OpenClaw 2026.6.11: Smarter Channels, Mobile Gains, and the Supply-Chain Threat You Can't Ignore
OpenClaw 2026.6.11 is a pre-release that deserves your attention: Slack relay mode, native Mattermost queuing, per-DM model overrides, stronger Android settings, and more reliable Codex agent turns all ship together. Meanwhile, security researchers are sounding alarms about the skills marketplace as an AI supply-chain attack surface — and the community is asking sharper questions about cron isolation and context budgets than ever before.
🦞 OpenClaw Updates
v2026.6.11: Channel Control Grows Up
The latest pre-release from the OpenClaw project, v2026.6.11, is still tagged beta but ships enough substance that operators running fast-moving deployments are already tracking it closely. The stable line sits at 2026.6.10 as of today — but if you want to understand where OpenClaw's channel layer is heading, this release is the clearest signal available.
The headline feature is Slack relay mode. PR #94707 adds a new delivery mode that lets OpenClaw operate through Slack's relay infrastructure rather than requiring a direct bot token and API connection. For teams that can't or won't give an external system full Slack bot permissions, this is a significant unblocking move. It means OpenClaw can participate in Slack workflows with a smaller permission surface — exactly what enterprise procurement teams want to hear.
Native Mattermost /oc_queue (PR #95546) is the other channel headline. Mattermost operators no longer need to chain together a custom slash command setup to put messages into OpenClaw's processing queue; the integration is now first-class. For anyone running self-hosted Mattermost as their enterprise communications layer, this removes a meaningful friction point that previously required custom glue code.
Less flashy but arguably more useful day-to-day: per-DM model overrides (PR #95120). You can now configure different model profiles for different DM conversations — so your low-cost fast model handles routine queries, while a more capable (and more expensive) model takes complex requests without affecting the default across all your channels. This kind of granularity is exactly what operators with real cost consciousness need.
Mobile Operations Get Serious
The Android improvements in 2026.6.11 continue a trend we have been watching since late April: OpenClaw is treating mobile as a genuine first-class deployment target rather than a read-only companion app. PR #95148 adds detailed settings panels for Android, giving mobile users real visibility into agent configuration, active skills, and permission state — things that were previously only accessible through the desktop or CLI interfaces.
The iOS side of things has also been getting attention, though mostly in the prior 2026.6.10 stable release. PR #95640 consolidated notification permissions into Settings > Notifications, separated APNs registration from OS-level authorization, and fixed the case where out-of-app exec approval notifications were silently unavailable. That last fix is especially important for operators who need exec approvals to work reliably when the app is backgrounded — a very common pattern for always-on assistants.
The combined message from these mobile improvements: OpenClaw is getting serious about approvals and oversight at the edge. If you are running an agent that can touch real systems, having reliable mobile approval flows is not a convenience feature — it is a core governance requirement.
Codex Integration Keeps Getting Tighter
Three PRs in 2026.6.11 target Codex agent reliability: partial delta handling (#95404), harness activation fixes (#95652), and long-context prompt-cache stability (#95624). These are not sexy release-note bullets, but they address a real pain point that has been visible in community issue threads for several weeks.
The prompt-cache stability fix is particularly interesting. Long-context runs — the kind you get when Codex is working through a large codebase or a multi-step research task — were hitting instability due to inconsistent cache state. That kind of failure is hard to diagnose because it surfaces as erratic or incomplete agent behavior rather than a clean error. Fixing it means longer Codex sessions can now complete reliably instead of degrading silently.
"More reliable agent turns: Codex partial deltas, harness activation, and long-context prompt-cache stability reduce lost progress and inconsistent runs." — OpenClaw 2026.6.11 release notes
Release Integrity: The New Table Stakes
One underappreciated theme in the June release train is how prominently release verification now features in the project's own communications. The 2026.6.10 stable notes included explicit links to full release validation CI runs, plugin npm publish workflows, ClawHub publish confirmations, and Windows Hub promotion evidence. That is a meaningful shift from where the project was six months ago, when release integrity was something third-party trackers documented better than the project itself.
This matters because it changes the trust model for self-hosted operators. You can now check, independently, whether the build you are running matches the release commit, whether the plugins in your install were published through the same validated pipeline, and whether the Windows node you are running was promoted from a verified source. That is the kind of auditability enterprise operators need before approving OpenClaw for sensitive environments.
2026.6.11's channel improvements are genuinely useful — Slack relay mode and native Mattermost queuing both solve real deployment blockers that have been sitting on operator wish lists for a while. But the story we are watching more closely is the mobile approval infrastructure. As OpenClaw gets used for more consequential tasks, the ability to approve exec operations from a phone with clear context is going to matter a lot more than any individual feature. The project appears to understand that.
