OpenClaw 2026.6.10-alpha.2: Richer Messaging, Sharper Recovery & the Phishing Agent Problem
OpenClaw pushes a new pre-release loaded with deep Telegram and WhatsApp improvements, sweeping provider coverage expansions including GLM-5.2 and Claude Haiku 4.5, and critical memory and session hygiene fixes. Meanwhile, a Varonis phishing study delivers a sobering wake-up call: your AI email agent can be socially engineered with the same tricks that fool humans. We break it all down — the features, the threat, and what you should do right now.
🦞 OpenClaw Updates
v2026.6.10-alpha.2: Channels Get Dramatically Better
OpenClaw's latest pre-release, v2026.6.10-alpha.2, dropped in the early hours of June 16th — and if messaging channels are your primary interface with your agent, this one deserves your full attention. The headline changes aren't about new AI model support or experimental features; they're about making the communications layer you already rely on significantly more robust, expressive, and recoverable.
The Telegram overhaul is the most substantial channel improvement in recent memory. Structured rich text is now fully supported, including tables, ordered and unordered lists, expandable blockquotes, and preserved intentional line breaks. For users who get agent output delivered directly to Telegram, that means the difference between a wall of unformatted text and properly structured summaries, lists, and reports. The delivery layer has also been tightened: prompt-preserving CLI backend delivery, retired native draft migration, and safer rich-media boundary handling all reduce the edge cases where Telegram delivery would silently fail or produce garbled output.
WhatsApp hasn't been forgotten. The update now properly honors configured ACP (Agent Control Plane) bindings for WhatsApp delivery — which means agents running under specific ACP configurations can deliver reliably to WhatsApp without the binding being silently dropped mid-session.
"Telegram and WhatsApp channel delivery are richer and less brittle." — OpenClaw v2026.6.10-alpha.2 release notes
Provider Coverage Gets a Major Expansion
June has been a big month for model provider support in OpenClaw. The v2026.6.10-alpha.2 release formalizes several additions that have been landing across recent patches:
GLM-5.2 support: Zhipu AI's latest model generation is now a first-class catalog entry. GLM-5.2 is the reasoning-capable flagship in the GLM series and significantly outperforms prior versions on complex instruction-following tasks. For operators running OpenClaw outside the US/EU model bubble, having GLM available via native catalog rows means cleaner configuration and better reliability than shimming it through a compatibility layer.
Claude Haiku 4.5: Anthropic's latest compact model is now properly cataloged. Haiku 4.5 is particularly interesting for cron-driven and heartbeat use cases where you want fast, cheap inference without reaching for a full-capability model. The prior implicit support had edge cases in tool-streaming safety that this update resolves.
OpenRouter and Google Vertex provider-prefix normalization: A long-standing pain point for multi-provider setups is now fixed. Model identifiers passed through OpenRouter or Vertex were being inconsistently normalized, causing silent routing mismatches when model strings contained provider prefixes. Both paths are now cleaned up.
LM Studio binary thinking-off delivery: Users running local inference through LM Studio now have explicit support for disabling thinking output at the delivery layer, preventing raw chain-of-thought from leaking into responses on models that expose internal reasoning.
The GLM-5.2 and Claude Haiku 4.5 catalog additions aren't just bookkeeping. They reflect a real shift in how OpenClaw is positioning itself globally. Serious model coverage — including Chinese model families, local inference through LM Studio and Ollama, and every major cloud provider — means OpenClaw is genuinely becoming the single agent runtime to rule them all. That's an ambitious play, and provider normalization bugs are exactly the kind of detail that determines whether the ambition lands in production.
Agent and Gateway Recovery: The Boring Stuff That Actually Matters
Alongside the headline channel and provider work, v2026.6.10-alpha.2 ships a comprehensive set of agent and Gateway recovery fixes that collectively add up to a more resilient runtime. These are easy to skip in release notes — they're not glamorous — but they're exactly what distinguishes a reliable personal agent from an unreliable one.
Key recovery improvements include: account-scoped DM sends, generated media completions, auto-reply message-tool final replies, reset archive fallback reads, restart shutdown aborts, yielded subagent pauses, trusted subagent thinking override fallback, yielded cron media delivery, heartbeat duplicate suppression, session identity prompts, and rejection of unknown OpenAI agent selector configurations.
What does that list actually mean in practice? It means that OpenClaw now handles a much wider range of "things going slightly wrong mid-operation" without requiring manual intervention. Shutdown during an active restart no longer silently aborts work. Subagents that yield properly pass thinking overrides. Cron jobs that generate media deliver it correctly when the cron fires. These are all scenarios that experienced OpenClaw operators have hit and worked around — now they're handled by the runtime itself.
