OpenClaw shipped version 2026.4.1 today, and it’s a substantial release — over 40 pull requests merged, a handful of significant feature additions, and a simultaneous ClawHub China mirror announcement that signals continued international expansion. Here’s what’s actually in the release, drawn directly from the changelog. AWS Bedrock Guardrails Support The biggest enterprise story in this release is native AWS Bedrock Guardrails integration in the bundled provider. This lets teams using OpenClaw on AWS infrastructure apply Bedrock’s policy enforcement layer — content filters, topic deny lists, PII redaction, and grounding checks — directly to model calls routed through the Bedrock provider. ...

Amazon Web Services has officially moved its two most ambitious AI agent products out of preview: AWS Security Agent and AWS DevOps Agent are now generally available. This is the first time an enterprise-grade cloud provider has shipped autonomous agents — not assistants, not copilots, but agents — that operate for hours or days without constant human direction, at scale. If you’ve been watching the agentic AI space, this is the moment where frontier agent capabilities stop being a research preview and start being a procurement decision. ...

Sometimes the most revealing leaks aren’t the ones attackers engineer — they’re the ones that happen because someone forgot to add a line to .npmignore. That’s exactly what happened with Anthropic’s Claude Code v2.1.88. A developer named Chaofan Shou noticed that the npm package included a file it really, really shouldn’t have: main.js.map — a source map that, by design, contains a complete reconstruction of the original source code. By the time Anthropic patched it, GitHub mirrors had already spread. The community had 512,000 lines of TypeScript to dig through, and dig they did. ...

If you’ve been hitting Claude Code’s usage limits in 20 minutes instead of hours, you’re not imagining it and you’re not alone. The developer community has named it Cache-22: a prompt cache regression in recent Claude Code versions that’s causing Max-tier quotas to exhaust dramatically faster than expected. Anthropic has acknowledged the bug. A fix is in progress. In the meantime, here’s how to work around it. What’s Happening Prompt caching is supposed to save tokens by reusing previously-processed context instead of re-processing it from scratch every request. When it works correctly, it dramatically extends how far your token quota goes — particularly in agentic workflows with large context windows. ...

Security researcher Yarden Porat at Cyata published findings this week that should be required reading for anyone running CrewAI in production: four critical CVEs, chainable via prompt injection, that allow attackers to escape Docker sandboxes and execute arbitrary code on the host machine. CERT/CC issued advisory VU#221883. Patches are available. What Was Found Porat’s research identified four vulnerabilities in CrewAI that can be chained together: CVE-2026-2275 — The initial vector: a prompt injection flaw that allows malicious content in agent inputs to manipulate how CrewAI processes tool calls. Normally, tool calls are structured, validated operations. This CVE allows crafted input to make the framework treat attacker-controlled content as legitimate tool invocations. ...

A quick note before we start: yes, this was published on April 1st. No, it’s not an April Fools’ joke. Multiple trade press outlets — Business Insider, AOL, letsdatascience.com — covered this as straight news, and Karpathy has since confirmed the demo is real. With that cleared up: what Andrej Karpathy demonstrated this week is one of the clearest visions of where personal AI agents are actually going. The Demo Karpathy built an OpenClaw agent he named Dobby. The task he gave it: scan the local network, discover connected devices, and figure out how to control them. ...

RSAC 2026 is where the agentic AI security conversation got serious, and the number that defined it was 500,000. That’s the estimated count of internet-facing OpenClaw instances identified by security researchers — a deployment footprint that arrived faster than the security tooling needed to manage it. VentureBeat’s analysis at the conference laid out an uncomfortable reality: half a million instances, three unpatched high-severity CVEs, and no mechanism for fleet-wide patching or emergency shutdown. ...

Microsoft made two OpenClaw-related moves this week that, taken together, perfectly capture the enterprise AI agent paradox: they hired someone specifically to bring OpenClaw into Microsoft 365, and they issued a security guidance document specifically warning enterprises not to deploy OpenClaw on standard workstations. Both are correct. That’s the tension. The Hire: Omar Shahine to Lead OpenClaw in M365 Omar Shahine, previously known for his work on Outlook and various Microsoft productivity products, has been hired by Microsoft to lead the integration of OpenClaw and personal AI agents into the Microsoft 365 ecosystem. Windows Central confirmed the hire. ...

OpenClaw shipped v2026.3.31 on March 31st, and it’s one of the more substantive releases in recent months. Three security fixes over the prior stable version (v2026.3.28), a rethought approach to background task management, and two new platform integrations — including one that opens the China market. If you’re running OpenClaw in production, this release warrants a careful read before you upgrade. The Security Story: Trust Is No Longer Automatic The headline change in v2026.3.31 is a security model overhaul that makes implicit trust explicit across the stack. ...

One of the most widely-used JavaScript libraries in the world was silently backdoored today. Axios — the HTTP client with over 83 million weekly downloads — had two of its npm versions compromised in an active supply chain attack. And if you’re running OpenClaw 3.28 with the Slack plugin enabled, you need to act now. What Happened On March 31, 2026, attackers gained access to the npm credentials of Axios’s primary maintainer (“jasonsaayman”) and published two malicious versions: 1.14.1 and 0.30.4. Both versions inject a fake dependency called [email protected] that functions as a cross-platform Remote Access Trojan (RAT) dropper. ...