copilot Workspace out of beta." — Microsoft Build 2026
The pattern is consistent with what we've been saying for months: the enterprise agent ecosystem is converging on the same architectural concerns OpenClaw has been working through. Orchestration, memory, policy, observability, tool governance. The difference is that Microsoft is selling this to CIOs. OpenClaw is selling it to developers and enthusiasts first. Both paths lead to the same destination.
EU AI Act Deferral Gives Operators Breathing Room
A quieter but practically important development: the EU Council and Parliament struck a political deal on May 7 to defer Annex III high-risk AI obligations from August 2026 to December 2027. Formal adoption is expected in June or July. For operators running OpenClaw in European business contexts — particularly those in healthcare, HR, or critical infrastructure — this buys roughly 16 additional months to get compliance infrastructure in place.
That doesn't mean do nothing. It means you now have time to do it right. The kinds of governance structures that OpenClaw's Skill Workshop and Workboard features are beginning to enable — proposal tracking, approval workflows, audit-ready state, rollback capabilities — are exactly the operational primitives that EU AI Act compliance will eventually require. Building them now, even if the deadline moved, is still the right call.
Tokenjuice and Copilot Externalized as Official Plugins
Two previously bundled OpenClaw components are now official external plugins: @openclaw/tokenjuice and @openclaw/copilot. Both are published to npm and ClawHub with full metadata. This continues the architectural direction of making the OpenClaw core smaller and more modular — capabilities that used to be internal become auditable, versioned, independently installable packages. For security-conscious operators, this is a win: you can now inspect, pin, and control the exact versions of these components independently of the core runtime.
Today's release and ecosystem signals point in the same direction: the agentic AI infrastructure layer is being built in public, in real time, with all the mess that entails. OpenClaw's Skill Workshop and Workboard give individual operators governance tools that enterprise frameworks are spending millions to build. The gap between "hacker personal assistant" and "enterprise agent infrastructure" is narrowing — and OpenClaw is closing it from the bottom up, while Microsoft closes it from the top down. Wherever they meet will be interesting territory.
Need help with OpenClaw deployment?
SEN-X provides enterprise OpenClaw consulting — architecture, security hardening, custom skill development, and ongoing support.
Contact SEN-X →