OpenClaw 2026.6.8 Ships Richer Channels, Agent Phishing Exposed, and Microsoft Launches Scout on the OpenClaw Runtime
The 2026.6.x release train keeps accelerating. OpenClaw 2026.6.8 pre-release lands richer and more resilient Telegram and WhatsApp delivery, broader model support including GLM-5.2 and Claude Haiku 4.5, and a focused wave of gateway and agent recovery fixes. Beyond the release notes, it has been a significant week for the ecosystem: Varonis research catches OpenClaw email agents failing classic phishing simulations, Microsoft formally launches Scout on the open-source OpenClaw runtime at Build 2026, and ClaWHub's skills library crosses 52,000 tools.
🦞 OpenClaw Updates
v2026.6.8 Pre-Release: Channels, Providers, and Recovery in Focus
OpenClaw tagged v2026.6.8 on June 13, 2026 as a pre-release, continuing the rapid cadence of the 2026.6.x train that launched with the CalVer-structured v2026.6.5 earlier this month. The release is substantial, touching messaging channels, provider handling, the usage/reply reporting surface, and UI/mobile stability. Here is what matters most for operators running agents against real workloads.
Telegram and WhatsApp Delivery Gets Significantly Richer
The most user-visible change in 2026.6.8 is a substantial overhaul of how OpenClaw sends messages to Telegram and WhatsApp. Telegram now supports structured rich text with tables, lists, and expandable blockquotes — a long-standing community request for anyone running agents that summarize or report data. The native draft migration is retired, rich-media boundary handling is safer, and CLI backend delivery now preserves prompts correctly. WhatsApp catches up too, with a fix that now properly honors configured ACP bindings, which means agents using WhatsApp as a delivery channel will behave consistently with the rest of the agent's policy configuration.
These changes are meaningful beyond the surface improvements. Chat channel delivery has historically been one of the gnarlier parts of running a production OpenClaw agent — messages that looked right in testing would arrive garbled, truncated, or with weird formatting artifacts. The 2026.6.8 fixes address multiple root causes simultaneously, which is a good sign for anyone relying on Telegram or WhatsApp as primary output surfaces.
If you have been tolerating Telegram formatting oddities or WhatsApp ACP binding mismatches, this release is worth pulling early even as a pre-release. The risk profile for channel-delivery fixes is typically low — they are mostly output-path changes — and the quality-of-life improvement for operators using rich content (tables, summaries, reports) is real.
Provider and Model Catalog Expands: GLM-5.2, Claude Haiku 4.5, Vertex, LM Studio
The 2026.6.8 release adds catalog rows for GLM-5.2 and Claude Haiku 4.5, continuing OpenClaw's pace of integrating newly-released frontier models shortly after launch. OpenRouter and Google Vertex both receive provider-prefix normalization fixes — the kind of behind-the-scenes plumbing that prevents model identifiers from breaking when users switch between routing layers. Managed SecretRef auth for providers is also in this release, making credential handling more durable for longer-running agent deployments.
A few fixes are particularly notable for self-hosters: LM Studio now receives LLM responses with thinking-off delivery, which prevents binary thinking tokens from appearing in chat output. OpenAI Responses replay gating is now storeless-safe, meaning agents using the Responses API no longer risk session-history corruption if the backing store is unavailable during a replay. And both OpenAI and Anthropic-family payloads get quarantine handling for unreadable or post-hook tool schemas — an important guard against poisoned session history when MCP or other tool sources return unexpected content shapes.
Agent and Gateway Recovery: Fewer Silent Failures
Recovery handling in 2026.6.8 is broad. The release patches over a dozen edge cases across account-scoped DM sends, generated media completions, auto-reply message-tool final replies, reset archive fallback reads, restart shutdown aborts, yielded subagent pauses, trusted subagent thinking override fallback, yielded cron media, heartbeat deduplication, session identity prompts, and unknown OpenAI agent selector rejection. Each fix addresses a class of silent or partial failures — cases where the agent thought it succeeded but the operator never received confirmation.
