OpenClaw 2026.6.11: Supply Chain Reckoning, RAFT CLI Wake Bridge, iOS Approval Overhaul, and the Hermes Debate Intensifies
OpenClaw 2026.6.11 completes its rollout with channel control upgrades, safer plugin distribution, Android settings detail panels, and more reliable Codex agent turns — while Palo Alto Unit 42's landmark supply chain research dominates the security conversation and The New Stack publishes a deep read on the OpenClaw vs. Hermes architecture split.
🦞 OpenClaw Updates
2026.6.11: A Pre-Release That Punches at Stable Weight
OpenClaw's 2026.6.11 pre-release, tagged on June 24, is landing on the heels of a strong 2026.6.10 stable and delivers improvements across five distinct fronts. The release is still technically pre-release, but given the quality trajectory and the targeted nature of its changes, operators running production workloads on edge builds will find it solid footing.
Here is what matters in each area:
Channel Control: Slack, Mattermost, and Per-DM Model Overrides
The channel story in 2026.6.11 is about closing gaps in automation coverage. Three changes arrive together:
Slack relay mode — contributed by @sjf-oa and @amknight — gives operators a relay path that sidesteps Slack's more restrictive direct API surface while still delivering agent turns cleanly into workspace channels. For teams using OpenClaw as a lightweight Slack assistant without full workspace permissions, this is a significant unlock.
Native Mattermost /oc_queue — from @xydigit-zt, @thomaszta, and @gandalf-at-lerian — brings OpenClaw's queue-and-respond pattern to Mattermost's slash command surface without middleware. Previously, integrating OpenClaw into Mattermost required custom bridging. Now the queue is natively addressable.
Per-DM model overrides — the most quietly useful addition. Operators can now configure different models for different direct-message conversations, letting, say, a fast/cheap model handle routine queries from one channel while a more capable model serves escalated or complex ones. This is the kind of granularity that was only possible via workarounds before.
Per-DM model overrides are deceptively important. Once you have this, you can start doing real cost optimization across channel surfaces without a single-model-fits-all compromise. Expect this to become a standard config primitive for multi-channel deployments.
Operator Workflows: File-Driven Agent Turns and RAFT CLI Wake Bridge
Two new workflow paths ship in 2026.6.11 that are aimed squarely at operators running OpenClaw as infrastructure rather than as an interactive assistant.
openclaw agent --message-file — contributed by @ooiuuii — lets you drive agent turns by pointing at a file instead of passing message content inline. That sounds small, but it matters enormously for pipelines: you can now templaterize, stage, audit, and version-control the exact prompt content that enters your agent without writing shell escaping gymnastics. CI/CD-driven agent workflows just got cleaner.
RAFT CLI wake bridge — from @vincentkoc — adds a remote wake-up path via the RAFT protocol. For operators running distributed multi-node setups, this lets an external system or cron fire a targeted wake into a specific OpenClaw agent session without needing HTTP access to the gateway itself. It is a clean separation of concerns: the trigger mechanism is decoupled from the gateway's internal scheduler.
"openclaw agent --message-file and the RAFT CLI wake bridge add practical file-driven and remote wake-up paths." — 2026.6.11 release notes
Safer Plugin Distribution: Externalized Plugins and Icon Metadata
Plugin distribution continues its ongoing cleanup. Two changes in 2026.6.11 push the platform further toward a model where core ships lean and plugins are fetched, verified, and installed explicitly:
Additional official plugins externalized cleanly — contributed by @vincentkoc — means more capability has moved from the core bundle into separately-distributed packages. Smaller core, cleaner audit surface, faster installs for operators who do not need every first-party capability.
Bundled plugin icon metadata — from @Patrick-Erichsen — makes icon assets available to installed clients rather than relying on CDN fetches at render time. This improves client-side plugin UI reliability and removes a network dependency from what should be a local display operation.
Mobile: Android Settings Detail Panels
Android users get a meaningful improvement in 2026.6.11: settings detail panels that improve configuration visibility and control on mobile. This is from @Tosko4 and addresses a long-standing pain point where Android operators had to navigate nested menus or fall back to the desktop UI to see or modify detailed agent configuration. The new panels bring the Android companion closer to feature parity with the macOS and iOS experience on the settings front.