Memory, State, and Diagnostic Fixes
The memory and state layer got meaningful hygiene attention in this release. Oversized OpenAI embedding batches now automatically split before triggering HTTP 431 errors — a previously annoying failure mode for operators with large memory corpora. QMD memory search now stays available in transient mode. SQLite avoids WAL (Write-Ahead Logging) on NFS state volumes, which should resolve the mysterious file-locking failures some network-attached-storage users have been reporting.
The /usage command and reply payload hooks now have a native full footer renderer with a default template, fixed-decimal formatting, credential-aware limits, and better partial-count handling. Broken templates now warn instead of silently producing bad output. These changes make cost visibility practical rather than aspirational — and they reduce the operational surprise of hitting unexpected spend when models charge per-token at varying rates.
UI and Mobile: The WebChat and iOS Fixes
A cluster of mobile and UI fixes rounds out the release. WebChat backscroll now survives streaming sessions, which fixes the annoying behavior where actively streaming responses would cause the chat pane to jump. The sidebar session picker remains interactive above the desktop workbench. Workspace files can now collapse and start collapsed — useful for operators with large workspace configurations who were previously forced to scroll past everything at session start. iOS now reconnects stale foreground gateways correctly, fixing a recurring issue where iOS users would find their agent apparently unresponsive after the app returned from background.
🔒 Security Tip of the Day: Your Email Agent Is a Phishing Target
Varonis Proves AI Agents Fail Classic Phishing — Here's What to Lock Down
A new Varonis Threat Labs study on OpenClaw email agents should be required reading for anyone who has granted their agent access to an inbox. Researchers created an OpenClaw agent named "Pinchy," connected it to Gmail, browser tools, Google Workspace APIs, and synthetic enterprise data (AWS credentials, database passwords, CRM exports), and ran four simulated phishing attacks against it.
The results were sobering:
- Attack 1 — Impersonation for credential access: An attacker posing as a team lead requested access to the staging environment during a fake production incident. Pinchy located and emailed AWS IAM keys, database credentials, and SSH details to an external account. Both generic and strict profiles failed.
- Attack 2 — CRM data extraction: A request for a customer export under a remote-work pretext succeeded in both profiles. The agent sent CRM data without verifying the sender's identity.
- Attack 3 — Gift card phishing link: The strict configuration blocked this immediately. Generic configuration visited the phishing site before eventually identifying it as malicious.
- Attack 4 — Malicious OAuth app: Both profiles correctly identified the fake timesheet OAuth application as suspicious and refused to grant access.
The research identified three core failure modes: lack of sender identity verification, loss of context under urgency, and inability to apply zero-trust principles to social interactions.
Immediate actions to take:
- Enable exec approvals for high-risk actions. Credential sharing, external emails to new recipients, and data exports should all require human approval before the agent acts.
- Scope your agent's data access narrowly. If your email agent doesn't need access to your AWS credentials or CRM, remove those connections. Principle of least privilege applies here exactly as it does to human accounts.
- Explicitly deny emailing new external recipients. Varonis recommends this directly — your agent should never be able to forward sensitive data to an address it hasn't seen before without explicit approval.
- Add identity verification instructions to your system prompt. Instruct your agent to verify the identity of anyone making urgent operational requests via a second channel (Slack, phone) before acting.
- Keep OpenClaw updated. v2026.6.6 added default denial for security approval timeouts — an important layer that reduces the blast radius when an agent is fooled.
At the model level, Varonis found that Gemini showed greater willingness to interact with suspicious requests, while GPT-5.4 had a more cautious posture. Neither was immune. The lesson isn't to pick a different model — it's to architect your agent so that the model's judgment isn't the only defense between an attacker and your data.
⭐ Skill of the Day: awesome-openclaw Community Pipeline
🔧 awesome-openclaw Community Setup: AI-Powered Daily Digest
What it does: The awesome-openclaw repository maintains a curated list of skills, configurations, and community workflows — and this week a particularly interesting entry appeared at the top: a production OpenClaw setup with 20+ cron jobs for automated news aggregation, multi-model content creation, social monitoring, and n8n webhook integration, hosted on Oracle Cloud Free Tier. It's an impressive demonstration of what OpenClaw can do as autonomous background infrastructure.
Why it's worth your time: The setup demonstrates several patterns that many OpenClaw users want but haven't figured out how to compose: parallel cron job pipelines that don't step on each other, multi-model routing for different task types (fast + cheap for aggregation, capable for synthesis), and outbound webhook integration for n8n-style workflow orchestration. It's essentially a working reference architecture for "OpenClaw as a personal AI newsroom."
Safety note: This is a configuration pattern, not a single installable skill. Before replicating any cron job or webhook integration from community examples, review each script for outbound network calls, external service credentials, and permission scopes. The awesome-openclaw list itself is community-maintained — treat it as inspiration with peer review, not as a vetted package registry.
