OpenClaw 2026.6.11 Ships with Supply Chain Alarms Ringing
The latest OpenClaw beta tightens channel control, advances plugin safety, and shores up mobile and agent reliability — all while a bombshell Unit 42 report confirms five malicious ClawHub skills evaded automated scanners between February and May. If you install skills, read this before touching ClawHub today.
🦞 OpenClaw Updates
v2026.6.11 (Beta): Channel Control, Plugin Safety, and Reliable Agent Turns
OpenClaw shipped v2026.6.11 as a pre-release on June 24 — and the scope of the changelog makes it feel like a major milestone dressed in beta clothes. The stable track sits at 2026.6.10 on npm latest, but operators watching the mainline will want to understand what's coming.
The five headline themes from the release notes:
More capable channel control. Slack now supports relay mode, Mattermost gets a native /oc_queue integration, and per-DM model overrides arrive — making it possible to run different models for different conversations in the same installation. These aren't novelty features; they're the kind of fine-grained routing control that operators managing multiple workflows across multiple channels have been asking for. Credit to contributors @sjf-oa, @amknight, @xydigit-zt, @thomaszta, and @gandalf-at-lerian for landing these.
Richer operator workflows. openclaw agent --message-file adds a file-driven message path — useful for scripted or templated agent turns — and the RAFT CLI wake bridge enables remote wake-up of sessions programmatically. Both features point toward OpenClaw being used as a component inside larger automation systems, not just a standalone personal assistant. That's a healthy sign of maturity.
Safer plugin distribution. Additional official plugins are now externalized cleanly, with bundled plugin icon metadata exposed to installed clients. This continues the architectural push to make the core leaner and let plugins carry their own weight. The paired PR from @vincentkoc and @Patrick-Erichsen also tightens the publish pipeline, which matters given the supply chain concerns discussed below.
Stronger mobile operations. Android gets improved settings detail panels in 2026.6.11, following the iOS notification permission clarifications that landed in the mainline just days earlier (PR #95640). Mobile-first operators now have better configuration visibility — which reduces the "I didn't know that was on" class of security incidents.
More reliable agent turns. Codex partial delta handling, harness activation fixes, and long-context prompt-cache stability are all improved. If you've had runs where progress mysteriously vanished mid-task or Codex sessions felt inconsistent, these fixes are specifically aimed at those patterns.
June 26 Mainline: Hardening Day
Even as the beta settles, the mainline (on top of 2026.6.10 stable) kept moving through June 26 with a focused hardening pass. The biggest fixes landed on four surfaces that touch real users daily:
- Backend sandbox exec (PR #96926): Cleaned up failed sandbox launches, fixed hook context during deferred environment resolution, and turned malformed wrapped exec parameters into proper tool errors instead of silent WeakMap failures.
- Google Meet chrome-node (PR #96908): Aligned local Chrome, Chrome node-host, audio, and profile settings so Meet transcription and talk-back paths use the configured runtime consistently instead of drifting between launch modes.
- Signal approval reactions (PR #96880): Reactions now bind to the message that actually delivered the approval prompt — eliminating the mismatch between visible approval instructions and stored targets that confused some users.
- Telegram replay loop fix (PR #96847): Serialized auto-reply session initialization on the Telegram isolated-ingress path, stopping stale snapshot conflicts from replaying the same spooled update before the agent turn started.
The takeaway for operators: June 26 is a stability day, not a feature day. If you're on 2026.6.10 stable, you can stay there. If you're tracking beta or mainline, smoke-test sandbox exec with plugin hooks, Google Meet chrome-node launches, Signal approval reactions, and Telegram replay behavior after restarts.
"MCP tool calls failing when some models serialize array or object parameters as strings" — OpenClaw community issue #96916, June 26. A cross-model tool-call contract problem that operators should watch closely.
The 2026.6.11 release is proof that OpenClaw has internalized the lesson from the rough patch earlier this year: channel delivery and agent turn reliability aren't optional polish — they're the product. The Slack relay mode and Mattermost native queue are also signals that the project is treating channel operators as a first-class audience, not an afterthought. That's the right call for an always-on agent framework.
🔒 Security Tip of the Day
⚠️ Unit 42 Confirms: Five Malicious ClawHub Skills Beat the Scanner
This week's security tip isn't theoretical. Palo Alto Networks' Unit 42 published a report confirming that five malicious ClawHub skills evaded both VirusTotal and ClawScan screening during the period from February to May 2026. Bitdefender Labs had previously flagged that roughly 17% of early ClawHub skills carried malicious payloads — but these five represent something scarier: adversaries who specifically studied and bypassed the automated scanner pipeline.
