OpenClaw

OpenClaw: OAuth Refactoring and Security Updates

Twenty pull requests merged with significant OpenAI Codex OAuth centralization, agent runtime improvements, and security fixes across WhatsApp, QQBot, and memory systems. Additional commits addressed Windows installation hardening and cross-platform error handling.

Duration: 2 minutes 5 seconds

https://podlog.io/listen/openclaw-3004cc4e/episode/openclaw-oauth-refactoring-and-security-updates-a8d53a74

Transcript

Good morning. This is OpenClaw for Tuesday, May 28th, 2026.

RomneyDa merged a major OpenAI Codex OAuth refactor, centralizing the browser token flow and removing over 1,400 lines of duplicated code while preserving legacy compatibility. eleqtrizit addressed a security issue in QQBot by validating direct media upload URLs to prevent SSRF attacks on literal special-use hosts.

steipete fixed abandoned requester completion handoff in the agent system, preventing late subagent deliveries from interfering with abandoned sessions. The same author implemented performance improvements for skill prompt storage using content-addressed blobs, reducing disk usage for repeated prompts.

zeroaltitude resolved a critical bug where sessionKey wasn't being threaded into message_sending hooks, leaving plugins with undefined session contexts. joshavant preserved signed thinking payloads from Anthropic providers and fixed Claude live tool progress for watchdog recovery.

Several authentication and validation fixes landed: bladin added missing WhatsApp messageReceived hook configuration support, masatohoshino stripped control characters from WhatsApp document filenames to prevent header injection, and obviyus enabled Android LAN pairing over private cleartext hosts.

vincentkoc stabilized QA live transport lanes with proper fallback model configuration. pgondhi987 clarified directive persistence authorization policies, separating gateway admin scope requirements from external channel permissions.

Additional commits by vincentkoc addressed memory system error body bounds, Windows Git installation hardening, and security fixes for CodeQL alerts. Cross-platform fetch body handling was improved across release scripts and audit systems.

What's next: Build performance optimization based on new CI timing instrumentation, and continued agent runtime stability improvements.

That's OpenClaw for May 28th. We'll be back tomorrow.