OpenClaw Upgrades Its AI Arsenal And Closes Security Gaps In Latest Release
In Brief
OpenClaw’s latest release, version 2026.3.22, brings significant upgrades across the board — introducing native Claude and GPT-5.4 support, overhauling plugin routing to prioritize its own marketplace, and closing several notable security vulnerabilities to better protect its users.
Open-source, self-hosted AI agent platform OpenClaw released its latest release, version 2026.3.22, bringing a wave of improvements across plugin management, AI integrations, and platform security.
This update adds the ClawHub plugin marketplace and expands model support to include MiniMax M2.7, GPT-5.4-mini/nano models, and per-agent reasoning capabilities. Additionally, the release incorporates integration with OpenShell and SSH sandbox environments, alongside connectivity to external search tools such as Exa, Tavily, and Firecrawl.
According to the GitHub document, one of the headline changes is a revamped plugin installation flow. When running openclaw plugins install, the system now prioritizes OpenClaw’s own marketplace — ClawHub — before falling back to npm. This means users get curated, verified packages by default, with npm still available as a safety net. Updating plugins has also been improved: developers can now target specific versions or distribution tags on npm-tracked installs without losing their recorded package specs.
OpenClaw is doubling down on AI integrations. The default OpenAI model has been upgraded to GPT-5.4, with Codex following suit. All OpenAI services — chat, image generation, text-to-speech, transcription, and embeddings — now draw from a single shared configuration module, making setup cleaner and more consistent.
Perhaps most notably, this release introduces a native Anthropic Claude provider via Google Vertex AI, complete with full GCP authentication and discovery. Teams already running on Google Cloud infrastructure can now access Claude models directly through OpenClaw without additional middleware.
Rounding out the AI news, this release adds support for discovering and installing Codex, Claude, and Cursor bundles, with their skills automatically mapped into the OpenClaw skill system.
New Update Enhances Security
Notably, this release addresses several meaningful security concerns. Proxy spoofing protection has been improved by ensuring that loopback hops in trusted forwarding chains are now ignored, while devices are restricted from requesting permissions beyond what their session allows. Admin scope lockdown has been strengthened so that proxy-authenticated sessions can no longer self-declare admin or secrets-level access without a verified device identity. In addition, malicious download protection has been enhanced by applying the same size limits and timeouts to error responses from remote media sources as those used for successful downloads, thereby closing a potential vector for unbounded memory attacks.
Users can now install directly from GitHub’s main branch via openclaw update –tag main, useful for teams tracking bleeding-edge builds. A fix has also landed for plugin callback routing, ensuring that interactive buttons — such as Telegram’s Codex picker — no longer accidentally fall through to general message handlers.
A beta build of v2026.3.22 is available on npm. macOS users should note that the desktop app remains on the previous stable release, with no new macOS binary attached to this beta.
Disclaimer
In line with the Trust Project guidelines, please note that the information provided on this page is not intended to be and should not be interpreted as legal, tax, investment, financial, or any other form of advice. It is important to only invest what you can afford to lose and to seek independent financial advice if you have any doubts. For further information, we suggest referring to the terms and conditions as well as the help and support pages provided by the issuer or advertiser. MetaversePost is committed to accurate, unbiased reporting, but market conditions are subject to change without notice.
About The Author
Alisa, a dedicated journalist at the MPost, specializes in cryptocurrency, zero-knowledge proofs, investments, and the expansive realm of Web3. With a keen eye for emerging trends and technologies, she delivers comprehensive coverage to inform and engage readers in the ever-evolving landscape of digital finance.
More articles
Alisa, a dedicated journalist at the MPost, specializes in cryptocurrency, zero-knowledge proofs, investments, and the expansive realm of Web3. With a keen eye for emerging trends and technologies, she delivers comprehensive coverage to inform and engage readers in the ever-evolving landscape of digital finance.