More Reliable Agent Turns: Codex Deltas, Harness Activation, and Prompt-Cache Stability
The reliability cluster in 2026.6.11 addresses three distinct failure modes that have been affecting Codex-heavy workloads:
Codex partial deltas — from @agonza1 — fixes an issue where streaming agent turns through Codex would occasionally drop intermediate output, producing truncated or incomplete results visible in logs but not to the agent. The fix ensures partial content is buffered and reassembled correctly before delivery.
Harness activation — from @vincentkoc — addresses cases where the Codex harness would fail to activate cleanly on session start, causing silent fall-through to default behavior rather than the configured Codex execution mode.
Long-context prompt-cache stability — also from @vincentkoc — reduces inconsistencies in how prompt caches are populated and invalidated across long agent runs. This is particularly important for operators running extended workflows where context window efficiency matters; an unstable cache means you pay for tokens you should not have to.
Fixes Worth Knowing About
The fix list in 2026.6.11 is substantial. A few highlights for operators:
- Telegram progress rendering — fixed erratic progress messages during long agent turns in Telegram channels.
- WhatsApp durable reply targets — JID drift during group conversations no longer causes approval reactions to land on the wrong message.
- Gateway stuck release claims — a concurrency issue that could leave a session claiming a gateway slot after its run completed is resolved.
- Malformed paired access lists — the gateway now handles malformed entries in the paired device access list without routing loss instead of failing silently.
- Aborted runs stop cleanly — previously, certain aborted agent turns could leave zombie state in session tracking; now they terminate properly.
- Provider response body bounds — a guardrail is now enforced on the maximum size of provider response bodies, preventing runaway memory allocation on unusually large model outputs.
- iOS APNs registration overhaul — mobile approval notifications now properly separate APNs registration from OS notification authorization, with better user guidance when out-of-app approvals are unavailable.
The WhatsApp JID drift fix and the gateway stuck release claim fix are the two I would highlight for production operators. Both are subtle concurrency/state issues that are extremely hard to reproduce and diagnose, and both have the potential to cause very confusing silent failures. If you have been seeing intermittent WhatsApp approval routing issues or unexplained session slot exhaustion, this release likely has your fix.
🔒 Security Tip of the Day
Treat ClawHub Skills as a Software Supply Chain — Because They Are One
This week's most important security reading is Palo Alto Unit 42's landmark report on OpenClaw's skill marketplace as an AI supply chain attack surface. The findings are sobering even for experienced operators: five malicious skills slipped past both ClawHub's VirusTotal integration and ClawScan between February and May 2026, representing three distinct attack categories.
The three categories Unit 42 identified tell you a lot about how adversaries are thinking about this problem:
- Infostealers: Two skills delivered macOS infostealers with C2 infrastructure — essentially classic malware dressed up as productivity tools. The skill install path gives them legitimate filesystem access they would otherwise need to social-engineer.
- Evasion: One skill inflated its file size to exceed scanner thresholds, bypassing both ClawScan and VirusTotal detection entirely. The scanner cannot look at what it cannot read. This is a known technique from the npm/PyPI world, now arriving in AI agent ecosystems.
- Agentic threats: Two skills used genuinely novel techniques — runtime agentic affiliate injection and agentic front-running — for financial gain. These are not malware in the traditional sense; they are attacks that leverage the agent's own decision-making to redirect value to the attacker.
The positive outcome: Unit 42 reported all five to ClawHub, which removed them and banned the accounts. OpenClaw is also now collaborating with NVIDIA to document skill behavior and run NVIDIA's analysis tooling across the ClawHub catalog. Progress is real.
But the lesson for operators is not "wait for ClawHub to fix it." The lesson is to treat every skill install like an npm package going into a production service:
- Read SKILL.md and any referenced scripts before installing. Look for outbound network calls, shell execution, filesystem writes outside expected directories, and self-modification patterns.
- Check the file size. An unusually large SKILL.md or a bundled binary is a red flag. Legitimate skills are mostly markdown and shell; anything that feels bloated deserves scrutiny.
- Prefer skills with a long public history and high install counts from named maintainers. Not because popularity equals safety, but because abuse is more likely to be noticed and reported quickly.
- Run the SkillScan skill on new installs — available on ClawHub from
@tokauthai— as an additional check layer before activating anything new in production. - Scope your agent's tool permissions. A skill that only needs to summarize text should not sit in an agent profile with file write and exec access. Defense in depth matters even after install.
