OpenClaw v2026.6.10: Stability Wins, Context Recovery, and the ClawHub Supply-Chain Reckoning Deepens
OpenClaw v2026.6.10 holds firm as the stable release this week, with operator-facing reliability wins landing quietly: context access past transcript truncation, preserved long Telegram reply chunks, runtime diagnostics surfaced through openclaw doctor, and hardened catalog state. Elsewhere, the ClawHub supply-chain story enters a new chapter with mainstream media coverage, a new competitor hardens its OpenClaw import path, and the community debate about context budgets, cron isolation, and provider semantics keeps intensifying.
🦞 OpenClaw Release: v2026.6.10 Holds Stable
npm latest remains pinned at v2026.6.10, and beta has advanced to 2026.6.11-beta.1 — a healthy signal that the project's release cadence is still rolling, even if today isn't a package-upgrade day for most operators. What's happening right now is the steady accumulation of high-value, operator-facing fixes that land on mainline without fanfare.
Context Recovery Past Transcript Truncation
One of the most quietly important improvements in recent mainline commits is PR #97101, which pages sessions_history beyond truncated tails. If you run a long-lived assistant that accumulates thousands of turns, you may have noticed that older-but-relevant context can become silently unreachable once tool caps or transcript trimming kicks in. That silent failure mode is now being addressed: history fetch now pages past the truncation boundary, restoring access to context that was technically present but invisible to the agent.
This matters more than it sounds. Long-running personal assistants and enterprise agents that track ongoing projects depend on the ability to reach back into history. A context window that looks complete but actually has a blind spot is worse than a known limitation — it produces confident but wrong answers. The fix restores expected behavior across extended agent lifetimes.
Context recovery across truncation is the kind of fix that never makes a release headline but that every power user will quietly appreciate. If you've been noticing your agent "forgetting" things it should know about an ongoing project, this patch is for you. Consider it a stealth quality-of-life win hiding inside a stability release.
Long Telegram Reply Preservation
PR #97312 preserves long streamed Telegram reply chunks. This addresses a delivery gap that's been in the tracker for a while: when an agent's response to a Telegram message exceeded certain length thresholds during streaming, chunks could be dropped or truncated at the channel boundary. The fix ensures the full response makes it through — a practical win for anyone using OpenClaw as a Telegram bot that handles research summaries, long document drafts, or multi-step task reports.
Combined with the existing Telegram rich formatting work from 2026.6.8 (tables, expandable blockquotes, CLI-backed replies), this makes the Telegram channel stack meaningfully more reliable for production use.
Runtime Diagnostics Now Surfaced in openclaw doctor
PR #97075 exposes gateway runtime findings through openclaw doctor output, while redacting health targets from logs. The addition is genuinely useful for operators: previously, certain gateway runtime states were only visible through logs that required digging. Now the doctor command shows a structured view of what the gateway itself sees — without leaking sensitive endpoint URLs into output that might be shared in a support context.
If you run a self-hosted OpenClaw instance and have ever struggled to diagnose why a channel or model route stopped working, this is the kind of observability improvement that saves real time.
Catalog State Hardening
Recent mainline commits introduced hosted catalog snapshot fallback, snapshot persistence in state, and hosted catalog source-profile validation. The framing from the OpenClaw updates digest is apt: "Model and plugin catalogs are no longer harmless lookup tables; stale or unvalidated catalog state can change routing, provider availability, and setup behavior."
This is an area that's easy to underestimate. A stale model catalog can cause an agent to route to a deprecated model endpoint. An unvalidated skill catalog entry can pull from a tampered source profile. These aren't theoretical risks at the scale ClawHub has reached — they're exactly the attack surfaces that the supply-chain security research has been documenting.
iMessage Media & Unicode Fixes
PR #91803 stages remote iMessage media for plugin claims — ensuring that when media arrives via iMessage and needs to be processed by a plugin, the staging handoff is clean. PR #97299 truncates auto-reply user-facing text on UTF-16 boundaries, preventing garbled channel output on platforms where message length is measured in UTF-16 code units rather than Unicode scalar values. PR #97212 preserves null in anyOf unions rather than coercing it to an empty string, closing a semantic edge that produced incorrect tool-argument behavior when agents passed null for optional parameters.
The Unicode and schema fixes feel like plumbing, but they represent real correctness work. UTF-16 boundary truncation is the kind of bug that never appears in English-only environments but causes consistent breakage for anyone using Japanese, Chinese, Korean, or emoji-heavy content. And null-in-anyOf is a JSON Schema subtlety that causes tool calls to silently misbehave. These are good catches.
Also on the Radar: Provider Authentication Visibility
PR #96599 surfaces provider authentication failures through channel replies instead of leaving operators with a quiet failed run. Before this fix, if a provider's credentials expired or a key was rotated, the agent would simply stop producing responses with little explanation visible to the operator monitoring a channel. Now the failure propagates as a visible channel reply, making it actionable. This is especially useful for anyone running OpenClaw through Telegram, WhatsApp, Slack, or similar front doors where the only monitoring interface is the channel itself.
