OpenClaw 2026.5.26 Makes the Agent Gateway Faster, Safer, and Easier to Inspect
By AgentRiot Editorial
OpenClaw’s v2026.5.26 release is a production-focused May rollup: faster Gateway and reply paths, first-class transcript handling, better voice/Talk runtime state, safer content boundaries, steadier Codex/provider behavior, stronger channel reliability, and clearer observability for operators.

OpenClaw 2026.5.26 makes the agent runtime feel less like a pile of connected features and more like production plumbing. The May 27 release does not center on one flashy add-on. It tightens the paths that matter when an assistant is answering through chat apps, voice sessions, local tools, Codex, and scheduled work at the same time.
The headline is latency and reliability. OpenClaw says the Gateway now avoids repeated scans across plugins, channels, sessions, usage-cost metadata, warnings, scheduled services, and filesystem paths. Reply delivery was split so user-facing sends are no longer held up by slower follow-up work. Runtime and session caches also churn less under load.
That matches our experience with the newest OpenClaw build. In AgentRiot/BurmDesk use, response times and general responsiveness have improved sharply, and Gateway restarts now come back faster. This is the rare release-note claim that is immediately obvious in day-to-day operation rather than buried in benchmark output.
That matters because OpenClaw is not only a command-line agent. It is a gateway for assistants that live across Telegram, Discord, iMessage, WhatsApp, Signal, WebChat, mobile Talk mode, local shells, and provider runtimes. In that setup, the painful bugs are rarely dramatic. They are delayed replies, stale context, missing media, dropped voice state, confusing approval prompts, and provider-specific dead ends.
Transcripts become a first-class system
The most important structural change is transcript handling. OpenClaw added core transcript capture and source-provider support for transcript-backed meeting summaries. The release also folds cleaned user turns, source-provider chunks, media provenance, Codex mirrors, WebChat replies, CLI/TUI replay, and meeting summary inputs into a more consistent transcript path.
That is not just record keeping. A multi-channel agent needs one reliable account of what happened. If a user speaks in Discord voice, follows up in WebChat, sends media through a chat app, and then resumes a Codex-backed task, transcript drift can break the thread even when every individual integration appears healthy.
The release notes describe several fixes in this area: CLI, WebChat, media, follow-up, hook, and Codex-mirror user turns now persist to the admitted session target; replay paths were made more idempotent; and duplicate transcript tool metadata was kept from reappearing. For operators, the practical result should be fewer “the agent forgot what just happened” failures.
Voice and Talk get easier to inspect
OpenClaw’s voice work also moved from isolated feature fixes toward shared runtime pieces. The release exposes shared realtime turn-context tracking through the voice SDK, reuses output activity tracking for Discord playback and barge-in decisions, and shares activation-name matching and consult-transcript screening across Discord, browser voice, Gateway Talk, Voice Call, and meeting paths.
In plain terms: the agent should have a better idea of who is speaking, when it recently spoke, when a user is interrupting, and when a wake-name variant should count. The notes specifically call out broader fuzzy wake-name handling for phrases such as “Open Club” while still keeping ambient speech gated.
The Web UI and Discord voice paths can now inspect, steer, cancel, or follow up on realtime Talk runs. That is the right direction. Voice agents fail in messy ways, and operators need live state, not just a transcript after the fact.
Channels get less fragile
Channel reliability is a major part of 2026.5.26. Telegram keeps typing and progress context, preserves inbound text entities, handles forum topic names more carefully, and treats targeted bot-command mentions as explicit mentions when requireMention is enabled. iMessage can read local Messages attachment roots, dedupe duplicate local Messages sources, seed DM history, and fix image or group media attachment commands. WhatsApp restores ack identity and group/media behavior. Discord improves voice playback, wake replies, model picking, media captions, proxy routing, and numeric channel sends.
The release also adds reaction-based approval flows for Signal, iMessage, and WhatsApp. That is a small interface change with a real operational benefit: mobile users can approve with native reactions instead of typing command text.
The pattern is clear. OpenClaw is smoothing the edges where channel adapters meet the agent runtime. For an always-on assistant, that is more valuable than adding another chat app to a checklist.
Security boundaries tighten around content and tools
The security work in this release is practical and specific. Browser snapshot reads now validate tab URLs against SSRF policy before ChromeMCP or direct CDP reads. System-event text is sanitized so untrusted plugin or channel labels cannot spoof nested prompt markers. Fetched file text and metadata are wrapped as external content. ClickClack sender allowlists run before agent dispatch. Invalidated device-token clients are rejected during rotation. Staged sandbox media refs are required. Serialized tool-call text is scrubbed from replies.
OpenClaw also rejects prompt-like text submitted through the explicit memory_store tool before embedding or storage. That matches the existing prompt-injection filter for auto-capture paths and closes a direct route where hostile text could otherwise be stored as memory.
Gateway auth gets a default rate limiter for remote non-browser and HTTP failures when no custom rate limit is configured, while keeping loopback exempt. The release also avoids printing Gateway tokens in Docker, validates plugin model-pattern regexes with a safe compiler, escapes transcript metadata field names, hardens session allowlist glob matching, audits Claude permission overrides under YOLO mode, and requires explicit allow for ACP auto approvals.
None of that is glamorous. It is the kind of boundary work agent systems need once they start reading files, browser snapshots, plugin labels, transcripts, and channel events as possible context.
Codex gets steadier
OpenClaw 2026.5.26 updates the bundled Codex CLI to 0.134.0. It keeps native Codex compaction disabled for budget-triggered app-server turns so OpenClaw owns the recovery boundary. It also improves resumed app-server thread projection, keeps turn timeouts inside the Codex runtime boundary, preserves native web-search metadata, bridges CLI API-key auth into the app server, recovers context-window prompt errors through overflow compaction, and lets Codex app-server runs bootstrap from CODEX_API_KEY or OPENAI_API_KEY when no Codex auth profile is configured.
Provider recovery improves, with a Kimi caveat
Provider handling is broader than Codex. The release adds named model login profiles and credential migration support for Hermes, OpenCode, and Codex auth profiles. OpenAI sampling parameters now flow through the Gateway. xAI usage-limit errors are preserved locally. Ollama top_p normalization is fixed. Unsupported dynamic tool schemas are quarantined instead of poisoning the run.
For users, this should mean fewer cases where a model/provider failure leaks through as an unrelated fallback error or turns into a confusing dead end.
There is still a caution for Kimi users. In our testing, OpenClaw’s newest release is dramatically faster overall, but Kimi-backed runs can still hit tool-call replay failures. The failure we have seen is explicit: “LLM request rejected: an assistant message with 'tool_calls' must be followed by tool messages responding to each 'tool_call_id'. The following tool_call_ids did not have response messages: exec:2, web_fetch:3.”
That error means the provider is seeing an assistant tool-call turn in history without the matching tool-result messages. It fits a known class of OpenClaw/Kimi and OpenAI-compatible replay issues tracked on GitHub. One closed issue, #62319, documented Kimi tool-call ID handling problems and a workaround that preserved native functions.<tool>:<index> IDs instead of applying strict alphanumeric sanitization. A newer open PR, #87596, targets another Kimi/Moonshot replay edge case by preserving the first native Kimi tool-call ID while rewriting later duplicates. The practical advice for now: if Kimi is your primary model and agentic tool use starts failing after several turns, check the OpenClaw GitHub issues before assuming your tools or credentials are broken.
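The pairing rule behind that error can be checked offline against a saved message history. This added example (not OpenClaw code, and not taken from the linked issue or PR) walks an OpenAI-compatible history and lists tool calls with no result and tool results with no call; the function names, the strictAlnum sanitizer and all three histories are constructed assumptions.

```javascript
// Added example, not OpenClaw code. Message shapes follow the OpenAI-compatible
// chat format; histories and helper names are constructed for illustration.

// Report tool calls without a result, and tool results that answer no call.
function auditToolCallPairs(messages) {
  const unanswered = [];
  const orphaned = [];
  let pending = new Set(); // ids issued by the most recent assistant turn
  for (const msg of messages) {
    if (msg.role === "tool") {
      if (!pending.delete(msg.tool_call_id)) orphaned.push(msg.tool_call_id);
      continue;
    }
    // Any non-tool message closes the window for answering earlier calls.
    unanswered.push(...pending);
    pending = new Set();
    if (msg.role === "assistant" && Array.isArray(msg.tool_calls)) {
      for (const call of msg.tool_calls) pending.add(call.id);
    }
  }
  unanswered.push(...pending);
  return { unanswered, orphaned };
}

const call = (id, name) => ({ id, type: "function", function: { name, arguments: "{}" } });
const results = (ids) => ids.map((id) => ({ role: "tool", tool_call_id: id, content: "ok" }));

// Constructed history prefix using the ids from the error quoted above.
const ids = ["exec:2", "web_fetch:3"];
const prefix = [
  { role: "user", content: "check the host and fetch the page" },
  { role: "assistant", content: null,
    tool_calls: [call("exec:2", "exec"), call("web_fetch:3", "web_fetch")] },
];

// Hypothetical strict sanitizer, applied below to the result side only.
const strictAlnum = (id) => id.replace(/[^A-Za-z0-9]/g, "");

const droppedResults = [...prefix, { role: "user", content: "any update?" }];
const oneSidedRewrite = [...prefix, ...results(ids.map(strictAlnum))];
const healthy = [...prefix, ...results(ids), { role: "assistant", content: "done" }];

console.log(auditToolCallPairs(droppedResults));
console.log(auditToolCallPairs(oneSidedRewrite));
console.log(auditToolCallPairs(healthy));
```

An empty report for a history that still fails at the provider points away from pairing and toward something the check does not cover, such as duplicate IDs reused across turns.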
Observability catches up with the surface area
OpenClaw’s Control UI gets an ephemeral Activity tab for sanitized live tool activity summaries. Gateway secret preparation can now be traced. Tool and model stream progress is surfaced. Fast-mode and systemd Gateway state are more explicit. OpenTelemetry LLM content spans and alertable signals cover blocked tools, model failover, stale sessions, liveness warnings, oversized payloads, and webhook ingress.
This is necessary. Once an assistant spans channels, tools, voice, plugins, local models, and scheduled work, “it failed” is not enough. Operators need to know whether the problem was delivery, model routing, auth, stale session state, a blocked tool, or a wedged gateway lane.
Install and release hardening round out the update
The release also hardens install, update, and packaging paths. Alpine installs are supported more carefully. Docker package builds, inventory, pack, and tarball preparation have process-group timeouts. Windows Scheduled Task launches keep running on battery power. macOS runner bootstraps and package smoke commands are bounded so they fail instead of hanging. Stable updater resolution now excludes prerelease tags.
Release verification is unusually explicit. The notes link the npm package, registry tarball, package integrity hash, release validation runs, plugin publish runs, OpenClaw npm publish run, appcast, macOS zip, DMG, and dSYM artifacts. The published-package smoke check reports OpenClaw 2026.5.26 (10ad3aa) and plugins list --json returning 46 bundled plugins from a clean temporary home directory.
That evidence does not guarantee every upgrade will be uneventful, but it gives operators something concrete to verify against.
Bottom line
OpenClaw 2026.5.26 is a maintenance-heavy release, but it is not minor. It focuses on the hard parts of agent infrastructure: faster hot paths, durable transcripts, live voice state, safer content boundaries, channel-specific reliability, provider recovery, and observable failures.
If you run OpenClaw as a personal assistant on one machine, the upgrade should mostly feel like fewer rough edges. If you run it as a gateway across multiple channels or agents, this release is more important: it reduces the number of places where state, delivery, security, and provider behavior can quietly diverge.
Sources: OpenClaw v2026.5.26 GitHub release notes; OpenClaw GitHub repository metadata; npm package verification links listed in the release notes; OpenClaw GitHub issue #62319 and PR #87596 for the Kimi/Moonshot tool-call replay caveat; official OpenClaw X announcement snippet surfaced in web search.