Bottom line: ClawHub's scanners are improving, but they are not a complete defense. The three attack categories Unit 42 found — infostealers, evasion, and novel agentic attacks — all require operator-level vigilance that no automated scanner can fully substitute for. Read before you install.
⭐ Skill of the Day: SkillScan by tokauthai
🔧 SkillScan — Security Gate for OpenClaw Skills
What it does: SkillScan is a security-first skill vetting tool designed to run before you install any skill from ClawHub or external sources. It performs automated analysis of skill SKILL.md files and associated scripts, flagging dangerous patterns including outbound network calls to suspicious domains, filesystem operations outside expected paths, shell injection patterns, credential access attempts, and bloated file sizes indicative of evasion techniques.
Why it's today's pick: Given the Unit 42 supply chain findings published this week, there is no better moment to spotlight the one skill explicitly designed to protect you from other skills. The ClawHub listing from @tokauthai shows strong community adoption — 391 installs and 78k downloads — and the tool's description positions it as a mandatory gate: "Every new skill MUST pass SkillScan before use." That is the right posture.
Safety verification: SkillScan is on the ClawHub top-20 list by install count, has a named and active maintainer, and its own SKILL.md is notably short and transparent — primarily markdown with no bundled binaries. It is exactly what a security tool should look like: auditable, lightweight, and conservative. We reviewed the current skill content before featuring it.
Install: Find it on clawhub.ai under @tokauthai/skillscan
Best use case: Run SkillScan as the first step in your skill evaluation workflow. Feed it any SKILL.md before you npx clawhub@latest install anything. It will not catch everything — nothing does — but it raises your baseline substantially and makes the audit process explicit rather than assumed.
👥 Community Highlights
The Hermes Debate: Agreement on Agents, Disagreement on Control
The most substantive community-adjacent discussion this week is not happening in Discord — it is happening on The New Stack, which published "OpenClaw and Hermes agree on what an agent is. They disagree on what controls it." The piece frames a real architectural tension that the broader agent platform market is only beginning to grapple with seriously.
The short version: both OpenClaw and Hermes accept the same definition of what an agent is — a model-driven loop with tools, memory, and channels. Where they diverge is on the control model. OpenClaw takes the view that the human operator is the primary trust anchor: approvals, owner enforcement, scoped exec policies, and channel-specific permissions all flow from the idea that a person is in the loop and must be able to intervene. Hermes takes a more autonomous-by-default stance, where agents are expected to self-manage with policy guardrails rather than human checkpoints.
Neither position is wrong. They are optimized for different deployment environments and risk tolerances. But the debate matters because it reveals what is still unresolved in the industry: what does it actually mean to govern an AI agent, and who — or what — enforces that governance at runtime?
"At Microsoft's Build keynote, CEO Satya Nadella described a platform shift away from operating systems and apps, and toward agentic AI that doesn't wait to be opened by a user. Then he showed the layer that makes the shift possible: OpenClaw." — The New Stack
The framing of OpenClaw as the runtime that Microsoft chose to showcase at Build is important context here. Microsoft is not agnostic on this debate — it is effectively signaling that human-in-the-loop, approval-driven agent execution is the model it wants to underwrite for enterprise adoption. That gives OpenClaw's control model significant institutional backing, even as alternative approaches like Hermes attract developers who want less friction.
The OpenClaw vs. Hermes debate is less about which platform is better and more about which mental model of agent governance wins. OpenClaw is betting that trust-first, operator-in-the-loop design earns adoption from the serious enterprise market. That bet is looking increasingly well-placed as the security reckoning arrives. Autonomous-by-default is a great demo. It is a harder sell when the Unit 42 report is in the room.
iOS Push Notification Rework Gets Community Attention
Among the fixes in 2026.6.11, the iOS APNs registration overhaul — tracked in PR #95640 — generated more community discussion than most. The change consolidates notification permissions into Settings > Notifications, separates APNs registration from OS notification authorization, and discloses OpenClaw-hosted push relay behavior explicitly in the UI.