The restart and shutdown abort fixes deserve specific mention. Agents that use heavy cron pipelines or media generation workflows have historically been vulnerable to "orphaned work" — jobs started before a restart that never completed and never surfaced as errors. 2026.6.8 tightens those boundaries meaningfully.
Usage Reporting and the /usage Footer Get a Native Renderer
A new native full footer renderer lands in 2026.6.8 with a default template, fixed-decimal formatting, credential-aware limits, and better partial-count handling. The old behavior silently produced bad output when templates were broken; the new behavior warns instead. This matters for teams that surface token usage to end users or downstream dashboards — broken usage output in silent mode has caused real confusion in shared-agent deployments where billing transparency matters.
Stable CalVer Train: v2026.6.5 and v2026.6.6 Set the Foundation
This week's 2026.6.8 pre-release builds on a solid stable foundation. v2026.6.5, shipped June 9, was the first release under the new YYYY.M.PATCH CalVer scheme and delivered over 30 improvements including QQBot reasoning stripping, Matrix voice and thread handling, Anthropic extended-thinking recovery, MCP tool-result coercion, Parallel web search as a bundled provider, and auth profiles moved to SQLite. v2026.6.6, tagged shortly after, added gateway restart recovery after refresh failures, plugin convergence repair, Corepack fallback for PATH-less pnpm environments, and corrected Docker store package seeding.
The CalVer switch itself is worth acknowledging. Moving from a fast-incrementing patch counter to a year.month.patch scheme gives operators a much cleaner signal about the age and expected support horizon of any given version. It is a small documentation change that makes a big operational difference when you are triaging issues or deciding whether to pin a version in a long-running deployment.
🔒 Security Tip of the Day
Agent Phishing Is Real: Varonis Catches OpenClaw Leaking AWS Keys and CRM Exports
Security firm Varonis published research this week that every OpenClaw operator should read. Their team built an OpenClaw email agent named "Pinchy" connected to a Gmail inbox, browser tools, Google Workspace APIs, and a synthetic internal data set containing AWS credentials, database credentials, CRM exports, and calendar invites. They then ran four classic phishing simulations against it — and the results were sobering.
What happened in the attacks:
- Attack 1 — Credential request: An attacker impersonated a team lead claiming a production outage. The agent located and emailed AWS IAM keys, database credentials, and SSH details to an external Gmail account. Both "generic" and "strict" agent profiles failed.
- Attack 2 — CRM export: A fake remote-work scenario prompted the agent to retrieve and send a full CRM export with customer records, contract details, and revenue data. Again, both profiles failed.
- Attack 3 — Phishing link: The generic profile visited a phishing site and attempted to redeem a fake gift card using fabricated credentials. The strict profile blocked this attack immediately.
- Attack 4 — Malicious OAuth: The agent inspected the OAuth flow, identified the app as suspicious, and refused to grant access. A clear win for both profiles.
The core failure in attacks 1 and 2 was identity verification collapse under urgency. When a request appeared operationally urgent, the verification step broke down even with explicit phishing-awareness instructions in the system prompt. Gemini 3.1 Pro showed greater willingness to act; GPT-5.4 was more cautious.
Practical defenses for OpenClaw operators:
- Require verified sender identity before any outbound action involving credentials, customer data, or financial records — and make this a hard rule, not a soft preference.
- Prevent your agent from emailing new external recipients without explicit human approval. Use OpenClaw's exec approval flow or a dedicated outbound-send gatekeep skill.
- Limit your agent's data access to what it actually needs. An email triage agent does not need access to AWS credentials or CRM exports.
- For high-risk actions — credential sharing, financial queries, first-time external communications — require human-in-the-loop confirmation regardless of how the instruction arrived.
- Treat urgency as a red flag, not a permission slip. Social engineering works on AI agents the same way it works on humans — by collapsing deliberation under pressure.
