OpenClaw 2026.6.11: Channel Control, Safer Plugins, and the Hermes Rivalry Heats Up
OpenClaw drops its broadest June release yet, bringing serious channel operator upgrades, externalized plugin distribution, stronger Codex integration, and a new wave of agent reliability fixes. Meanwhile, Palo Alto Unit 42 publishes a landmark skill supply-chain threat report, a competitor to OpenClaw emerges from Nous Research, and Microsoft cements agentic AI as its core platform bet.
OpenClaw Updates
v2026.6.11: The Channel Operator Release
OpenClaw shipped v2026.6.11 late Tuesday, and the changelog reads like a wish list drawn up by power users who run agents across Slack, Mattermost, Telegram, and WhatsApp simultaneously. This is the kind of release that may not generate viral screenshots, but will quietly fix a lot of real-world friction for teams running OpenClaw at scale.
The five headline themes from the release are worth unpacking individually, because they tell a coherent story about where the project is heading.
More Capable Channel Control
Slack relay mode, native Mattermost /oc_queue, and per-DM model overrides are the leading channel improvements. The Slack relay mode is especially useful for teams where the bot cannot receive direct events: it allows OpenClaw to poll and relay intelligently rather than failing silently. The Mattermost /oc_queue slash command brings native queuing to Mattermost instances, which previously relied on workarounds. Per-DM model overrides let operators give different users in direct messages different model configurations without touching global settings. That is a real capability gap finally closed for anyone running mixed-tier deployments.
These PRs were contributed by community members @sjf-oa, @amknight, @xydigit-zt, @thomaszta, and @gandalf-at-lerian, a reminder that OpenClaw's community contribution model continues to punch well above what most open-source projects achieve in this space.
Richer Operator Workflows via File-Driven Wake
The addition of openclaw agent --message-file and the RAFT CLI wake bridge (PR #93351 and #95497) deserves special attention from operators building automated pipelines. Previously, injecting messages into an OpenClaw agent from an external script required more ceremony than it should. --message-file accepts a path to a file whose contents become the agent's next message. That is exactly the pattern you need when integrating OpenClaw with CI/CD pipelines, webhook processors, or batch jobs that generate output and then need the agent to act on it. The RAFT wake bridge adds a complementary remote wake-up path for distributed deployments. Together, these turn OpenClaw into something much more composable.
The --message-file flag is a small addition with large consequences. It means OpenClaw agents can now be woken and fed inputs by any process that can write a file, which is essentially everything. That is a clean, UNIX-philosophic design choice that makes OpenClaw easier to integrate without adding complexity to the core. We expect this to become a load-bearing primitive for production pipelines.
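Because any process that can write the file can steer the agent, the file's ownership and permissions become part of the trust boundary. The following is an added example, not OpenClaw code: a pipeline-side helper that creates the message file privately and refuses to hand over a file other users could have modified. The helper names, the `oc-msg-` prefix and the size cap are assumptions; only the `openclaw agent --message-file` form comes from the release notes, and any other arguments your deployment needs are not shown.

```python
import os
import stat
import tempfile

MAX_MESSAGE_BYTES = 64 * 1024   # assumed cap on what a job may hand the agent


def write_message_file(text, directory):
    """Create a new 0600 message file inside a private directory."""
    # mkstemp opens with O_EXCL and mode 0600, so a pre-planted file is never reused.
    fd, path = tempfile.mkstemp(prefix="oc-msg-", suffix=".txt", dir=directory)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(text)
    return path


def check_message_file(path, max_bytes=MAX_MESSAGE_BYTES):
    """Return reasons not to feed this file to the agent (empty list = ok)."""
    st = os.lstat(path)                     # lstat: do not follow symlinks
    if not stat.S_ISREG(st.st_mode):
        return ["not a regular file"]
    problems = []
    if st.st_uid != os.getuid():
        problems.append("owned by another user")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("group- or world-writable")
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    if parent.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("parent directory writable by others")
    if st.st_size > max_bytes:
        problems.append("larger than expected")
    return problems


def agent_argv(path):
    """Build the invocation named in the release notes, or refuse."""
    problems = check_message_file(path)
    if problems:
        raise PermissionError(f"{path}: {', '.join(problems)}")
    return ["openclaw", "agent", "--message-file", path]
```

The check and the agent's later read are separate steps, so keep the file in a directory only the pipeline user can write to rather than relying on the check alone.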
Safer Plugin Distribution
OpenClaw continues its push to externalize official plugins cleanly. v2026.6.11 ships two plugin distribution improvements: additional official plugins are moved out of the monorepo and into their own externalized packages, and bundled plugin icon metadata is now available to installed clients. The icon metadata addition sounds cosmetic, but it signals a more mature plugin identity system, one where the client UI can know what it is dealing with without fetching external resources at install time.
The externalization effort matters beyond packaging tidiness. When plugins are bundled in the monorepo, their release cycle is coupled to the core. External plugins can be patched, updated, or revoked independently, which is exactly what you want when a plugin has a vulnerability or behaves unexpectedly in the field.
Stronger Codex Integration and Agent Turn Reliability
Three agent-turn reliability fixes are worth noting: Codex partial delta handling, harness activation improvements, and long-context prompt-cache stability. In practice, these address cases where a Codex run would appear to succeed but deliver incomplete output due to streaming delta loss, or where the harness would fail to activate cleanly under certain session configurations. Long-context prompt-cache stability is increasingly important as operators run longer sessions and rely on caching to reduce latency and cost. Breakage there is the kind of thing that causes intermittent confusion that is very hard to debug from the outside.
Channel Delivery Reliability Round-Up
The fixes section of v2026.6.11 is a long list, but the channel delivery fixes cluster around Telegram and WhatsApp specifically. Telegram progress rendering, webhook lifecycle, reaction directives, and queued update draining are all improved. On the WhatsApp side: native quotes, Baileys group reliability, and approval reactions across JID drift. The last of these addresses a genuinely tricky problem where WhatsApp's JID (account identifier) can drift across sessions and cause approval reactions to misfire. These are the kinds of bugs that are invisible until they aren't, and then they are deeply annoying.
Gateway and session safety also get a patch pass: stuck release claims, draining-state reporting, remote probe timeouts, malformed paired access lists, and non-delivery session identity are handled without silent routing loss. "Silent routing loss" (messages disappearing without error) is one of the worst failure modes in a system people depend on for communications. The fact that multiple PRs in this release address it suggests it was a meaningful real-world pain point.
Mobile Improvements: Android Settings Detail Panels
Android users get settings detail panels that improve configuration visibility and control on mobile (PR #95148, thanks @Tosko4). The mobile story for OpenClaw has historically been weaker than the desktop/server story, so any improvement here compounds over time. A companion PR on the iOS side (PR #95640) has been consolidating notification permissions into Settings > Notifications and separating APNs registration from OS notification authorization. Mobile approval flows are becoming more explicit about what OpenClaw-hosted push relay is doing and when, which is important context for anyone relying on mobile for exec approvals.
v2026.6.11 is not a headline-grabbing release; it is a polish-and-infrastructure release that makes OpenClaw measurably better for anyone running it seriously. Channel operators, pipeline builders, and mobile-first users all get meaningful wins. That is exactly the cadence you want to see from a project that is transitioning from "exciting experiment" to "production infrastructure."
Security Tip of the Day
The AI Supply Chain Is Your Attack Surface: Unit 42's Report Is a Must-Read
Palo Alto Networks' Unit 42 published a landmark research report this week: "OpenClaw's Skill Marketplace and the Emerging AI Supply Chain Threat." It is the most comprehensive public analysis of ClawHub security to date, and every OpenClaw operator should read it.
The headline finding: despite ClawHub's VirusTotal and ClawScan integrations, researchers identified five unblocked malicious skills across three distinct threat categories during a February–May 2026 analysis window. All five were reported and removed, but the categories matter:
- Infostealers: Two skills delivered macOS infostealers with live C2 connections. These were persistent threat actor operations, not one-off experiments.
- Evasion: One skill used file-size inflation to exceed scanner thresholds, deliberately bypassing both ClawScan and VirusTotal. This is a known technique from the npm/PyPI supply chain world, now present in agent skills.
- Agentic threats: Two skills represented novel attack classes: runtime agentic affiliate injection and agentic front-running. These are techniques unique to the agent skill model and have no direct analogue in conventional software supply chains.
The positive news: OpenClaw is now collaborating with NVIDIA to run NVIDIA's analysis tooling across all skills, adding another layer of automated inspection. Unit 42 also notes that ClawHub's response to reports was fast: accounts banned and skills deleted promptly.
Practical steps for today:
- Audit every skill currently installed in your OpenClaw profile. Remove anything you didn't deliberately install or haven't used in 30+ days.
- Verify active skills against their current ClawHub listing: check scan status and look for any new flags since you installed.
- Be especially cautious of skills that request filesystem access, network calls to external domains, or clipboard/keychain access.
- If a skill's file size seems unreasonably large relative to its stated functionality, treat that as a yellow flag; size inflation is now a known evasion tactic.
Bottom line: ClawHub's scanning is real and improving, but it is not sufficient on its own. Treat skill installation the same way you would installing an npm package in a production environment: read the source, check the scan history, and maintain a minimal footprint.
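The checklist above can be turned into a first-pass local audit. The following is an added example, not ClawHub, Unit 42 or Skill Vetter code: it walks a directory of installed skills (the location is an assumption you supply), flags the capabilities the checklist names using constructed keyword heuristics, and treats a file too large to scan as a finding instead of skipping it, since skipping is exactly what size inflation relies on. The size limit and flag names are assumptions.

```python
import re
import time
from pathlib import Path

MAX_FILE_BYTES = 1024 * 1024   # assumed per-file scan limit
STALE_DAYS = 30                # from the checklist: unused for 30+ days

# Constructed heuristics for the capabilities the checklist names.
SENSITIVE = {
    "filesystem": re.compile(r"~/|\$HOME|/etc/|\.ssh\b"),
    "network": re.compile(r"https?://|\bcurl\b|\bwget\b", re.I),
    "keychain": re.compile(r"keychain|find-generic-password", re.I),
    "clipboard": re.compile(r"clipboard|pbpaste|xclip", re.I),
}


def audit_skill(skill_dir, now=None, max_file_bytes=MAX_FILE_BYTES):
    """Return sorted review flags for one installed skill directory."""
    now = time.time() if now is None else now
    root, flags, newest = Path(skill_dir), set(), 0.0
    if not (root / "SKILL.md").is_file():
        flags.add("missing-skill-md")
    for path in root.rglob("*"):
        if path.is_symlink() or not path.is_file():
            continue
        st = path.stat()
        newest = max(newest, st.st_mtime, st.st_atime)
        if st.st_size > max_file_bytes:
            # Never skip silently: a file too big to scan is itself a finding.
            flags.add("oversized-file")
            continue
        text = path.read_text(encoding="utf-8", errors="ignore")
        flags.update(k for k, pat in SENSITIVE.items() if pat.search(text))
    # File timestamps are only a proxy for "last used".
    if now - newest > STALE_DAYS * 86400:
        flags.add("stale")
    return sorted(flags)


def audit_all(skills_root, **kwargs):
    """Map each skill directory name under skills_root to its flags."""
    root = Path(skills_root)
    return {d.name: audit_skill(d, **kwargs)
            for d in sorted(root.iterdir()) if d.is_dir()}


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for name, found in audit_all(target).items():
        print(f"{name}: {', '.join(found) or 'no flags'}")
```

A flag is a prompt to read the skill's source and check its listing, not a verdict; keyword matches will produce false positives on benign skills.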
Skill of the Day: Skill Vetter by @spclaudehome
Skill Vetter
What it does: Skill Vetter is a security-first skill vetting system designed specifically for AI agents. Before you install any new skill, you run it through Skill Vetter, which performs structured analysis of the skill's SKILL.md, any referenced scripts, metadata, and install behavior. It surfaces red flags, evasion techniques, and unusual permission requests, and provides a structured risk summary. It is currently the #1 most installed skill on ClawHub, with over 260,000 installs.
Why now: Given Unit 42's report this week documenting active infostealer and evasion campaigns on ClawHub, Skill Vetter has never been more relevant. Running a new skill through an analysis layer before install is exactly the workflow the security community has been asking for, and Skill Vetter is the most mature implementation of that idea on ClawHub right now.
ClawHub listing: clawhub.ai/spclaudehome/skill-vetter, #1 by installs (1.2k stars, 260k installs)
Install: npx clawhub@latest install skill-vetter
Security posture: Because Skill Vetter is itself a skill, you should verify it before installing: check its ClawHub listing for scan history and read its SKILL.md. The skill's description is "security-first skill vetting for AI agents" and it is purely analytical in nature: no outbound calls, no credential access, no filesystem writes outside the workspace. Its massive install and review base means malicious modification would be detected quickly by the community.
SEN-X recommendation: In the wake of this week's Unit 42 report, we consider Skill Vetter a hygiene essential, not an optional add-on. If you are installing any skills you did not write yourself, Skill Vetter should be part of your install workflow.
Community Highlights
OpenClaw vs. Hermes: A Genuine Rivalry Emerges
The New Stack published a sharp piece this week titled "OpenClaw and Hermes agree on what an agent is. They disagree on what controls it." It is the clearest articulation yet of the emerging fork in the agent harness market, and it is worth reading in full.
Hermes, an agent framework from Nous Research, has been gaining ground, to the point where The Information reported it "recently eclipsed" OpenClaw on some metrics. The New Stack piece framed the philosophical difference well: both projects agree on the definition of an agent, but diverge sharply on the question of what controls agent behavior. OpenClaw's model leans toward operator-defined policies, channel-native approvals, and explicit trust boundaries. Hermes takes a different stance, favoring more autonomous operation with model-native self-governance.
The Microsoft Build context matters here. At the keynote, Satya Nadella described a platform shift away from operating systems and apps, toward agentic AI that doesn't wait to be opened by a user, and he showed OpenClaw running natively on Windows inside Microsoft's new execution containers. That is a significant platform endorsement that will be very hard for Hermes to match in the enterprise channel. OpenClaw may face a community challenger in Hermes, but it appears to have captured the enterprise layer first.
"After the success of OpenClaw, an open-source AI agent software that took the tech world by storm earlier this year, it's no surprise that copycats are popping up. And some of these copycats are catching up to OpenClaw, by some measures." (The Information)
Mobile Approval Flows Get Explicit Disclosure
PR #95640 is getting quiet praise from privacy-focused users. The change consolidates iOS notification permissions into Settings > Notifications, separates APNs registration from OS notification authorization, discloses OpenClaw-hosted push relay behavior explicitly, and gives users clear guidance when out-of-app exec approval notifications are unavailable. For a system that can execute shell commands on approval, understanding exactly how that approval notification is routed is not a minor detail; it is a trust requirement. The fact that OpenClaw is now surfacing this explicitly signals growing maturity in how the project handles consent.
The @vincentkoc Effect
One fun community observation: scrolling through the v2026.6.11 release notes, @vincentkoc appears in the acknowledgements for at least six different PRs spanning provider model coverage, gateway tooling, safer plugin distribution, agent fallback behavior, channel delivery, and channel identity hooks. That is a remarkable breadth of contribution for a single community member. The OpenClaw project has found a pattern where highly engaged contributors end up acting as informal area leads, a model that has historically worked well for large open-source projects and appears to be working here too.
Ecosystem News
Microsoft Build Goes All-In on Agentic AI, With OpenClaw at the Center
This month's Microsoft Build keynote will likely be remembered as the moment the big-tech consensus fully shifted toward agentic AI as the primary interface paradigm. Satya Nadella's framing (a platform shift away from operating systems and apps, toward AI that doesn't wait to be opened) is consistent with what the OpenClaw community has been arguing for since the project launched. What is new is that Microsoft is now saying it out loud at its flagship developer conference, with OpenClaw running as a live demo inside Windows execution containers.
For OpenClaw operators, the Microsoft endorsement has practical consequences beyond prestige. Windows support in OpenClaw has historically been a second-class experience: present but not polished. If Microsoft is running OpenClaw natively in Windows execution containers, that suggests real engineering investment in the Windows path. The recent spawn() fixes for npm CLIs on Windows in earlier releases already hinted at this; the Build demo makes it explicit.
OpenAI Transitions Its Model Lineup β What It Means for Agent Operators
OpenAI announced that GPT-4.5 will be retired from ChatGPT on June 27, 2026 (a 30-day sunset), and that o3 will be retired from ChatGPT on August 26, 2026 following a 90-day sunset. For OpenClaw operators using GPT-4.5 or o3 via OpenAI's API or OpenRouter, this is a planning signal. The models are not disappearing from the API immediately, but ChatGPT's retirement tends to precede API deprecation notices. If your OpenClaw configuration has GPT-4.5 or o3 as primary or fallback models, now is a good time to test your setup with alternatives.
The v2026.6.11 provider model coverage improvements, including better provider model resolution and catalog parsing, should make model migration smoother when you're ready to swap.
ClawHub x NVIDIA: Skill Security Gets Another Layer
The Unit 42 report, which we covered in the security section above, also mentions an ongoing collaboration between OpenClaw and NVIDIA to document skill behavior and run NVIDIA's analysis tooling across all published skills. This is a meaningful development for enterprise operators who have been asking for more than just VirusTotal hash checks. Behavioral documentation (what a skill actually does, not just whether known signatures match) is the next frontier of marketplace trust. If NVIDIA's tooling delivers on that promise, ClawHub could end up with the most rigorous skill security posture of any agent marketplace in production.
OpenClaw 2026.6.8 Stable: The Production Baseline
While v2026.6.11 is the latest pre-release, the community consensus reference for stable deployments remains v2026.6.8. The openclaw.com.au updates blog noted this week that the items in the active issue queue (cron isolated watchdog, cron hot-reload persistence, plugin-load boundary, memory pressure config, and MCP OAuth refresh serialization) are all being addressed, but some remain open in 2026.6.9 and .10. Their verdict: operators running production workloads should still verify the runtime rather than relying solely on the version string. That is good advice. The release velocity in June has been high, and the stability landscape is changing frequently.
Three threads are converging in the OpenClaw ecosystem right now: the runtime is maturing toward infrastructure-grade reliability, the skill security story is getting real teeth (helped along by Unit 42's public research), and the competitive landscape is heating up with Hermes as a credible alternative. OpenClaw's best response to all three is exactly what we are seeing in v2026.6.11: operational polish, plugin safety, and operator-grade tooling. The project that wins the long game in the agent harness space will be the one operators can trust to run quietly in the background without surprises. OpenClaw is building toward that.