🚨 ClawHub Supply-Chain: The Crisis Enters Its Next Chapter
The skills marketplace supply-chain story isn't new — we've covered Unit 42's research here repeatedly — but it's entering a new phase of mainstream visibility and institutional response.
Reco.ai Security Analysis: The OpenClaw Attack Surface
Security firm Reco.ai published a detailed breakdown of "The AI Agent Security Crisis Unfolding Right Now," with OpenClaw named as a primary case study. The analysis documents a pattern that's been accumulating since OpenClaw went viral: within weeks of widespread adoption, the project was associated with a growing number of security incidents escalating in scope and severity — from traditional vulnerabilities to exposed management interfaces and supply-chain attacks via the skills ecosystem.
The framing is important: Reco.ai isn't documenting theoretical risks. They're tracking incidents that have already occurred. The ClawHub marketplace, which now hosts tens of thousands of skills from thousands of contributors, has become a meaningful attack surface for anyone willing to publish a malicious skill and wait for installs.
Unit 42: Five Malicious Skills, Two macOS Infostealers
Palo Alto Networks' Unit 42 — the same team that published the landmark skills supply-chain research earlier this month — followed up with a report identifying five malicious skills on ClawHub. Two of those skills were delivering macOS infostealers, while others served as staging tools for credential harvesting operations. The skills were removed after disclosure, but the incident underscores a structural problem: VirusTotal scanning alone is not sufficient to catch purpose-built agent skills that wrap malicious behavior in legitimate-looking skill scaffolding.
Two macOS infostealers distributed as ClawHub skills is a line that's been crossed. This isn't about abstract supply-chain theory anymore — it's about malware running inside your agent's trust boundary with access to your files, credentials, and API keys. The skill vetting process needs to be significantly more rigorous. Until it is, treat every ClawHub skill as untrusted code from the internet, because that's exactly what it is.
What This Means for Operators
The practical takeaway for OpenClaw operators right now is straightforward: before installing any ClawHub skill, check it independently. Don't rely solely on ClawHub's own safety indicators. Check the author's GitHub history, look at the skill's source code directly, search for the skill name plus security reports, and run openclaw doctor after install to catch any anomalous runtime state changes.
The OpenClaw project has integrated VirusTotal scanning and is working on stronger provenance tooling — but those controls are catching known malware signatures, not purpose-built agent skill exploits. The gap is structural, and it won't close overnight.
🆚 OpenClaw vs. Hermes: The Debate Goes Mainstream
The New Stack published a piece this week examining OpenClaw and Hermes Agent side by side: "OpenClaw and Hermes agree on what an agent is. They disagree on what controls it." The framing is sharper than most competitive comparisons: both projects share a definition of what an AI agent should do, but they've made fundamentally different choices about the control layer that sits between the agent and the systems it touches.
The piece gave significant air time to the Microsoft Build moment — when Satya Nadella described the shift from operating systems and apps toward agentic AI, and showed OpenClaw running natively on Windows inside Microsoft's new execution containers. That endorsement continues to reverberate as a signal that OpenClaw has cleared an enterprise legitimacy bar that newer entrants haven't yet reached.
Meanwhile, Context Studios published a detailed technical comparison noting that Hermes has now shipped security fixes as named release work: Hermes v0.16.0 on June 5, 2026 included a Starlette pin for CVE-2026-48710, server-side request forgery hardening, and subprocess credential stripping. The comparison also notes that Hermes can now automatically import OpenClaw settings, memories, skills, and API keys — a deliberate migration path that signals where Hermes thinks the switching cost pressure lies.
The Hermes "import from OpenClaw" feature is a tell. It means the Hermes team believes there are enough OpenClaw operators dissatisfied enough to switch — and they want to make that switch frictionless. Whether that converts into real migration volume depends on whether the supply-chain incidents create lasting trust damage with the operator community. Watch this space carefully over the next 30 days.
🔒 Security Tip of the Day
Run openclaw doctor Before and After Every Skill Install
With the ClawHub supply-chain incident involving macOS infostealers fresh in the news, here's a concrete operational habit to adopt immediately: run openclaw doctor both before and after installing any new skill.
What you're looking for:
- New processes or listeners: A malicious skill might spawn a background process or open a network listener. Doctor output now exposes gateway runtime findings — look for anything unexpected.
- Changed catalog state: After a skill install, verify your model and plugin catalog hasn't been modified in unexpected ways. A poisoned skill can tamper with catalog source profiles.
- Auth profile changes: Check that no new auth profiles were created or existing ones modified. An infostealer skill's primary goal is credential exfiltration.
- File system changes: Run
ls -la ~/.openclaw/before and after and diff the output. New files you didn't expect are a red flag.
