OpenClaw LogoOpenClaw AI News
Releaseopenclawsecurity

openclaw 2026.1.29

8 min read

openclaw/openclaw released version v2026.1.29. This release includes breaking changes. Key updates: Rebrand: rename the npm package/CLI to `openclaw`, add a `openclaw` compatibility shim, and move extensions to the `@openclaw/*` scope.; Onboarding: strengthen security warning copy for beta + acce...

Status: stable.

Changes

  • Rebrand: rename the npm package/CLI to openclaw, add a openclaw compatibility shim, and move extensions to the @openclaw/* scope.
  • Onboarding: strengthen security warning copy for beta + access control expectations.
  • Onboarding: add Venice API key to non-interactive flow. (#1893) Thanks @jonisjongithub.
  • Config: auto-migrate legacy state/config paths and keep config resolution consistent across legacy filenames.
  • Gateway: warn on hook tokens via query params; document header auth preference. (#2200) Thanks @YuriNachos.
  • Gateway: add dangerous Control UI device auth bypass flag + audit warnings. (#2248)
  • Doctor: warn on gateway exposure without auth. (#2016) Thanks @Alex-Alaniz.
  • Web UI: keep sub-agent announce replies visible in WebChat. (#1977) Thanks @andrescardonas7.
  • Browser: route browser control via gateway/node; remove standalone browser control command and control URL config.
  • Browser: route browser.request via node proxies when available; honor proxy timeouts; derive browser ports from gateway.port.
  • Browser: fall back to URL matching for extension relay target resolution. (#1999) Thanks @jonit-dev.
  • Telegram: allow caption param for media sends. (#1888) Thanks @mguellsegarra.
  • Telegram: support plugin sendPayload channelData (media/buttons) and validate plugin commands. (#1917) Thanks @JoshuaLelon.
  • Telegram: avoid block replies when streaming is disabled. (#1885) Thanks @ivancasco.
  • Telegram: add optional silent send flag (disable notifications). (#2382) Thanks @Suksham-sharma.
  • Telegram: support editing sent messages via message(action="edit"). (#2394) Thanks @marcelomar21.
  • Telegram: support quote replies for message tool and inbound context. (#2900) Thanks @aduk059.
  • Telegram: add sticker receive/send with vision caching. (#2629) Thanks @longjos.
  • Telegram: send sticker pixels to vision models. (#2650)
  • Telegram: keep topic IDs in restart sentinel notifications. (#1807) Thanks @hsrvc.
  • Discord: add configurable privileged gateway intents for presences/members. (#2266) Thanks @kentaro.
  • Slack: clear ack reaction after streamed replies. (#2044) Thanks @fancyboi999.
  • Matrix: switch plugin SDK to @vector-im/matrix-bot-sdk.
  • Tlon: format thread reply IDs as @ud. (#1837) Thanks @wca4a.
  • Tools: add per-sender group tool policies and fix precedence. (#1757) Thanks @adam91holt.
  • Agents: summarize dropped messages during compaction safeguard pruning. (#2509) Thanks @jogi47.
  • Agents: expand cron tool description with full schema docs. (#1988) Thanks @tomascupr.