🔒 Security Tip of the Day
The Skills Marketplace Is Your AI Supply Chain — Treat It That Way
This week, Palo Alto Networks Unit 42 published a detailed analysis of OpenClaw's skill marketplace as an emerging AI supply-chain attack surface. Their headline finding was sobering: in the first weeks after OpenClaw's initial release, approximately 17% of skills analyzed by Bitdefender Labs carried malicious payloads. That number has almost certainly improved since then — ClawHub's VirusTotal scanning integration has raised the floor significantly — but the underlying dynamic has not changed.
Think about what a compromised skill can do. Unlike a traditional npm package that runs in a sandboxed build environment, an OpenClaw skill runs adjacent to your agent's full permission set. If your agent can read email, write files, send messages, and invoke shell commands, and a skill you installed silently exfiltrates data or modifies configuration, you may not notice until the damage is done.
The practical checklist for skill security:
- Check the VirusTotal scan status on ClawHub before every install. Not after. A clean scan is not a guarantee, but a missing or failed scan is a hard stop.
- Read the SKILL.md. Look specifically for: outbound network calls, shell execution, credential access, file writes outside the workspace, and any self-modifying behavior. If any of those appear without an obvious justified reason, treat it as suspicious.
- Prefer skills with large install counts and recent maintenance activity. Not because popularity equals safety — it does not — but because widely-used, actively-maintained skills get more eyes on them. Malicious behavior is more likely to surface quickly.
- Match tool permissions to actual need. If you install a skill for summarization, it should not be running in an agent profile that has exec approval, production database access, and external messaging capability simultaneously.
- Re-verify after updates. Skill updates can introduce new behavior. Subscribe to ClawHub notifications for skills you depend on, and re-check the SKILL.md diff when a version bumps.
Bottom line: OpenClaw's skill ecosystem is maturing fast, but it is still a young supply chain. Apply the same scrutiny you would to any third-party code running in a privileged context. The fact that it feels like configuration instead of code does not make it any less consequential.
⭐ Skill of the Day: SkillScan
🔧 SkillScan by @tokauthai
What it does: SkillScan is a security gate for your OpenClaw skills workflow. Before you install any new skill, SkillScan runs a structured vetting process: it checks the SKILL.md for suspicious patterns, verifies the ClawHub scan status, inspects declared tool permissions against stated purpose, and reports a risk verdict with reasoning. Think of it as a mandatory code review step applied to the agent equivalent of a third-party library.
Why it's worth featuring today: Given the Unit 42 findings this week about skills as an AI supply-chain attack vector, SkillScan is exactly the kind of defensive tooling that should be standard in any serious OpenClaw deployment. It currently sits at approximately 78k installs on ClawHub — significant adoption for a security-focused utility skill. The creator, @tokauthai, has kept it updated through recent OpenClaw changes.
Safety note: We ran SkillScan's SKILL.md through the same vetting process it prescribes for others. It declares read access to local skill files and ClawHub HTTP lookups — both expected for its stated purpose. No exec calls, no credential access, no outbound data exfiltration patterns. It is one of the cleaner security-focused skills on the platform.
Install: npx clawhub@latest install skillscan
Best use case: Run SkillScan as the first step in any skill installation workflow. Pair it with a rule in your SOUL.md or AGENTS.md that requires a clean SkillScan verdict before any skill goes live. If the project is serious about supply-chain hygiene, the process should be enforced, not just advisory.
👥 Community Highlights
The Cron Isolation Conversation Is Long Overdue
Two community issues filed this week are getting more traction than their relatively quiet thread titles suggest. Issue #97317 reports that isolated cron runs are inheriting the full agent toolbox plus the full project context — a much larger footprint than most operators expect or want from a background scheduled task. Issue #97335 describes a cron fallback model path that works in the main session but silently fails in isolated runs.
Both issues point at the same underlying gap: OpenClaw's cron isolation model has not been made explicit to operators. When you schedule a job to run in an isolated session, what exactly does it inherit? Which tools are available? Which context files are loaded? What model routing applies? These questions matter enormously for both cost and security — an isolated cron job that pulls the full project context is burning tokens you did not intend to spend, and providing tool access you may not want it to have.
The project's response to these issues will be telling. If it leads to clearer documentation and more configurable isolation defaults, that is a maturity step. If it gets closed as "working as intended" without better operator guidance, expect the friction to keep surfacing.
Context Budget Awareness Is Growing Up
A quieter but important shift in the community mood: more operators are now asking about context budgets as a first-order concern rather than an afterthought. PR #97101, which fixes the ability to page sessions_history beyond truncated tails, was celebrated precisely because long-running assistants fail in subtle ways when relevant historical context becomes unreachable due to tool caps or transcript trimming.