The goal is to establish a baseline of your OpenClaw state before the install and detect deviations after. It takes 30 seconds and it's the simplest thing you can do to protect yourself while the marketplace security controls mature.
⭐ Skill of the Day: SkillScan
🔍 SkillScan by tokauthai
What it does: SkillScan is a security gate for OpenClaw skills. Before installing any new skill, run it through SkillScan — it analyzes the skill's source code, checks for known malicious patterns, validates the skill's declared capabilities against its actual code, and produces a security verdict with a confidence score. Think of it as your personal skill security auditor.
Why it's the right pick today: Given the ClawHub supply-chain incidents this week — five malicious skills including macOS infostealers — SkillScan is the most directly relevant tool an operator can add to their workflow right now. It's the difference between installing skills blindly and having a structured gate in place.
ClawHub stats: 391 installs, 78k downloads — smaller than the top tier skills, but meaningfully gaining traction as security awareness grows in the community.
Install: npx clawhub@latest install tokauthai/skillscan
Usage: Once installed, use it before any other ClawHub install: "Run SkillScan on [skill-name] before I install it." Your agent will audit the skill and report back before anything gets installed.
Caveat: SkillScan is itself a ClawHub skill, which means it carries the same supply-chain risk it's designed to detect. Vet it first — check the author's GitHub (github.com/tokauthai), review the SKILL.md source, and use an independent VirusTotal scan before installing. The meta-irony is intentional: it highlights why a defense-in-depth approach is necessary.
👥 Community Pulse: Cron Isolation, Context Budgets, and Replay Safety
The OpenClaw community issue tracker this week reads like a coherent operator concern list. Three themes are dominating the discussion:
Cron Isolation and Cost Control
Issue #97317 reports that isolated cron runs inherit the full toolbox plus full project context, making scheduled agent jobs unexpectedly expensive. Issue #97335 reports a cron fallback model path that works in a normal session but silently fails from within a cron context. Both issues point at the same gap: cron/scheduled agent runs need their own, explicitly bounded context and tool policy — not silent inheritance from the parent session.
For operators running daily cron jobs (news digests, email summaries, monitoring checks), these issues mean your scheduled agents may be burning significantly more tokens than expected. Until the fixes land, the practical mitigation is to explicitly set lightContext: true and toolsAllow restrictions on cron job payloads.
Context Budget Mismatches
Issue #97323 describes mismatched context budgets between a main channel and an embedded precheck. Issue #97331 reports dashboard child sessions inheriting stale parent context token budgets. Issue #97329 asks for configurable channel metadata injection to reduce per-turn token waste. The common thread: context budgets need to be explicitly scoped to the session or turn, not silently inherited from parent contexts that may have different constraints.
Replay Safety Remains a Live Risk
Issue #97324 flags incomplete tool-call turns with zero payloads as replay-unsafe — a turn that ended mid-execution without a payload could be re-executed in a way that causes unintended state changes. Issue #97320 reports stale Discord group backlog events arriving as fresh turns after a long delay. These are the same class of problem: old state masquerading as new user intent, which can cause agents to act on stale instructions with real consequences.
The cron isolation and replay safety issues are not cosmetic bugs — they're correctness failures for production operators. If a cron job inherits an unbounded toolbox, it can take actions the operator never intended in the scheduled context. If a stale backlog event replays as fresh user intent, an agent can act on outdated instructions with current-state consequences. Both need to be in the P1 queue, not the backlog.
🌐 Ecosystem: Boring Infrastructure Is Winning
The broader AI agent market is converging on something that the AI media doesn't cover well: boring reliability. MCP-style tool routing, explicit approval rails, prompt-cache economics, durable memory, mobile notification clarity, and channel-native controls are becoming the competitive differentiators — not model benchmarks or feature demos.
OpenClaw's position here is interesting. Its six-month acceleration from viral launch to enterprise adoption is unprecedented, but it's also created a maintenance burden that's pulling the core team toward stability work rather than feature development. The beta channel advancing to 2026.6.11-beta.1 suggests new feature work is still happening, but the mainline work is dominated by the kind of unglamorous correctness patches that production operators actually care about.
The NewStack piece on OpenClaw and Hermes noted that Microsoft's Build keynote effectively anointed OpenClaw as the reference runtime for the agentic AI shift — a platform endorsement that puts enormous expectations on the project's stability and security posture at exactly the moment when both are under the most scrutiny. That's a meaningful tension to watch as the summer release cycle continues.
For operators: v2026.6.10 is the right version to be on today. Don't upgrade to the 6.11 beta unless you have a specific reason to. Stay on stable, keep your skill installs minimal, run SkillScan, and run openclaw doctor regularly. The project is healthy — it's just navigating a hard moment.
Need help securing your OpenClaw deployment?
SEN-X provides enterprise OpenClaw consulting — architecture, security hardening, custom skill development, supply-chain audits, and ongoing support.
Contact SEN-X →