  • Agents: honor tools.exec.safeBins in exec allowlist checks. (#2281)
  • Memory Search: allow extra paths for memory indexing (ignores symlinks). (#3600) Thanks @kira-ariaki.
  • Skills: add multi-image input support to Nano Banana Pro skill. (#1958) Thanks @tyler6204.
  • Skills: add missing dependency metadata for GitHub, Notion, Slack, Discord. (#1995) Thanks @jackheuberger.
  • Commands: group /help and /commands output with Telegram paging. (#2504) Thanks @hougangdev.
  • Routing: add per-account DM session scope and document multi-account isolation. (#3095) Thanks @jarvis-sam.
  • Routing: precompile session key regexes. (#1697) Thanks @Ray0907.
  • CLI: use Node's module compile cache for faster startup. (#2808) Thanks @pi0.
  • Auth: show copyable Google auth URL after ASCII prompt. (#1787) Thanks @robbyczgw-cla.
  • TUI: avoid width overflow when rendering selection lists. (#1686) Thanks @mossein.
  • macOS: finish OpenClaw app rename for macOS sources, bundle identifiers, and shared kit paths. (#2844) Thanks @fal3.
  • Branding: update launchd labels, mobile bundle IDs, and logging subsystems to bot.molt (legacy com.clawdbot migrations). Thanks @thewilloftheshadow.
  • macOS: limit project-local node_modules/.bin PATH preference to debug builds (reduce PATH hijacking risk).
  • macOS: keep custom SSH usernames in remote target. (#2046) Thanks @algal.
  • macOS: avoid crash when rendering code blocks by bumping Textual to 0.3.1. (#2033) Thanks @garricn.
  • Update: ignore dist/control-ui for dirty checks and restore after ui builds. (#1976) Thanks @Glucksberg.
  • Build: bundle A2UI assets during build and stop tracking generated bundles. (#2455) Thanks @0oAstro.
  • CI: increase Node heap size for macOS checks. (#1890) Thanks @realZachi.
  • Config: apply config.env before ${VAR} substitution. (#1813) Thanks @spanishflu-est1918.
  • Gateway: prefer newest session metadata when combining stores. (#1823) Thanks @emanuelst.
  • Docs: tighten Fly private deployment steps. (#2289) Thanks @dguido.
  • Docs: add migration guide for moving to a new machine. (#2381)
  • Docs: add Northflank one-click deployment guide. (#2167) Thanks @AdeboyeDN.
  • Docs: add Vercel AI Gateway to providers sidebar. (#1901) Thanks @jerilynzheng.
  • Docs: add Render deployment guide. (#1975) Thanks @anurag.
  • Docs: add Claude Max API Proxy guide. (#1875) Thanks @atalovesyou.
  • Docs: add DigitalOcean deployment guide. (#1870) Thanks @0xJonHoldsCrypto.
  • Docs: add Oracle Cloud (OCI) platform guide + cross-links. (#2333) Thanks @hirefrank.
  • Docs: add Raspberry Pi install guide. (#1871) Thanks @0xJonHoldsCrypto.
  • Docs: add GCP Compute Engine deployment guide. (#1848) Thanks @hougangdev.
  • Docs: add LINE channel guide. Thanks @thewilloftheshadow.
  • Docs: credit both contributors for Control UI refresh. (#1852) Thanks @EnzeD.
  • Docs: keep docs header sticky so navbar stays visible while scrolling. (#2445) Thanks @chenyuan99.
  • Docs: update exe.dev install instructions. (#3047) Thanks @zackerthescar.