That kind of fix — restoring access to context that had quietly disappeared — reveals a maturity gap that many operators had been living with without fully understanding. If your agent could not see past a certain point in a long conversation, it might give you answers that were technically correct given what it could see, but wrong given what actually happened. That is the kind of issue that erodes trust slowly.
The broader cultural signal: the community is starting to treat context integrity as a reliability requirement, not just a nice-to-have. That is the right instinct.
The Microsoft Build Moment Keeps Reverberating
Last month's Microsoft Build keynote — where Satya Nadella described a platform shift toward agentic AI and then showed OpenClaw running natively inside Windows execution containers — is still generating discussion. The New Stack published an analysis this week asking the right question: OpenClaw and Microsoft's Hermes runtime agree on what an agent is, but they disagree on what controls it.
That disagreement matters. OpenClaw's control model is operator-first: you configure your own permissions, set your own tool policies, manage your own approvals. Hermes and the broader Microsoft platform model is enterprise-first: IT controls the baseline, users operate within it. Neither model is wrong, but they create real friction when they intersect — and increasingly, they will intersect in enterprise environments where some users want OpenClaw's flexibility while IT needs Hermes-grade governance.
Watch this space. The resolution — either a governance bridge between the two models, or a formal fork in the operator audience — will define a lot of OpenClaw's commercial trajectory over the next twelve months.
🌐 Ecosystem News
OpenAI GPT-5.6 Sol Ships Under Restrictions
OpenAI released GPT-5.6 Sol this week under usage restrictions while the company works with the US Administration on a cyber executive order framework. The model is being positioned as OpenAI's strongest yet, with particularly improved agentic capabilities in coding, biology, and cybersecurity. For OpenClaw users, this is relevant because GPT-5.6 Sol will presumably become available through OpenRouter and OpenClaw's standard provider routing once the restriction period ends — and its enhanced agentic coding capabilities could make it a compelling choice for Codex harness work.
The companion security evaluation is worth reading. OpenAI says GPT-5.6 Sol "is better at helping people find and fix vulnerabilities than reliably carrying out end-to-end attacks" — a framing that acknowledges offensive capability while arguing it does not cross the preparedness framework's "critical" threshold. That is a complicated claim that security researchers are still unpacking.
Google Announces Agentic Resource Discovery Specification
Google published an open specification this week called Agentic Resource Discovery (ARD) — a framework for publishing, discovering, and verifying AI capabilities across the web through domain-owned catalogs and searchable registries. It is early-stage and not yet implemented broadly, but the direction is clear: Google wants agent capabilities to be as discoverable as web pages, with cryptographic verification and structured metadata that lets agents reason about what tools and services they can call.
If ARD gains traction, it could become a meaningful complement to ClawHub's marketplace model. Instead of browsing a curated skill store, agents could dynamically discover and verify capabilities from any ARD-compliant domain. OpenClaw's plugin architecture is already extensible enough to support something like that — the question is whether the project prioritizes protocol-based discovery over its current marketplace model, or supports both in parallel.
reco.ai Documents the OpenClaw Security Crisis Chronology
Security vendor reco.ai published what may be the most comprehensive public timeline of OpenClaw-related security incidents since the platform went viral. Their analysis covers exposed management interfaces, misconfigured exec approvals, credential leakage through channel plugins, and several incidents where agents were manipulated through prompt injection in messages from compromised accounts.
The report is not entirely fair — some incidents they document reflect operator misconfiguration rather than OpenClaw vulnerabilities, and their recommendations occasionally conflate self-hosted and hosted deployment models. But the core finding is valid: OpenClaw's rapid adoption outpaced many users' understanding of its attack surface, and the incidents that followed were predictable given that gap.
The practical takeaway is the same one we have been repeating for months: running OpenClaw in production requires understanding its permission and approval model, not just its features. If you are still using default configurations for exec approvals, channel access controls, and tool policies, spend an afternoon with the security documentation before something expensive happens.
The reco.ai report and the Unit 42 skills analysis arriving in the same week is not a coincidence — it reflects a coordinated security community effort to document the OpenClaw attack surface now that the platform has reached critical mass. This is actually healthy. Security researchers focusing on a platform means the platform matters. OpenClaw's response — improving release integrity, tightening mobile approvals, adding channel-level model controls — suggests the project is tracking these concerns seriously. The operators who will get hurt are the ones who read the feature announcements but skip the security coverage.
Need help with OpenClaw deployment?
SEN-X provides enterprise OpenClaw consulting — architecture, security hardening, custom skill development, and ongoing support.
Contact SEN-X →