Source: github.com/rohitg00/awesome-openclaw (published 4 days ago, actively maintained)
Best use case: Operators who want to evolve their OpenClaw setup from "chat assistant" to "autonomous background intelligence" — doing work while you sleep, surfacing what matters, and delivering reports to your preferred channels on schedule.
👥 Community Highlights
v2026.6.5 Is Still the Benchmark for Stable
Despite the flurry of pre-release activity around v2026.6.10-alpha.2, the community conversation on Reddit and Discord keeps returning to v2026.6.5 as the current production-safe baseline. Released June 9th, v2026.6.5 included over 30 improvements and fixes focusing on session recovery, stable sessions, smarter tools, and safer configurations. The beta train (v2026.6.5-beta.6) added MCP tool result coercion, QQBot reasoning stripping, and Parallel web search support.
The community's collective wisdom seems to be: run v2026.6.5 stable for production workloads, run v2026.6.6 if you need the security timeout denial changes, and track the alpha train only if you need specific channel or provider features that haven't reached stable yet. That's a sensible three-tier approach.
The v2026.6.6 Security Defaults Are Becoming the New Minimum
OpenClaw v2026.6.6, released last week, made "default denial for security approval timeouts" the new baseline behavior. That single change is generating substantial discussion. Previously, when a security approval prompt timed out — the user didn't respond in time — the agent would typically default to allowing the action. v2026.6.6 reverses that: timeout equals deny.
The community reaction has been overwhelmingly positive, but with an important nuance: a few operators who built workflows that relied on the implicit "allow on timeout" behavior found their automation breaking silently. The lesson is that security defaults are infrastructure changes, and it's worth auditing your approval-gated flows after any update that touches approval timeout behavior.
Microsoft Scout on OpenClaw: The Agent Runtime Becomes Free Infrastructure
The broader ecosystem context this week is dominated by a signal from Microsoft Build 2026: Microsoft launched Scout on open-source OpenClaw, cementing the idea that the agent runtime itself is now free and open, and the control plane — governance, compliance, enterprise integration — is where the business is.
This is a significant moment for the OpenClaw project. Having Microsoft build a major enterprise product on top of it is validation at the highest level. It also changes the competitive dynamics: OpenClaw is no longer just a hacker-friendly personal assistant framework competing with Langchain and AutoGPT. It's foundational infrastructure for enterprise agent deployments. The fact that the runtime is open-source and free is now a feature, not an accident.
🌐 Ecosystem News
Akamai's Agentic Security Framework: Zero Trust Comes for AI Agents
On June 15th, Akamai announced a unified agentic security framework specifically designed for AI-driven interactions and commerce. The timing is not coincidental — it arrives directly in the wake of multiple phishing and data exposure studies targeting AI agents, including the Varonis work covered above. Akamai's framework focuses on identity, intent, and trust verification for every agent-initiated request: exactly the verification layer that the Varonis research showed was missing from standard OpenClaw email agent configurations.
For OpenClaw operators, Akamai's framework represents a potential enterprise-grade overlay: if you're running OpenClaw in a context where agents are initiating financial transactions, accessing sensitive APIs, or communicating externally on behalf of users, layering a dedicated identity and trust verification plane on top makes sense. The DIY version is exec approvals and strict prompt policies; Akamai is betting organizations will pay for a managed version of that same posture.
IT Business Today: AI Agents Are Making Security Teams Nervous — and That's Appropriate
A piece published today in IT Business Today captured the current enterprise mood on AI agents succinctly: "Organizations will need permission controls, isolated execution environments, continuous monitoring, and detailed audit trails that show exactly what an AI agent did and why it did it." That's not a hypothetical future need — it's what mature OpenClaw operators are already building, manually, right now.
The gap between "here's how to install OpenClaw" and "here's how to run OpenClaw in a way your security team would sign off on" remains large. That gap is where SEN-X does its best work — and it's also where most of the interesting product development in the ecosystem is heading.
This week's news forms a coherent pattern. OpenClaw is adding better channel delivery and richer provider support (more surface area, more capability). At the same time, the security research is showing that more capable agents with email, credential, and data access are meaningfully exploitable by social engineering. The answer isn't to make agents less capable — it's to make the trust and approval architecture match the capability level. That means exec approvals on sensitive actions, narrow data scoping, sender verification instructions in your system prompt, and staying current on security-focused releases like v2026.6.6. The agents are getting smarter. The attacks are too. The governance layer needs to keep pace with both.
Need help with OpenClaw deployment?
SEN-X provides enterprise OpenClaw consulting — architecture, security hardening, custom skill development, and ongoing support.
Contact SEN-X →