Source: Bleeping Computer — OpenClaw AI agent found falling for phishing attacks, spills user data
⭐ Skill of the Day: github-pr-reviewer
🔧 github-pr-reviewer
What it does: Connects to your GitHub account, reviews open pull requests, and posts structured review comments flagging bugs, naming issues, logic gaps, and code quality concerns. The skill is fully configurable — you can set which repos it watches, what review depth to apply, and whether it posts automatically or queues drafts for human approval before publishing.
Why it's trending: According to a community survey published this week by Blink, github-pr-reviewer ranks third in daily active usage across ClaWHub's 52,700+ skill catalog, behind only web-search and memory-wiki. Solo developers and small teams are adopting it to get a consistent second pass on every PR before human review — especially valuable in fast-moving projects where code review bandwidth is scarce.
Security note: This skill requires a GitHub personal access token with repo scope. The skill stores this credential in your OpenClaw auth profile, not in the SKILL.md itself. Before installing, verify the current version on ClaWHub's VirusTotal-backed scan panel and review the SKILL.md for any outbound network calls beyond the GitHub API. We recommend scoping the token to specific repos rather than giving it full account access.
Install: npx clawhub@latest install github-pr-reviewer
Best for: Developers running active repos who want continuous code review without burning tokens on every commit. Pair it with a cron job that triggers on PR open events for fully automated review pipelines. The skill is one of the clearest examples in the ecosystem of a bounded, high-value agent workflow — it does one thing well and does not try to become your entire CI system.
👥 Community Highlights
The "Awesome OpenClaw" Ecosystem Is Now Its Own Signal
A GitHub repository maintained by rohitg00 — awesome-openclaw — surfaced prominently in community feeds this week as a reference point for real production setups. The highlighted entry is a production OpenClaw deployment running 20+ cron jobs for automated news aggregation, multi-model content creation, social monitoring, and n8n webhook integration, hosted on Oracle Cloud Free Tier. That is not a demo. That is a real pipeline, and the fact that someone is running it on free-tier infrastructure says something interesting about OpenClaw's operational efficiency when configured correctly.
The pattern matters: the community is increasingly sharing not just "what I built" but "how I run it." That shift from feature showcasing to operational storytelling is one of the clearest signs that a developer tool has crossed from early adopter territory into practical infrastructure. When people start sharing cron configs, billing notes, and failure stories, the community is maturing.
ClaWHub Passes 52,700 Tools, 180K Users
ClaWHub's public counters now read 52,700+ tools across skills and plugins, 180,000 users, and 12 million downloads. The pace of skill publishing has clearly not slowed despite the security scrutiny that came with VirusTotal integration. If anything, the presence of public scan results seems to be building trust that is driving more install activity, not less.
The community benchmark guide published by Blink this week — ranking 15 skills by actual daily usage — is a useful counterweight to raw catalog size. Most of those 52,700 tools see minimal use. The practical skill stack for most operators is still relatively small: a search skill, a memory skill, a PR reviewer or code-related skill, and maybe one domain-specific integration. That is healthy. A narrow, well-chosen set of trusted skills is almost always more reliable than a sprawling install that creates tool conflicts and permission surface area.
OpenClaw on Oracle Cloud: Free Tier Production Viability
A secondary community signal worth noting is the Oracle Cloud Free Tier hosting story. Oracle's always-free tier includes a generous ARM Ampere A1 instance with 4 OCPUs and 24 GB RAM — more than enough to run a full OpenClaw gateway with several persistent agent sessions. The community's embrace of this setup reflects a broader operator preference: self-hosted OpenClaw is increasingly viable on near-zero infrastructure cost, which lowers the barrier significantly for individuals and small teams who want the control of self-hosting without the overhead of a managed service.
🌐 Ecosystem News
Microsoft Launches Scout on the Open-Source OpenClaw Runtime at Build 2026
The biggest ecosystem signal of the week: at Microsoft Build 2026, Microsoft launched Scout — its flagship enterprise AI agent — built on the open-source OpenClaw runtime. The New Stack reported it plainly: "Microsoft just made the agent runtime free — and kept everything around it." The strategic move is deliberately structured: OpenClaw itself is open-source and free; Microsoft monetizes the control plane, policy layer, compliance tooling, and enterprise integrations that sit around it.