According to Unit 42, the malicious skills used a range of techniques to appear legitimate: they had plausible descriptions, reasonable download counts (some amplified artificially), and benign-looking SKILL.md files. The actual malicious behavior was embedded in referenced scripts or activated only after installation when context conditions were met. Two TradingView assistant skills were specifically called out as examples — their marketplace listings looked credible enough to fool casual review.
What did these skills actually do? Unit 42 describes the capabilities as including information-stealing payloads (credential harvesting, clipboard capture) and agentic financial fraud — skills that could make API calls or interact with financial services on behalf of the agent once installed in a privileged context.
Your immediate action items:
- Audit your installed skills now. Run
openclaw skills listand cross-reference each against the original ClawHub listing. Look for anything you installed between February and May that touched financial, trading, or credential-adjacent workflows. - Never rely solely on scanner verdicts. VirusTotal and ClawScan are useful signals, not guarantees. A "clean" badge is a starting point for your review, not the end of it.
- Read referenced scripts before installing. The SKILL.md is the cover letter; the scripts are the code. Any skill that reaches out to the network, spawns subprocesses, or reads credential files deserves manual review.
- Apply the principle of least privilege. Skills that only need to summarize text should not be installed in an agent profile that has access to your email, financial accounts, or file system. Compartmentalize.
- Enable exec approvals for untrusted skills. Even if a skill is somehow malicious, approval gates stop it from executing arbitrary shell commands without your awareness.
Bottom line: The ClawHub scanner is a floor, not a ceiling. Treat every skill installation the same way you'd treat adding a dependency to a production codebase — with intent, review, and a clear understanding of what access you're granting.
⭐ Skill of the Day: Skill Vetter
🔧 Skill Vetter by @spclaudehome
What it does: Given the Unit 42 report this week, today's skill pick is an obvious but important one: Skill Vetter is a security-first vetting skill designed specifically to evaluate other skills before you install them. It guides you through a structured review of SKILL.md files, referenced scripts, network call patterns, permission requirements, and red-flag behaviors. It's on ClawHub with over 1,200 installs and 260k+ usage events — which means it's been battle-tested in the community.
Why it matters today: The Unit 42 report is a reminder that the "install and trust" mental model is genuinely dangerous for AI agent skills. Skill Vetter operationalizes the manual review process that most operators know they should do but rarely find time for. It doesn't replace judgment — it structures it.
ClawHub listing: clawhub.ai/spclaudehome/skill-vetter
Install: npx clawhub@latest install skill-vetter
Safety verification: We checked the ClawHub listing before featuring this skill. Skill Vetter itself is a knowledge-based, read-only skill — it analyzes SKILL.md content and asks structured questions. It doesn't execute shell commands, make network calls, or require privileged agent access. That's the ideal profile for a security tool: narrowly scoped, auditable, and inert without your direction.
Best use case: Make it part of your standard intake for any new skill. Before you npx clawhub@latest install anything, drop the SKILL.md contents into a session with Skill Vetter active and let it flag concerns. Takes two minutes. Could save hours of incident response.
👥 Community Highlights
Microsoft Build Put OpenClaw on the Main Stage — and Changed the Conversation
The biggest community moment of the past week wasn't a release note or a Discord thread. It was Microsoft's Build keynote, where CEO Satya Nadella described an agentic shift away from operating systems toward AI that "doesn't wait to be opened by a user" — and then showed OpenClaw running natively on Windows inside Microsoft's new execution containers. The New Stack called it correctly: OpenClaw and Hermes agree on what an agent is; they disagree on what controls it.
For the community, this moment landed with a mix of pride and anxiety. Pride, because the project that started as a personal assistant harness is now being cited in enterprise keynotes with 380,000+ GitHub stars and 79,600 forks. Anxiety, because mainstreaming an agent framework also mainstreams its attack surface. The Unit 42 report that dropped in the same week as the Microsoft moment is not a coincidence — security researchers follow adoption curves, and OpenClaw's curve is steep right now.
The MCP Tool-Call Contract Problem Is Real
Community issue #96916 — MCP tool calls failing when some models serialize array or object parameters as strings instead of JSON — is getting traction as a practical blocker for cross-model deployments. This isn't an edge case. Operators running multi-model setups (e.g., Claude for reasoning, a local Gemma for lightweight tasks) are hitting it when model A's tool-call output format doesn't match what model B expects on the receiving end.
