OpenClaw v2026.3.22: ClawHub, 30+ Security Patches, and Major Performance Overhaul
OpenClaw's biggest release in months lands with 12 breaking changes, ClawHub replacing npm as the default plugin store, gateway cold starts dropping from minutes to seconds, and over 30 security hardening patches. Here is everything that changed.

TL;DR
ClawHub replaces npm as default plugin store. Gateway cold starts drop from minutes to seconds.
12 breaking changes including removal of legacy env names (CLAWDBOT_*, MOLTBOT_*), old state directory, Chrome extension relay.
30+ security hardening patches. Run 'openclaw doctor --fix' after upgrading to migrate configs.
Free, open-source AI assistant with 331K+ GitHub stars. Runs locally, connects to messaging apps, executes real tasks.
Nine days of silence. Then one of the largest OpenClaw releases to date.
Version v2026.3.22 dropped on March 23, 2026, carrying 12 breaking changes, ClawHub as the new default plugin store, gateway cold starts cut from minutes to seconds, and over 30 security hardening patches — including a Windows SMB credential leak that has now been blocked. If you run OpenClaw, this is the release to read before you upgrade.
Here is a complete breakdown of everything that changed.
What Is OpenClaw? (Quick Context)
For readers new to the project: OpenClaw is a free and open-source autonomous AI agent that can execute tasks via large language models, using messaging platforms as its main user interface. It runs on your machine, automates tasks across WhatsApp, Telegram, Discord, and 30+ platforms, and works with Claude, GPT, or local models. It currently has over 310,000 GitHub stars.
What makes OpenClaw distinct is its combination: MIT-licensed, open-source, local-first with memory and data stored as Markdown files on your disk, and community-extensible through a portable skill format.
The Headline: ClawHub Is Now the Default Plugin Store
The biggest structural change in this release is that ClawHub replaces npm as the default plugin and skill registry.
Previously, openclaw plugins install <package> went straight to npm. Now it hits ClawHub first, and only falls back to npm when ClawHub does not carry that package or version. For users, this is largely invisible. For plugin authors, it means ClawHub is now the primary distribution channel.
The new native flows — openclaw skills search, openclaw skills install, and openclaw skills update — are all ClawHub-backed, with tracked update metadata built in. Gateway skill installs and updates through the dashboard also use ClawHub by default.
Documentation: docs.openclaw.ai/tools/clawhub
Breaking Changes: What You Must Fix Before Upgrading
This release has 12 breaking changes. Most are cleanups from the Clawdbot/Moltbot era. Here is what affects you.
Legacy environment variables removed
CLAWDBOT_* and MOLTBOT_* environment variable names are gone with no compatibility shim. Replace every instance with the matching OPENCLAW_* name across your configs, scripts, and .env files before upgrading.
Old state directory removed
The .moltbot state directory and moltbot.json auto-detection are no longer supported. If your state lives under ~/.moltbot, move it to ~/.openclaw before upgrading. You can also set OPENCLAW_STATE_DIR or OPENCLAW_CONFIG_PATH explicitly if you need a custom path.
Chrome extension relay removed
The legacy Chrome extension relay path is gone — including bundled extension assets, driver: "extension", and browser.relayBindHost. Run openclaw doctor --fix after upgrading and it will migrate your browser config automatically to existing-session or user mode. Docker, headless, sandbox, and remote browser flows using raw CDP are unaffected.
Plugin SDK breaking change
openclaw/extension-api is removed with no compatibility shim. Plugin authors must migrate to the new openclaw/plugin-sdk/* subpaths. The full migration guide is at docs.openclaw.ai/plugins/sdk-migration.
Bundled plugins now use injected runtime for host-side operations (for example, api.runtime.agent.runEmbeddedPiAgent).
Image generation tool standardized
The old nano-banana-pro skill wrapper is removed. Use agents.defaults.imageGenerationModel.primary: "google/gemini-3-pro-image-preview" for the native path, or install a third-party skill explicitly.
Matrix plugin rebuilt
The Matrix plugin is now backed by the official matrix-js-sdk. If you are upgrading from the previous Matrix plugin, follow the migration guide at docs.openclaw.ai/install/migrating-matrix.
Discord slash commands
Native Discord command deployment now uses Carbon reconcile by default, which stops Discord restarts from churning slash commands through OpenClaw's local deploy path.
Build-tool JVM injection blocked
MAVEN_OPTS, SBT_OPTS, GRADLE_OPTS, and ANT_OPTS are now blocked from the host exec environment as a security hardening measure. GRADLE_USER_HOME is restricted as an override-only block so user-configured Gradle homes still propagate.
Major New Features
`/btw` — Side Questions Without Losing Context
A small command with a big quality-of-life impact. /btw lets you ask a quick tool-less question about the current session without changing future session context. The answer appears as a dismissible in-session TUI reply and shows up explicitly on external channels. Useful for asking "what did we just decide?" without derailing the active conversation thread.
Pluggable Sandbox Backends + OpenShell
The sandbox system is now extensible. This release ships an OpenShell backend with two workspace modes: mirror (replicates your local environment) and remote (executes in a remote workspace). A new SSH sandbox backend also lands with secret-backed key, certificate, and known_hosts inputs.
This is the same OpenShell that NVIDIA is building on top of for NemoClaw, their policy-based safety layer for OpenClaw deployments.
Anthropic Claude on Google Vertex AI
Core anthropic-vertex provider support is now built in. Teams running inside Google Cloud infrastructure can route Claude traffic through Vertex AI, including full GCP auth and discovery, without any third-party plugins.
New Bundled Web Search Providers
Three web search providers are now bundled directly into OpenClaw:
- Exa — with native date filters, search-mode selection, and optional content extraction under `plugins.entries.exa.config.webSearch.*`
- Tavily — with dedicated `tavily_search` and `tavily_extract` tools
- Firecrawl — with explicit `firecrawl_search` and `firecrawl_scrape` tools
All three are configured under plugins.entries.<provider>.config.webSearch.*.
New and Updated Models
The model catalog saw significant updates across every major provider:
- OpenAI: GPT-5.4 is now the default model (replacing GPT-5.2). Forward-compat support added for `gpt-5.4-mini` and `gpt-5.4-nano`.
- MiniMax: M2.7 and M2.7-highspeed added. M2.5 and M2.7 API and OAuth plugins merged into a single `minimax` plugin.
- Z.AI / GLM: GLM 4.5, 4.6, and glm-5-turbo added to the catalog.
- xAI Grok: Catalog synced to current PI-backed IDs. Grok 4.20 beta entries renamed to GA IDs.
- Xiaomi: MiMo V2 Pro and V2 Omni added, endpoint switched to `/v1`.
- GitHub Copilot: Dynamic model IDs now forward-compatible without code updates.
Claude Marketplace Registry
Plugin installs now support plugin@marketplace syntax, with marketplace listing and update support. Docker end-to-end coverage for local and official marketplace flows is included.
Android: System-Aware Dark Theme, Call Log & SMS Search
Android gets three notable additions. The app now follows the system dark/light theme through onboarding and all post-onboarding screens. Two new gateway-backed node capabilities land: callLog.search (search recent call history) and sms.search (search device text messages), both with proper permission wiring.
Talk speech synthesis also moves behind the gateway — secrets stay on the server, and playback switches to final-response audio instead of device-local ElevenLabs streaming.
Control UI Improvements
The dashboard gains an expand-to-canvas button on assistant chat bubbles, a Roundness slider in Appearance settings to adjust corner radius from sharp to fully rounded, and improved usage view styling with better localization and responsive layout.
Feishu Gets ACP and Streaming Reasoning
Feishu users get a significant update: full ACP (agent context protocol) and subagent session binding for DMs and topic conversations, structured interactive approval cards, and streaming reasoning support via onReasoningStream and onReasoningEnd. Reasoning tokens now render as markdown blockquotes inline in the same card, matching the behavior Telegram users already had.
Performance: Gateway Cold Starts Drop from Minutes to Seconds
One of the most impactful improvements in this release is startup performance. The key fix: bundled channel plugins now load from compiled dist/extensions entries in built installs instead of recompiling TypeScript on every startup.
The result: WhatsApp-class cold starts drop from minutes to seconds. Additional lazy-loading improvements across the CLI, configure, Discord startup, and inbound reply paths mean ordinary message handling no longer pays full provider discovery and model catalog loading costs on every turn.
Other performance work:
- Model catalog is now cached by config and auth-file state, eliminating repeated startup work per embedded runner turn
- `openclaw configure` no longer stalls after the banner while eagerly loading channel plugins
- Telegram message handling no longer rebuilds the full model catalog on ordinary inbound replies
Security: 30+ Patches, Including a Windows SMB Credential Leak
This release carries the heaviest security hardening of any OpenClaw version. Several of these are significant:
Windows SMB credential leak blocked. Remote-host file:// media URLs and UNC/network paths are now blocked before local filesystem resolution. Previously, structured local-media inputs could trigger outbound SMB credential handshakes on Windows. This is fixed.
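A sketch of the kind of pre-resolution check this fix describes, written for this article as an added example and not taken from the OpenClaw code base. The function name `checkLocalMediaRef`, the reason strings and the sample inputs are hypothetical.

```javascript
// Added illustration, not OpenClaw source. checkLocalMediaRef is a hypothetical name.
// It runs on the raw string before any fs call, so Windows never starts an
// SMB session (and NTLM handshake) with a host named in the input.
const DOUBLE_SEP = /^[\\/]{2}/; // \\server\share, //server/share, \\?\UNC\...

function checkLocalMediaRef(ref) {
  const s = String(ref).trim();

  // Conservative: every leading double separator is refused, which also
  // refuses \\?\C:\... device paths (fail closed).
  if (DOUBLE_SEP.test(s)) return { allowed: false, reason: "unc-path" };

  if (!/^file:/i.test(s)) return { allowed: true, reason: "local-path" };

  let url;
  let path;
  try {
    url = new URL(s);
    path = decodeURIComponent(url.pathname);
  } catch {
    return { allowed: false, reason: "unparseable-file-url" };
  }
  // The WHATWG parser turns file://localhost/ into an empty host, so any
  // hostname left here names another machine.
  if (url.hostname !== "") return { allowed: false, reason: "remote-file-host" };

  // file:////server/share has an empty host but a pathname starting with
  // "//", which Windows resolves as UNC again.
  if (DOUBLE_SEP.test(path)) return { allowed: false, reason: "unc-path" };

  return { allowed: true, reason: "local-file-url" };
}

// Constructed sample inputs.
const SAMPLE_REFS = [
  "./media/cat.png",
  "file:///C:/Users/me/cat.png",
  "file://localhost/tmp/cat.png",
  "file://fileserver.example/share/cat.png",
  "file:////fileserver.example/share/cat.png",
  "\\\\fileserver.example\\share\\cat.png",
];
for (const ref of SAMPLE_REFS) {
  console.log(checkLocalMediaRef(ref).reason.padEnd(18), ref);
}
```

The check has to run on the string itself: by the time a path API has been asked whether the file exists, the outbound connection has already been attempted.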
DNS-SD discovery fails closed. Unresolved Bonjour and DNS-SD service endpoints in CLI discovery now fail closed, so TXT-only hints can no longer steer routing or SSH auto-target selection.
iOS pairing codes hardened. Setup codes are now bound to the intended node profile. First-use bootstrap redemption that asks for broader roles or scopes is rejected.
jq env blocks host secrets dump. jq has been removed from the default safe-bin allowlist. When operators explicitly re-add it, the jq -n env builtin is blocked so it cannot dump host environment secrets.
Hangul filler in approval prompts blocked. Blank Unicode padding characters can visually hide command text in approval prompts. This is now caught and escaped across gateway/chat and the macOS native approval UI.
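An added example, not OpenClaw's own code, of escaping blank code points before a command is shown for approval. The names `INVISIBLE_RE` and `renderForApproval` are hypothetical, and the character set beyond the Hangul fillers is an assumption that generalizes the case named above.

```javascript
// Added illustration, not OpenClaw source. Names and the exact character set
// are assumptions; the page names only Hangul filler.
const INVISIBLE_RE = new RegExp(
  "[\\u115F\\u1160\\u3164\\uFFA0" + // Hangul choseong/jungseong/plain/halfwidth fillers
    "\\u00A0\\u2000-\\u200A\\u3000" + // no-break and wide spaces
    "\\u200B-\\u200F\\u2060\\uFEFF" + // zero-width characters, LRM/RLM, BOM
    "\\u202A-\\u202E\\u2066-\\u2069" + // bidi embedding, override, isolate
    "\\u2800]", // braille pattern blank
  "g"
);

// Return the text to show the approver, with every invisible code point
// replaced by a visible \u{XXXX} escape, plus a count for policy decisions.
function renderForApproval(command) {
  let escaped = 0;
  const text = String(command).replace(INVISIBLE_RE, (ch) => {
    escaped += 1;
    const hex = ch.codePointAt(0).toString(16).toUpperCase().padStart(4, "0");
    return "\\u{" + hex + "}";
  });
  return { text, escaped };
}

// Constructed sample: a short visible head, 60 fillers, then the real tail.
const SAMPLE_COMMAND =
  "echo done" + "\u3164".repeat(60) + "; touch /tmp/constructed-marker";
const shown = renderForApproval(SAMPLE_COMMAND);
console.log(shown.escaped, shown.text.slice(0, 40) + " ...");
```

A non-zero `escaped` count is also a useful signal on its own, since legitimate shell commands rarely contain these code points.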
Voice call webhook hardening. Pre-auth body budget dropped to 64 KB / 5s. Concurrent pre-auth requests are now capped per source IP. Previously, unauthenticated callers could force the old 1 MB / 30s buffering path.
Nostr DM security. Inbound DM policy is now enforced before decryption, with pre-crypto rate and size guards.
Build-tool JVM injection blocked. MAVEN_OPTS, SBT_OPTS, GRADLE_OPTS, and ANT_OPTS are blocked from the host exec environment.
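An added example of how an exec environment can be assembled under this rule and under the GRADLE_USER_HOME exception described in the breaking-changes section. It is not OpenClaw's code: `buildExecEnv`, the host-then-overrides merge order and the reading of "override-only" as "refused only when supplied per request" are assumptions.

```javascript
// Added illustration, not OpenClaw source. Names and merge order are assumptions.
// These variables let whoever sets them pass arbitrary JVM options to any
// Maven, sbt, Gradle or Ant process started by the agent.
const BLOCKED_ALWAYS = new Set(["MAVEN_OPTS", "SBT_OPTS", "GRADLE_OPTS", "ANT_OPTS"]);
// Refused only as a per-request override; a value inherited from the
// operator's own environment still propagates.
const BLOCKED_AS_OVERRIDE = new Set(["GRADLE_USER_HOME"]);

function buildExecEnv(hostEnv, overrides) {
  const env = {};
  const dropped = [];
  for (const [name, value] of Object.entries(hostEnv)) {
    // Upper-case before matching: Windows treats variable names case-insensitively.
    if (BLOCKED_ALWAYS.has(name.toUpperCase())) dropped.push("host:" + name);
    else env[name] = value;
  }
  for (const [name, value] of Object.entries(overrides)) {
    const key = name.toUpperCase();
    if (BLOCKED_ALWAYS.has(key) || BLOCKED_AS_OVERRIDE.has(key)) {
      dropped.push("override:" + name);
    } else {
      env[name] = value;
    }
  }
  return { env, dropped };
}

// Constructed sample: operator environment plus a per-request override set.
const SAMPLE_HOST_ENV = {
  PATH: "/usr/bin",
  MAVEN_OPTS: "-Xmx1g",
  GRADLE_USER_HOME: "/home/operator/.gradle",
};
const SAMPLE_OVERRIDES = {
  GRADLE_USER_HOME: "/tmp/untrusted",
  GRADLE_OPTS: "-Dexample=1",
  LANG: "C",
};
console.log(buildExecEnv(SAMPLE_HOST_ENV, SAMPLE_OVERRIDES));
```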
Additional patches cover proxy SSRF pinning, Synology Chat user_id binding, remote CDP SSRF policy, media error-body unbounded buffering, exec approval Unicode spoofing, device pairing token rotation, and more.
Notable Fixes
A few fixes worth calling out specifically:
- Agent default timeout raised from 600s to 48h. Long-running ACP and agent sessions were failing after 10 minutes. The new default gives them up to 48 hours unless you configure a shorter limit explicitly.
- Gateway Bonjour crash on WiFi/VPN/sleep-wake fixed. The non-fatal `@homebridge/ciao` IPv4-loss assertion during interface churn no longer takes down the gateway.
- WhatsApp-class cold starts fixed (see performance section above).
- macOS launch at login no longer relaunches after manual quit. The `KeepAlive` entry for the desktop app launch agent has been removed.
- Memory tools now register independently. Previously, if one memory tool was unavailable, it suppressed the other. `memory_search` and `memory_get` now register independently.
- OpenAI-compatible tool calls deduplicated. Repeated tool call IDs across live assistant messages and replayed history were causing HTTP 400 errors from OpenAI-compatible backends. Fixed.
- Blank extra tab on browser launch removed. Managed browser startup no longer opens an unwanted empty page.
How to Upgrade
npm install -g openclaw@latest
# or
pnpm add -g openclaw@latest
After upgrading, run the doctor to auto-migrate browser config and catch any remaining issues:
openclaw doctor --fix
Before you upgrade, check:
- Rename any `CLAWDBOT_*` or `MOLTBOT_*` env vars to `OPENCLAW_*`
- Move state from `~/.moltbot` to `~/.openclaw` if applicable
- If you have custom plugins using `openclaw/extension-api`, migrate to `openclaw/plugin-sdk/*`
- If you use the Chrome extension relay (`driver: "extension"`), `openclaw doctor --fix` handles the migration automatically
Full migration documentation: docs.openclaw.ai/install/migrating
Sources
- OpenClaw v2026.3.22 release notes — Full changelog on GitHub
- OpenClaw official website — Project homepage
- OpenClaw documentation — Full docs and migration guides
- Wikipedia: OpenClaw — Project history and background
- NVIDIA NemoClaw — NVIDIA's OpenShell-backed safety layer for OpenClaw
Published: March 24, 2026. Based on the official v2026.3.22 release notes. Always verify breaking changes against the official documentation before upgrading production deployments.
Frequently Asked Questions
What is OpenClaw?
OpenClaw is a free, open-source AI assistant that runs on your own machine. It connects AI models like Claude, GPT-5.4, or local Ollama models to the messaging apps you already use — WhatsApp, Telegram, Discord, Signal, iMessage — and can execute real tasks: managing files, controlling browsers, running shell commands, and automating workflows. It has over 331,000 GitHub stars and was created by Peter Steinberger.
What is ClawHub and how is it different from npm?
ClawHub is OpenClaw's native plugin registry, introduced as the new default source for plugin and skill installation in v2026.3.22. When you run `openclaw plugins install <package>`, OpenClaw now checks ClawHub first and only falls back to npm if the package is not found there. ClawHub tracks update metadata natively and integrates more cleanly with OpenClaw's gateway skill management.
Is the v2026.3.22 update safe to install?
Yes, but read the breaking changes first. The release removes legacy env names (CLAWDBOT_* and MOLTBOT_*), the old .moltbot state directory, the Chrome extension relay path, and the `openclaw/extension-api` SDK. Run `openclaw doctor --fix` after upgrading to migrate browser config automatically. Plugin authors must migrate to the new `openclaw/plugin-sdk/*` surface.
How do I migrate from the old Chrome extension relay?
Run `openclaw doctor --fix` after upgrading. This command automatically migrates host-local browser config from the removed `driver: "extension"` path to `existing-session` or `user` mode. Docker, headless, sandbox, and remote browser flows are unaffected.
What happened to the CLAWDBOT and MOLTBOT environment variables?
They have been removed in v2026.3.22 with no compatibility shim. You must rename all `CLAWDBOT_*` and `MOLTBOT_*` environment variables to their `OPENCLAW_*` equivalents. Similarly, the legacy `.moltbot` state directory no longer auto-detects — move your state to `~/.openclaw` or set `OPENCLAW_STATE_DIR` explicitly.
Does OpenClaw support Claude on Google Vertex AI?
Yes, as of v2026.3.22. The new `anthropic-vertex` provider adds core support for running Claude models via Google Vertex AI, including full GCP auth and discovery. This is useful for teams that need to keep AI traffic inside Google Cloud infrastructure.
What new AI models does v2026.3.22 add?
The release adds GPT-5.4 as the new default OpenAI model (replacing GPT-5.2), forward-compat support for gpt-5.4-mini and gpt-5.4-nano, MiniMax M2.7 and M2.7-highspeed, GLM 4.5 and 4.6 families, updated Grok catalog with GA IDs, and Xiaomi MiMo V2 Pro and V2 Omni.


