OpenClaw shipped version 2026.2.23 — and this one is all about security. The release lands amid a wave of negative press coverage, making the timing as strategic as the features are substantive.

Security Hardening

The update addresses multiple attack vectors that have drawn scrutiny:

  • SSRF Policy: Defaults to "trusted-network" mode, requiring explicit configuration before the agent may reach private network addresses. Legacy users can migrate with openclaw doctor --fix.
  • Config Redaction: Sensitive dynamic keys (env.*, skills.env.*) are now redacted in config snapshots, preventing credential leakage during restore.
  • Obfuscated Command Detection: Commands that try to hide their intent now trigger explicit approval before execution.
  • ACP Client Permissions: Requires trusted tool IDs with scoped read approvals to block unauthorized file access.
  • Skills XSS Protection: Escapes user inputs in HTML output to prevent stored cross-site scripting.
  • OTEL Redaction: API keys are scrubbed from diagnostics before export.
  • Session Cleanup: New openclaw sessions cleanup command with disk-budget controls prevents storage overflows.
  • HSTS Support: Optional Strict-Transport-Security header for deployments that terminate HTTPS directly rather than behind a proxy.

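As an added illustration of what a "trusted-network" SSRF default has to get right, here is a small outbound-URL check in Python. It is not OpenClaw's code and does not describe its implementation: the EgressPolicy class, the mode names ("trusted-network" as the default, "unrestricted" standing in for the pre-release behaviour) and the allow_private option are assumptions made for this example, and the fake_dns table is constructed sample data so the example runs offline.

```python
"""Example SSRF egress policy: deny non-public destinations unless opted in.

Added example, not OpenClaw's code. Mode names, the allow_private option and
the fake DNS table below are assumptions/constructed data for illustration.
"""
import ipaddress
import socket
from dataclasses import dataclass, field
from typing import Callable, Iterable, List, Set, Tuple
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def _is_private(ip) -> bool:
    """True for any address an agent should not reach by default."""
    # Judge IPv4-mapped IPv6 (::ffff:10.0.0.1) by the embedded IPv4 address.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # Loopback, RFC 1918, link-local (including the 169.254.169.254 cloud
    # metadata endpoint), CGNAT, multicast, reserved and unspecified ranges
    # are all non-global in the ipaddress module's IANA-derived tables.
    return not ip.is_global


def _system_resolver(host: str) -> List[str]:
    """Resolve every A/AAAA record; the caller must check all of them."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


@dataclass
class EgressPolicy:
    # "trusted-network" is the default named in the release notes; the
    # "unrestricted" name for the legacy behaviour is an assumption.
    mode: str = "trusted-network"
    # CIDRs an operator has explicitly opted in to, e.g. {"10.20.0.0/16"}.
    allow_private: Set[str] = field(default_factory=set)
    resolver: Callable[[str], Iterable[str]] = _system_resolver

    def _allowlisted(self, ip) -> bool:
        return any(ip in ipaddress.ip_network(cidr, strict=False)
                   for cidr in self.allow_private)

    def check(self, url: str) -> Tuple[bool, str]:
        """Return (allowed, reason). Fails closed on anything unparseable."""
        parts = urlsplit(url)
        if parts.scheme not in ALLOWED_SCHEMES:
            return False, f"scheme {parts.scheme!r} not permitted"
        host = parts.hostname  # strips userinfo, port and IPv6 brackets
        if not host:
            return False, "no host in URL"
        if self.mode == "unrestricted":
            return True, "policy is unrestricted"
        try:
            targets = [ipaddress.ip_address(host)]
        except ValueError:
            # Not an IP literal (this also covers decimal/octal/hex tricks
            # such as 2130706433, which the resolver turns into 127.0.0.1).
            try:
                targets = [ipaddress.ip_address(a) for a in self.resolver(host)]
            except (socket.gaierror, ValueError) as exc:
                return False, f"resolution failed: {exc}"
        if not targets:
            return False, "host resolved to no addresses"
        # Deny if ANY resolved address is private and not allowlisted: a name
        # with one public and one private record must not slip through.
        for ip in targets:
            if _is_private(ip) and not self._allowlisted(ip):
                return False, f"{host} resolves to non-public {ip}"
        return True, "all resolved addresses are public or allowlisted"


# Constructed sample DNS data so the example runs without network access.
_FAKE_DNS = {
    "api.example.com": ["93.184.216.34"],
    "rebind.example.com": ["93.184.216.34", "10.0.0.5"],
    "intranet.corp": ["10.20.3.4"],
}


def fake_dns(host: str) -> List[str]:
    if host not in _FAKE_DNS:
        raise socket.gaierror(f"no such host: {host}")
    return _FAKE_DNS[host]


if __name__ == "__main__":
    policy = EgressPolicy(resolver=fake_dns)
    for url in ("https://api.example.com/v1",
                "http://169.254.169.254/latest/meta-data/",
                "http://[::ffff:10.0.0.1]/",
                "https://rebind.example.com/",
                "https://intranet.corp/"):
        print(url, policy.check(url))
```

Two caveats a practitioner will want even with a check like this in place: the address the policy approved must be the one actually connected to (pin it, or run the check inside the HTTP client's connection hook), since a second lookup at connect time can be rebound to something private; and every redirect hop must be re-checked, because a public host can 302 to the metadata endpoint.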
AI Enhancements

On the model side:

  • Kilo Gateway: First-class support with kilocode/anthropic/claude-opus-4.6 as the default, including auth, onboarding, and cache handling.
  • Vercel AI Gateway: Normalizes shorthand Claude references.
  • Moonshot "kimi": Added to tools/web_search with improved citation extraction.
  • Video Support: Native Moonshot video understanding.
  • Per-Agent Params: More granular control over agent behavior.

The Context

This release is OpenClaw's response to the security questions raised this week — the npm supply chain incident, the Meta researcher's inbox meltdown, and general concerns about prompt injection and credential exposure. Whether it quiets the critics remains to be seen, but the changelog is thorough.

The release also pushes OpenClaw past 215,000 GitHub stars — a number that underscores how many developers are now running autonomous agents locally.