The broader lesson: MCP interoperability is still more of a promise than a reality in production. Until tool-call schemas are tested explicitly across model families, assume behavior varies. Build validation into your workflows, not just your assumptions.
Community Pulse: Reliability Over Features
The loudest signal from community reports closed in the past 48 hours: Telegram ingress queue stalls, large session JSON timeouts, and Feishu metadata leakage. Message-loss is still the most painful user experience in always-on agent deployments — because unlike a wrong answer (which is annoying), a dropped message can mean a missed meeting, a failed notification, or an undetected error in a running workflow.
The community is also increasingly vocal about TLS configuration gaps. Open reports cover gateway listeners without subjectAltName in their certificates, which causes client validation failures in strict environments. If you're running OpenClaw behind a reverse proxy or in a containerized deployment, double-check your cert chain now — before a client or monitoring tool enforces stricter validation and you're debugging it at the worst possible moment.
The community is growing faster than its security culture is maturing, and the Unit 42 report is the wake-up call that moment needed. The good news: the OpenClaw project and its community are both responding correctly — tightening plugin pipelines, improving mobile approval flows, and improving scanner coverage. The bad news: these are cat-and-mouse dynamics. Operators who treat security as a one-time install step are the ones who will get burned next.
🌐 Ecosystem News
OpenClaw Now Has 380,000+ GitHub Stars — and a Target on Its Back
The generect.com overview published this week puts the project's scale in stark terms: over 380,000 GitHub stars as of June 2026, 79,600 forks, 61,861 commits. That's not a niche developer tool anymore. That's infrastructure. And infrastructure at scale attracts adversaries at scale.
The Bitdefender Labs finding from early February — that approximately 17% of analyzed early ClawHub skills carried malicious payloads — was the first alarm. The Unit 42 report this week is the second, louder one. Both point to the same structural issue: ClawHub's automated scanning is useful but insufficient, and the community's default posture of "trust the registry" is a liability when the registry is growing faster than its vetting pipeline.
OpenClaw isn't alone in facing this problem. npm had its own supply chain crisis years. PyPI deals with malicious packages constantly. The difference is that an OpenClaw skill runs inside an agent with broad permissions — email access, shell execution, file system, possibly financial APIs. The blast radius of a malicious skill is potentially much larger than a malicious npm package that only runs in a sandboxed Node process.
The OpenRouter + OpenClaw Relationship Is Worth Watching
OpenRouter's public collection page for OpenClaw now shows it as one of the most active hubs for model routing, with persistent memory, customizable skills, and 24/7 operation being the three features cited most often. This matters because OpenRouter's model-agnosticism is one of OpenClaw's genuine differentiators — the ability to run Claude for one task, GPT-4o for another, and a local Gemma instance for a third, all within the same agent workflow.
As model pricing continues to shift and new providers emerge, this routing flexibility becomes more strategically valuable. Operators who locked into a single-provider agent stack six months ago are now paying more or scrambling to migrate. OpenClaw's multi-provider architecture was designed for this moment.
TECNO EllaClaw Shows Phones Are the Next Agent Frontier
A smaller but interesting signal: TECNO announced this week that their EllaClaw AI agent can now manage the phone itself and step inside other apps to perform tasks on the user's behalf. It's early and limited, but the direction is clear — AI agents are moving off the desktop and onto the most personal device most people own.
For OpenClaw's Android node capability, this is a preview of user expectations in 12 months. The hardening of Android settings panels in 2026.6.11 looks prescient in this context. Mobile isn't an afterthought anymore — it's where agents will do their most sensitive work.
Three things are converging this week that define where OpenClaw sits heading into mid-2026: (1) the platform is mainstream enough to appear in Microsoft keynotes, (2) it's large enough to attract sophisticated supply-chain attacks, and (3) it's capable enough to run on mobile and inside enterprise orchestration frameworks. That's a genuine inflection point. The projects that navigate it well will be the ones that treat security as a product feature — not a blog post — and that give operators real tools to audit, compartmentalize, and control their agent environments. OpenClaw is moving in the right direction. The pace matters.
Need help with OpenClaw deployment?
SEN-X provides enterprise OpenClaw consulting — architecture, security hardening, custom skill development, and ongoing support.
Contact SEN-X →