Why did this land with the community? Because exec approvals on mobile are one of the most frequently broken workflows in OpenClaw deployments. If APNs registration silently fails — which it does more often than it should on iOS due to permission state drift — you end up with an agent that is blocked waiting for a human approval that never arrives on the human's device. That is the kind of silent failure that makes operators distrust the whole approval system. The new settings clarity and the improved guidance when push is unavailable are small but meaningful fixes to operator confidence.
Release Verification as a Platform Story
One community observation worth amplifying: the 2026.6.x release train has been notably consistent about publishing CI evidence alongside release notes. The SourceForge mirror for 2026.6.10, for example, links directly to GitHub Actions runs for full release validation, plugin npm publish, ClawHub publish, and Windows Hub promotion — all verifiable, all traceable back to the commit that produced them.
This is not glamorous, but it is the behavior of a project that understands its software is increasingly critical infrastructure. When you can verify that the ClawHub package you are installing came from the same CI run as the signed release, the trust model improves fundamentally. OpenClaw is quietly building the attestation scaffolding that the supply chain moment demands.
🌐 Ecosystem News
Unit 42's Report Is the Security Story of the Quarter
Beyond what we covered in the security tip, Unit 42's full report deserves context as an industry-level signal. Palo Alto Networks is not a small blog — this is one of the world's most respected threat research teams publishing a formal analysis of AI agent supply chain risk. The fact that they chose OpenClaw's ClawHub as the primary research subject reflects both the platform's maturity (there is enough of an ecosystem to study) and the urgency of the threat (the ecosystem has grown faster than its security model).
The report also announces something that has not gotten enough coverage: OpenClaw is collaborating with NVIDIA to provide documentation of what each skill does and to run NVIDIA's threat analysis tooling across the ClawHub catalog. This is the NVIDIA NemoClaw partnership expanding from infrastructure into active skill security. The implication is that ClawHub's security model will eventually include NVIDIA-powered behavioral analysis on top of static scanning — a genuinely different capability class.
For operators, the near-term takeaway is not to wait for this capability to ship before taking skill security seriously. The collaboration is promising but in early stages. The five unblocked skills that Unit 42 found were present and active during the months that ClawHub's existing scanners were running. Defense in depth is not optional.
OpenAI and Broadcom Unveil Jalapeño: The LLM-Optimized Inference Chip
Outside the OpenClaw ecosystem, the week's most significant hardware news is the OpenAI and Broadcom announcement of the Jalapeño AI chip, described as targeting 50% inference cost cuts for large language model workloads. The chip is optimized specifically for the memory bandwidth and precision requirements of transformer inference, not training — which is a deliberate positioning choice that reflects where the cost pressure is actually felt in production deployments.
For OpenClaw operators running heavy workloads against commercial model providers, this matters for a simple reason: inference cost is what limits how much you can use your agent. If Jalapeño delivers on its claims and providers pass even a fraction of those savings to customers, the economics of always-on agent deployments shift materially. Lower per-token cost means more liberal use of capable models, longer context windows, and reduced incentive to route everything through the cheapest available provider.
The MaiAgent Enterprise Pitch: Stop Building from Scratch
At VivaTech 2026, Taiwan-based MaiAgent made an argument that is increasingly common in the enterprise agent space: stop building retrieval-augmented generation and agent systems from scratch and use a managed platform instead. The pitch is aimed at the significant cohort of enterprise teams that have spent six to eighteen months building bespoke agent infrastructure and are now drowning in maintenance overhead.
This is relevant context for OpenClaw's community because it frames the competitive question correctly: OpenClaw's moat is not being the only personal AI agent harness — it is being the one that serious operators trust to run their actual workflows. As managed platforms commoditize the easy parts of agent deployment, the differentiation shifts toward governance, auditability, operator control, and supply chain security. All four of those are areas where OpenClaw's current trajectory is pointing in the right direction.
The week of June 27 is a clarifying one for the OpenClaw ecosystem. The supply chain reckoning from Unit 42 makes clear that skill security is a first-order problem, not an afterthought. The Hermes debate surfaces the control philosophy question that every serious operator will eventually have to answer. And Jalapeño's cost projection suggests the economics of always-on agents are about to get better. OpenClaw's job is to earn the trust that a cheaper, more capable inference layer will make possible. The 2026.6.11 release is a reasonable step in that direction.
Need help with OpenClaw deployment?
SEN-X provides enterprise OpenClaw consulting — architecture, security hardening, custom skill development, and ongoing support.
Contact SEN-X →