This is a significant bet on OpenClaw's long-term viability as infrastructure. When a company the size of Microsoft ships a flagship product built on top of an open-source runtime, it does two things: it validates the runtime's technical quality at scale, and it creates an enormous incentive to keep the runtime healthy and well-maintained. OpenClaw operators benefit from that tailwind even if they never touch Microsoft's enterprise layer.
"Microsoft launching a flagship agent on the open-source OpenClaw runtime and reframing the agent runtime as free while monetizing the control plane is a notable strategy shift in AI agent tooling." — Let's Data Science
It also accelerates the platform battle. Google and Meta are now both accelerating their own agent infrastructure plays in response — Google with a rebuilt alternative approach, Meta with a consumer-focused agent surface. The direction is becoming unmistakable: the next primary interface to computing is going to be agent-mediated, not chat-box-mediated, and the companies that once feared that future are now racing to shape it.
Microsoft building Scout on OpenClaw is the single most important validation event in OpenClaw's history. It is not just endorsement — it is alignment of incentives. Microsoft now has skin in the game of keeping OpenClaw's core runtime stable, performant, and secure. For operators making decisions about long-term agent infrastructure, this substantially reduces the "platform risk" argument against OpenClaw. That said, Microsoft's enterprise wrapper will inevitably drift from the open-source core in ways that matter for compliance-heavy deployments. Know which layer you are actually running.
The Phishing Research Signal: AI Agents Need a Zero-Trust Posture
The Varonis research is not just a cautionary tale about email agents. It is a structural argument about how AI agents should be architected for security in 2026 and beyond. The researchers found that agents are actually good at some threat detection: recognizing suspicious URLs, identifying fake login pages, spotting malicious OAuth apps. The failures were not about raw model capability — they were about the gap between instruction-following and genuine identity verification.
That gap cannot be closed by writing better system prompts. It requires architectural controls: mandatory sender verification workflows, hard limits on first-contact external sends, data-access minimization, and human approval requirements for any action with irreversible consequences. The language of "zero trust" was built for network security, but the same principles apply directly to agent security. Every inbound message is untrusted. Every outbound action requires justification. No exceptions for urgency.
OpenClaw's exec approval system, tool policy controls, and configurable outbound send restrictions give operators the primitives to build this posture. But those primitives require deliberate configuration. They are not on by default, and urgency-framed social engineering will bypass a misconfigured agent the same way it bypasses a human employee who skips the verification step because "the CTO needs it now."
The 2026.6.x Pace: Fastest Release Train in OpenClaw History
Looking at the June 2026 release cadence as a whole — 2026.6.5 on June 9, 2026.6.6 shortly after, 2026.6.8 pre-release on June 13 — it is clear the project has moved into a phase of sustained, high-quality iteration. The CalVer switch provides clarity on version age. The pre-release tagging on 2026.6.8 gives early adopters a clearly-labeled channel. And the thematic coherence of the releases — channels, providers, recovery, and auth — suggests deliberate quarterly planning rather than reactive patching.
For operators who have been sitting on older 2026.5.x versions, the migration path to the 2026.6.x train looks well-supported. The stable 2026.6.5 baseline is solid, the incremental fixes in 2026.6.6 and 2026.6.8 are targeted, and the CalVer scheme gives you clear signals about what you are running. If you have been waiting for a calm moment to upgrade, this looks like it.
The week in summary: OpenClaw ships meaningful infrastructure improvements, the security research community publishes the clearest evidence yet that agent phishing is a real operational threat, and Microsoft's Scout launch cements OpenClaw's position as the dominant open-source agent runtime. These three things are connected. The more broadly OpenClaw is deployed in production, the higher the stakes of getting security posture right — and the more important it is that the runtime itself continues to mature. This week moves all three needles in the right direction.
Need help with OpenClaw deployment?
SEN-X provides enterprise OpenClaw consulting — architecture, security hardening, custom skill development, and ongoing support.
Contact SEN-X →