Breaking

  • BREAKING: Gateway auth mode "none" is removed; gateway now requires token/password (Tailscale Serve identity still allowed).

Fixes

  • Telegram: avoid silent empty replies by tracking normalization skips before fallback. (#3796)
  • Mentions: honor mentionPatterns even when explicit mentions are present. (#3303) Thanks @HirokiKobayashi-R.
  • Discord: restore username directory lookup in target resolution. (#3131) Thanks @bonald.
  • Agents: align MiniMax base URL test expectation with default provider config. (#3131) Thanks @bonald.
  • Agents: prevent retries on oversized image errors and surface size limits. (#2871) Thanks @Suksham-sharma.
  • Agents: inherit provider baseUrl/api for inline models. (#2740) Thanks @lploc94.
  • Memory Search: keep auto provider model defaults and only include remote when configured. (#2576) Thanks @papago2355.
  • Telegram: include AccountId in native command context for multi-agent routing. (#2942) Thanks @Chloe-VP.
  • Telegram: handle video note attachments in media extraction. (#2905) Thanks @mylukin.
  • TTS: read OPENAI_TTS_BASE_URL at runtime instead of module load to honor config.env. (#3341) Thanks @hclsys.
  • macOS: auto-scroll to bottom when sending a new message while scrolled up. (#2471) Thanks @kennyklee.
  • Web UI: auto-expand the chat compose textarea while typing (with sensible max height). (#2950) Thanks @shivamraut101.
  • Gateway: prevent crashes on transient network errors (fetch failures, timeouts, DNS). Added fatal error detection to only exit on truly critical errors. Fixes #2895, #2879, #2873. (#2980) Thanks @elliotsecops.
  • Agents: guard channel tool listActions to avoid plugin crashes. (#2859) Thanks @mbelinky.
  • Discord: stop resolveDiscordTarget from passing directory params into messaging target parsers. Fixes #3167. Thanks @thewilloftheshadow.
  • Discord: avoid resolving bare channel names to user DMs when a username matches. Thanks @thewilloftheshadow.
  • Discord: fix directory config type import for target resolution. Thanks @thewilloftheshadow.
  • Providers: update MiniMax API endpoint and compatibility mode. (#3064) Thanks @hlbbbbbbb.
  • Telegram: treat more network errors as recoverable in polling. (#3013) Thanks @ryancontent.
  • Discord: resolve usernames to user IDs for outbound messages. (#2649) Thanks @nonggialiang.
  • Providers: update Moonshot Kimi model references to kimi-k2.5. (#2762) Thanks @MarvinCui.
  • Gateway: suppress AbortError and transient network errors in unhandled rejections. (#2451) Thanks @Glucksberg.
  • TTS: keep /tts status replies on text-only commands and avoid duplicate block-stream audio. (#2451) Thanks @Glucksberg.
  • Security: pin npm overrides to keep tar@7.5.4 for install toolchains.
  • Security: properly test Windows ACL audit for config includes. (#2403) Thanks @dominicnunez.
  • CLI: recognize versioned Node executables when parsing argv. (#2490) Thanks @David-Marsh-Photo.
  • CLI: avoid prompting for gateway runtime under the spinner. (#2874)
  • BlueBubbles: coalesce inbound URL link preview messages. (#1981) Thanks @tyler6204.
  • Cron: allow payloads containing "heartbeat" in event filter. (#2219) Thanks @dwfinkelstein.
  • CLI: avoid loading config for global help/version while registering plugin commands. (#2212) Thanks @dial481.
  • Agents: include memory.md when bootstrapping memory context. (#2318) Thanks @czekaj.
  • Agents: release session locks on process termination and cover more signals. (#2483) Thanks @janeexai.
  • Agents: skip cooldowned providers during model failover. (#2143) Thanks @YiWang24.
  • Telegram: harden polling + retry behavior for transient network errors and Node 22 transport issues. (#2420) Thanks @techboss.
  • Telegram: ignore non-forum group message_thread_id while preserving DM thread sessions. (#2731) Thanks @dylanneve1.
  • Telegram: wrap reasoning italics per line to avoid raw underscores. (#2181) Thanks @YuriNachos.
  • Telegram: centralize API error logging for delivery and bot calls. (#2492) Thanks @altryne.
  • Voice Call: enforce Twilio webhook signature verification for ngrok URLs; disable ngrok free tier bypass by default.
  • Security: harden Tailscale Serve auth by validating identity via local tailscaled before trusting headers.
  • Media: fix text attachment MIME misclassification with CSV/TSV inference and UTF-16 detection; add XML attribute escaping for file output. (#3628) Thanks @frankekn.
  • Build: align memory-core peer dependency with lockfile.
  • Security: add mDNS discovery mode with minimal default to reduce information disclosure. (#1882) Thanks @orlyjamie.
  • Security: harden URL fetches with DNS pinning to reduce rebinding risk. Thanks Chris Zheng.
  • Web UI: improve WebChat image paste previews and allow image-only sends. (#1925) Thanks @smartprogrammer93.
  • Security: wrap external hook content by default with a per-hook opt-out. (#1827) Thanks @mertcicekci0.
  • Gateway: default auth now fail-closed (token/password required; Tailscale Serve identity remains allowed).
  • Gateway: treat loopback + non-local Host connections as remote unless trusted proxy headers are present.
  • Onboarding: remove unsupported gateway auth "off" choice from onboarding/configure flows and CLI flags.

Tags

#release#breaking-change#bug-fix#performance#ai#chatgpt#claude#breaking-change

Sources

Related Releases