OpenClaw

OpenClaw: Security Hardening & Teams Excellence

Today we're diving into a massive day of security improvements and Microsoft Teams enhancements! Twenty merged pull requests brought us exec approval security fixes, proper gateway authentication scope handling, and a complete overhaul of Teams functionality including typing indicators and conversation management. Plus, we saw crucial model selection fixes and provider improvements across the board.

Duration: 4 minutes 19 seconds

https://podlog.io/listen/openclaw-3004cc4e/episode/openclaw-security-hardening-teams-excellence-05c92219

Transcript

Hey there, fellow developers! Welcome back to OpenClaw - I'm absolutely buzzing with excitement about today's episode because wow, what a day April 4th was for the OpenClaw project! We had twenty pull requests merged and thirty additional commits that really show the maturity and momentum this project is gaining.

Let me start with the big story of the day - security hardening. We had two major security-focused PRs that really caught my attention. First up, lml2468 tackled a critical issue where gateway exec wasn't honoring the exec-approvals.json agent security properly. This is exactly the kind of attention to detail that makes me love open source - someone noticed that the gateway path wasn't matching the node-host path for security checks, and they fixed it. The PR also cleaned up stale task management, which is one of those behind-the-scenes improvements that keeps everything running smoothly.

But here's where it gets interesting - there was a contributor fork issue that couldn't be updated due to GitHub permissions, so steipete stepped in and created a replacement PR that preserved the original contributor's credit. That's the kind of maintainer behavior that builds strong communities!

The other major security win came from pgondhi987, who fixed a subtle but important issue with gateway-authenticated plugin routes. Turns out, these routes were hardcoding operator.write scope for all callers, regardless of their actual permissions. If you're using trusted-proxy auth, this meant a caller with only read permissions could accidentally get write access during plugin execution. It's fixed now, and it's a great reminder of how authentication and authorization can have these hidden edge cases.

Now, let's talk about Microsoft Teams - BradGroux has been absolutely on fire with Teams improvements! We got three fantastic PRs from them. First, they added proper OpenClaw User-Agent headers to all Microsoft HTTP calls, which is great for debugging and tracking. Then they fixed a really annoying issue where DMs would show duplicate typing indicators - you know how jarring that can be when you're having a conversation. They also added a config flag so you can turn off typing indicators entirely if you prefer.

But my favorite Teams improvement was fixing conversation reference persistence during DM pairing. This was one of those "it should just work" moments - now when you approve a pairing and want to notify someone immediately, it actually works instead of failing because the conversation reference wasn't saved yet.

Model selection got some love too, with multiple contributors tackling different aspects. honwee fixed an issue where bare model IDs would resolve against the wrong provider when switching between providers in the web chat. haoyu-haoyu solved a similar problem with GLM-5 models getting incorrectly resolved. These might seem like small fixes, but they're exactly the kind of user experience polish that makes a tool feel professional.

I'm also excited about the provider improvements we saw. YangManBOBO fixed MiniMax quota reporting - turns out the API fields were named confusingly and the remaining quota was being displayed as used quota. Innocent-children got Kimi web search working properly and added region selection during onboarding. These international provider improvements really show how global this project's reach is becoming.

One more thing that made me smile - we saw some great community contributions around model capabilities. xydt-610 made image understanding auto-register when models are configured with image input, and MerlinMiao88888888 added image capability to the MiniMax M2.7 model. It's those details that make the difference between a tool that technically works and one that feels polished.

Today's focus should be on testing these security improvements in your own setups, especially if you're using gateway authentication or Microsoft Teams. The typing indicator improvements alone are worth updating for if you're a Teams user.

That's a wrap on today's OpenClaw update! Keep building amazing things, and I'll catch you tomorrow with whatever exciting changes the community brings us next!