OpenClaw: Security Hardening and UI Improvements

Transcript

Good morning, this is your OpenClaw development briefing for May 15th, 2026.

The team merged 20 pull requests with significant security and functionality improvements. BunsDev contributed multiple enhancements, including per-agent bootstrap profiles that allow custom context injection settings for individual agents, and hardened macOS screen snapshot validation with proper bounds checking against malformed parameters.

Kaspre delivered a critical security fix, implementing origin-scoped SSRF trust for custom provider base URLs. This prevents compromised models from probing internal networks while still allowing legitimate custom provider configurations for local development.

Lellansin fixed OpenAI-compatible chat completions to properly forward response format parameters through the streaming pipeline, ensuring structured output preferences reach upstream providers correctly.

The UI received attention from BunsDev, who aligned chat header controls to a consistent 44-pixel rhythm and replaced the auto-scroll select with an icon toggle for better mobile compatibility.

Steipete made substantial changes to media delivery, converting generated image, music, and video outputs from legacy text format to structured attachments. This improves consistency across the platform and enables better telemetry tracking.

Several AI-assisted security improvements from pgondhi987 included canonical platform ID validation for node commands, canvas snapshot format validation, and constraints on provider catalog entry paths to prevent directory traversal.

Additional commits addressed Discord voice message transcoding, Codex recovery window optimization, and various authentication improvements.

What's next: The team continues work on enhanced agent profiles and improved security validation across all platform integrations.

That's your OpenClaw briefing. Back tomorrow with more updates.