OpenClaw: Security and Reliability Fixes

Transcript

Good morning, I'm your host with the OpenClaw developer briefing for May 24th, 2026.

Seven pull requests were merged overnight, focusing on security and stability improvements. Sebastien Tardif merged a critical security fix replacing regex wildcard matching with linear-time glob patterns in session visibility. The previous implementation was vulnerable to polynomial backtracking attacks when processing user-supplied wildcard patterns.

Luoyanglang fixed Telegram durable group retry targets, resolving an issue where legacy group identifiers caused Telegram to reject retries as non-numeric chat IDs. NianJiuZst addressed memory handling by stripping invalid thinking signatures for signed-thinking providers, preventing incomplete thinking blocks from causing API errors on recovery.

Scott Huang merged two improvements: aligning image description token limits to prevent truncated responses from reasoning-capable vision models, and fixing dashboard timeout error display to properly broadcast WebSocket error events when chat requests fail.

Ruben Cuevas resolved dev channel update issues by avoiding broad tag fetches that could conflict with existing local tags. Homer-byte fixed iMessage slash command acknowledgements by properly marking authorized commands with the correct source signal.

Additional commits focused on test infrastructure hardening and Windows compatibility improvements. Vincent Koc contributed several fixes for npm package staging and release verification on Windows systems. Peter Steinberger updated Docker configurations and plugin metadata handling.

What's next: The team continues focus on cross-platform reliability and security hardening. Testing infrastructure improvements should reduce CI flakiness going forward.

That's your OpenClaw briefing for today. Back tomorrow with more updates.