OpenClaw 2026.6.9 Approaches Stable: Telegram Gets Richer, Codex Gets Smarter, Provider Plugins Go First-Class, and Slack's Token Leak Gets Closed
OpenClaw 2026.6.9 beta is in the polish phase before stable lands: richer Telegram HTML output, a stronger Codex integration with GPT-5.3 Spark OAuth routing, standalone official npm provider plugins, iOS Watch controls for agent orchestration, sweeping recovery improvements, and a full client refresh on web and mobile. Meanwhile, a Slack auth token body leak just got quietly patched, a new agentic commerce skill landed on ClawHub, and a competitor finally emerged to challenge OpenClaw's position.
🦞 OpenClaw Updates
v2026.6.9 Beta: Five Themes That Define This Release
OpenClaw published v2026.6.9-beta.1 on June 19, and it is a broad, multi-surface release that touches Telegram delivery, agent recovery, Codex, provider packaging, and native clients all in the same drop. That breadth is intentional: 2026.6.9 is effectively the polish pass before stable arrives, and the team is pushing fixes and improvements across every layer simultaneously to avoid another rough-patch situation after graduation.
Here are the five themes worth understanding before deciding whether to update:
1. Telegram Delivery Finally Feels Native
Telegram has long been an awkward middle child in OpenClaw's channel lineup — technically supported, but often delivering mangled output: stripped markdown, broken sticker paths, progress drafts arriving as raw text, mentions routed incorrectly. That changes in 2026.6.9.
The release ships richer HTML delivery for Telegram, with faithful markdown and sticker path preservation, progress drafts rendered correctly, command output formatted for Telegram's layout, and mentions plus spooled handlers kept on the correct delivery path. Seven separate PRs touched the Telegram stack in this release, contributed by community members across multiple time zones. That level of coordination signals that Telegram is becoming a first-class surface rather than a bolt-on.
Why does this matter operationally? Telegram is widely used as an agent control surface by power users who want the flexibility of mobile access without committing to a custom UI. When progress output and mentions arrive garbled, the feedback loop between operator and agent breaks down. Cleaner delivery means operators can actually monitor and intervene in long-running agentic tasks from their phones without squinting at malformed text.
"Telegram now sends richer HTML, preserves rich markdown and sticker paths, renders progress drafts and command output more faithfully, and keeps mentions and spooled handlers on the right delivery path." — OpenClaw 2026.6.9 release notes
2. Agent Recovery Gets More Dependable
The second headline is recovery. OpenClaw agents run long enough that hitting an interruption is not exceptional — it is expected. Provider errors, context compaction boundaries, transport hiccups, channel-specific reply issues: all of these can strand a turn in a half-finished state that is confusing for operators and users alike.
This release addresses retries, terminal outcomes, usage tracking after compaction, session history repair, and reply reconciliation, with the stated goal of keeping more interrupted or partial turns moving toward a visible final result. Six PRs cover recovery mechanics, drawing contributions from both core team members and community contributors who have clearly been filing issues about stuck turns for a while.
The compaction-usage fix deserves a specific callout. When OpenClaw compacts a session's context window to manage token limits, there was previously a gap where usage accounting could fall out of sync with what actually ran. That is the kind of subtle bug that is hard to notice until you're staring at a confusing usage report days later. It is the right kind of boring fix to include in a pre-stable cleanup pass.
3. Codex Gets Automatic Plugin Approvals and GPT-5.3 Spark OAuth
Codex integration has been a recurring focus across the June release train, and 2026.6.9 continues that thread. Codex now supports automatic plugin approvals — reducing the friction of adding new capabilities to a Codex session without manual intervention — alongside GPT-5.3 Spark OAuth routing, more reliable app-server teardown, and stronger terminal outcome handling.
The GPT-5.3 Spark OAuth routing is particularly worth noting. As OpenAI continues to ship model variants at pace, having clean OAuth-based routing ensures Codex can authenticate into new endpoints without requiring config gymnastics. Combined with automatic plugin approvals, this release makes Codex feel more like integrated infrastructure and less like a plugin that needs constant coddling.
Remote-node exec also becomes a dynamic tool in this release, meaning Codex can now invoke execution on remote nodes without needing that capability statically configured in advance. That expands Codex's reach considerably for distributed setups.
4. Provider Plugins Become First-Class npm Releases
This may be the most architecturally significant change in the release: external provider packages are now first-class npm releases, and externally installed channel plugins load at Gateway startup. StepFun, as a specific callout in the release notes, is intentionally npm-only because its ClawHub package name is unavailable — a clear signal that the team expects more providers to follow this pattern.
The shift matters because it decouples provider lifecycle from core OpenClaw releases. Previously, adding or updating a provider meant waiting for a core release train that included the provider changes. Now, providers can ship, patch, and version independently as npm packages. That is a fundamentally better architecture for a platform that is trying to support an expanding catalog of AI providers without coupling every provider's release cadence to the core.
For operators running self-hosted deployments, this means you can update a provider plugin without touching your core installation — and that individual providers can ship security patches faster than the full release cycle allows.
The provider-as-npm-package move is the right call and was clearly overdue. It is the same pattern that made VS Code's extension marketplace work: decouple lifecycle, enable independent versioning, reduce core bloat. The tradeoff is that operators now need to think about plugin package management as a separate concern — but that is a fair price for a more maintainable system. If you're running a production deployment, start building your provider plugin update process now before it becomes a fire drill.
5. Web and Native Clients Get a Polish Pass
The Control UI adds a session workspace rail and extension health indicators in this release. iOS gains Watch controls, which means you can manage agent sessions and approve actions directly from an Apple Watch — a surprisingly practical addition for operators who want oversight without constantly pulling out their phone. Android gains chat context display improvements.
The Watch integration in particular deserves a moment of appreciation. OpenClaw started as a terminal-first, hacker-friendly tool. The fact that it now has a coherent Apple Watch approval flow signals genuine mainstream ambition — and it is the kind of UX investment that does not happen unless the project has moved well beyond its early-adopter phase.
The Bigger Pattern: 2026.6.9 Is Infrastructure-Grade Cleanup
Taken together, the five themes above tell the same story: OpenClaw is hardening infrastructure that operators depend on. Telegram delivery is being made reliable enough to use as a primary control surface. Recovery is being made dependable enough to trust with long-running tasks. Codex is being integrated cleanly enough to treat as a first-class runtime component. Provider plugins are being decoupled enough to manage independently. Clients are being polished enough to use without embarrassment.
None of this is flashy. All of it matters. This is what a platform looks like when it starts treating operational reliability as a competitive advantage.
🔒 Security Tip of the Day
Understand Credential Paths: The Slack Token Body Leak Explained
A quietly important security fix landed this week: PR #94574 corrected a Slack provider issue where the bot token was being passed in both the Authorization header and the request body when calling Slack's /api/auth.test endpoint.
The token was already correct in the Authorization header — that is the right place for it. Sending it also in the body widened the attack surface unnecessarily. Anywhere that request bodies get logged, inspected, proxied, or cached becomes a potential credential exposure point. The fix removes the redundant body argument while keeping Slack Socket Mode startup intact.
Why operators should care: Slack bots attached to OpenClaw often hold high-trust workspace credentials. The bot token you configure grants read/write access to messages, channels, and potentially files. Any unnecessary duplication of that token is a risk multiplier, especially in setups where you run verbose HTTP logs during debugging.
The broader lesson: Credentials should travel through exactly one channel — the appropriate authorization mechanism for the protocol in question. If you are reviewing your own OpenClaw configuration or a custom plugin, audit every place your API keys and tokens are passed. Ask: is this token present in both the header and the body? In both an env var and a config file? In both a request and a log? Each redundancy is an additional exposure surface.
- Audit your HTTP debug logs — make sure they do not capture full request bodies containing credentials.
- Use token rotation schedules for long-lived Slack bots — even if a token leaks, it should have a limited lifespan.
- Update to a version that includes PR #94574 — this fix should be present in the 2026.6.9 stable train when it graduates.
- Scope bot tokens narrowly — use the minimum required Slack OAuth scopes for your OpenClaw use case. More access means more blast radius if credentials do leak.
Bottom line: This was a clean, well-described fix with proof included in the PR. OpenClaw Chronicles has confirmed the change closes a real credential hygiene gap. The right response is to acknowledge it, update when stable lands, and use it as a prompt to audit your other channel provider credential configurations.
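The header-and-body question from the audit checklist above can be checked mechanically. The following is an added example, not code from OpenClaw or from PR #94574: it inspects a captured outbound request for a bearer token repeated outside the Authorization header and produces a log-safe copy. The function names, the `token` body field name, and the placeholder token are assumptions made for illustration.

```javascript
// Added example, not OpenClaw code.
const TOKEN = "xoxb-EXAMPLE-NOT-A-REAL-TOKEN"; // constructed placeholder

// Extract the secret from an "Authorization: Bearer <token>" header, if present.
function bearerToken(headers) {
  const name = Object.keys(headers).find((k) => k.toLowerCase() === "authorization");
  const match = name ? /^Bearer\s+(\S+)$/i.exec(String(headers[name]).trim()) : null;
  return match ? match[1] : null;
}

// Flatten a JSON or form-encoded body into [field, value] pairs.
function bodyFields(body) {
  if (typeof body !== "string" || body === "") return [];
  try {
    const parsed = JSON.parse(body);
    if (parsed && typeof parsed === "object")
      return Object.entries(parsed).map(([k, v]) => [k, JSON.stringify(v)]);
  } catch {
    // Not JSON: fall through and decode as application/x-www-form-urlencoded.
  }
  return [...new URLSearchParams(body).entries()];
}

// List every place outside the Authorization header that repeats the token.
function auditRequest(req) {
  const token = bearerToken(req.headers || {});
  if (!token) return [];
  const findings = [];
  for (const [field, value] of bodyFields(req.body)) {
    if (value.includes(token)) findings.push(`body field "${field}"`);
  }
  for (const [field, value] of new URL(req.url).searchParams) {
    if (value.includes(token)) findings.push(`query parameter "${field}"`);
  }
  return findings;
}

// Copy of the request with the token masked everywhere, for debug logging.
function redactForLog(req) {
  const token = bearerToken(req.headers || {});
  const mask = (s) => (token && typeof s === "string" ? s.split(token).join("[REDACTED]") : s);
  const headers = {};
  for (const [k, v] of Object.entries(req.headers || {})) headers[k] = mask(String(v));
  return { url: mask(req.url), headers, body: mask(req.body) };
}

// Constructed requests: the duplicated-credential shape, then the header-only shape.
const duplicated = {
  url: "https://slack.com/api/auth.test",
  headers: { Authorization: `Bearer ${TOKEN}` },
  body: `token=${TOKEN}`, // field name "token" is an assumption for illustration
};
const headerOnly = { ...duplicated, body: "" };
console.log(auditRequest(duplicated), auditRequest(headerOnly), redactForLog(duplicated));
```

Running `auditRequest` over requests captured in a test harness, and routing debug output through `redactForLog`, covers both the duplication check and the log-capture check from the list.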
⭐ Skill of the Day: via-commerce
🛒 via-commerce — Agentic Commerce on the VIA Network
What it does: via-commerce is a new ClawHub skill that connects your OpenClaw agent to the VIA commerce network for agentic buying, selling, and procurement workflows. The skill lets agents discover products and sellers, submit buyer briefs to get genuine marketplace matches, find live buyer demand, and register stores — all over MCP.
Who it's for: Operators building procurement automation, small businesses wanting agent-driven sourcing, or sellers who want to expose their catalog to agent-driven buyers. The skill covers both sides of the marketplace: buying intent matched to sellers, and seller inventory matched to buyer demand signals.
What makes it interesting: Most ClawHub skills add productivity utilities — summarization, document generation, calendar management. VIA Commerce is something different: it gives an OpenClaw agent genuine agency in a commercial marketplace. The settlement mechanism is USDC on Base, making it native to crypto-native commerce flows.
Source: Published as via-commerce v1.0.0 on ClawHub. Newly listed this week. As always: read the skill's SKILL.md carefully before deploying in any context with real purchasing authority, and verify the current VirusTotal scan status before install. This is a v1.0.0 release — give it a week to accumulate community usage data before using it in production.
Install: npx clawhub@latest install via-commerce
The SEN-X view: Agentic commerce is the next frontier for OpenClaw. Skills like this are early experiments in what it means for an agent to act on your behalf in economic contexts — not just fetch information, but actually transact. That is exciting and should be approached with explicit scope limits. If you deploy this, make sure the agent's authority in the marketplace is clearly bounded and monitored.
👥 Community Highlights
The Competitor Signal: Hermes from Nous Research Is Catching Up
The most significant community-level story this week is not from OpenClaw itself — it is about OpenClaw's market position. The Information reported that Hermes, an agent framework from Nous Research, has recently eclipsed OpenClaw by some measures, and that competitors are "catching up" to OpenClaw's lead.
This is worth taking seriously, not dismissing. OpenClaw's lead in the personal agent space has been significant, but it has not been unassailable. The project has had rough weeks, a messy plugin transition, and — until recently — limited official support for enterprise governance requirements. Any capable framework that ships cleaner packaging, better documentation, or more predictable stability has a real shot at peeling off users.
The important context is that this kind of competitive pressure is genuinely healthy for OpenClaw. The project has spent the last several months making the runtime more disciplined, more operator-friendly, and more governed. That work is clearly being done with an eye on what a more sophisticated competitor would look like. If Hermes or another entrant makes operators ask harder questions about OpenClaw's guarantees, the result is a better OpenClaw.
"After the success of OpenClaw, an open-source AI agent software that took the tech world by storm earlier this year, it's no surprise that copycats are popping up. And some of these copycats are catching up to OpenClaw, by some measures." — The Information
Microsoft Scout and the Enterprise Certification Track
The InfoQ report on Microsoft Scout — the enterprise autopilot built on OpenClaw, announced at Build 2026 — continues to generate community discussion this week. The point that keeps coming up is not just that Scout exists, but that Microsoft chose to build on OpenClaw's runtime rather than developing a proprietary agent substrate from scratch.
That is a meaningful institutional vote of confidence. When a company Microsoft's size builds on your runtime and certifies it for enterprise use, it creates a floor of legitimacy that smaller projects cannot easily replicate. Community members are noting that Scout's certification standards — the audit trails, the permission models, the agent identity requirements — are gradually influencing what OpenClaw ships natively.
ClawHub's Sessions-Compact CLI Command Lands
A smaller but practically useful community note: OpenClaw added a Sessions Compact CLI command this week. For operators managing long-running sessions that accumulate large context windows, the ability to compact from the command line without going through the UI is a meaningful quality-of-life improvement. It also makes session hygiene more scriptable, which matters for teams that want to automate cleanup as part of their operational runbooks.
🌐 Ecosystem News
ClawRouter: Credential-Scoped Model Routing Is Now Mainstream
The ClawRouter managed proxy integration that landed earlier this week continues to generate discussion in operator circles. To summarize for readers who missed the initial announcement: PR #93832 added a bundled clawrouter provider that lets operators route model traffic through ClawRouter's credential-scoped live catalog while preserving native OpenAI, Anthropic, and Gemini request semantics.
The practical benefit is fleet-level model management. Instead of each node resolving its own API credentials against multiple providers, ClawRouter acts as a single managed endpoint that handles credential scoping, stable catalog model IDs, and request-boundary rewriting. For teams running OpenClaw across multiple machines, accounts, or environments — the kind of deployment that enterprise teams increasingly want — this is the infrastructure piece that was missing.
The credential scope mechanics in the PR are explicit about the security surface: CLAWROUTER_API_KEY routes model discovery and dispatch through a managed credential. If your OpenClaw deployment has compliance or auditability requirements around AI model access, this is the right layer to instrument.
Google DeepMind Publishes AI Agent Security Research
Google DeepMind published a significant post on June 18 titled "Securing internal systems against increasingly capable and imperfectly aligned AI." The research is directly relevant to OpenClaw operators because it addresses the same threat model that OpenClaw's own security hardening work has been responding to: agents that can be manipulated via external inputs, privileged operations that need tighter authorization, and audit requirements for systems where AI actions have real consequences.
The timing is notable. OpenClaw's Codex execution policy hardening, the Slack token body fix, and the ongoing session governance improvements are all responses to the same class of problem that DeepMind is publishing research on. The research community is converging on the same threat model that production agent operators have been grappling with in practice.
June 20 lands with OpenClaw in a strong but genuinely contested position. The 2026.6.9 release demonstrates that the core team is executing on the "smaller, safer, infrastructure-grade" mandate. The competitor emergence from Nous Research is a real signal — not a crisis, but a reason to take OpenClaw's governance and reliability work seriously rather than treating it as optional polish. The Slack token body fix is exactly the kind of unglamorous credential hygiene fix that separates production-grade software from hobby projects. And ClawRouter's managed proxy model is becoming the standard pattern for fleet-level agent deployments. The platform is growing up. The operators who grow with it are in the best position.