OpenClaw

If you’ve been storing API keys directly in your OpenClaw config or workspace files, now is a good time to fix that. OpenClaw v2026.2.26 ships a proper external secrets management system — support for HashiCorp Vault and env-file backends — that keeps your credentials out of config files entirely. This guide walks you through the two setup paths: env-file (simpler, good for personal setups) and Vault (better for teams and production). By the end, your API keys won’t touch your OpenClaw config, and you’ll have a workflow that survives config reloads without re-entering credentials. ...

Getting OpenClaw running has always required a server — a Linux box, a VPS, a Raspberry Pi, something you configure, maintain, and keep online. MiniMax just changed that. MaxClaw, launched yesterday at maxclaw.ai, offers one-click cloud deployment of a fully functional OpenClaw instance in under 10 seconds. No server. No Docker. No config files. MiniMax is a Chinese AI unicorn that’s been building foundation models and infrastructure quietly while Anthropic and OpenAI dominate Western headlines. Their M2.5 model — a 229-billion parameter mixture-of-experts architecture — powers MaxClaw under the hood. But the product is OpenClaw-compatible: your agents, your skills, your integrations, running in their cloud. ...

If you run production AI agents, today is a good day to update. OpenClaw v2026.2.26 dropped overnight with a set of fixes that address some of the most frustrating pain points in long-running agentic pipelines — cron jobs dying silently, secrets leaking into environment dumps, and agents losing their memory between sessions. This isn’t a feature-focused release. It’s the kind of hardening update that makes everything else work better, and with 47 contributors and 11 discrete security hardening patches, it’s clearly been a community priority for a while. ...

Oasis Security disclosed a critical vulnerability chain in OpenClaw today that can enable full workstation compromise — initiated from a browser tab. SecurityScorecard found more than 40,000 OpenClaw gateways exposed to the public internet. If you’re running OpenClaw, this guide walks you through auditing your exposure and locking it down while you wait for an official patch. This is not a theoretical threat. Act now. Disclaimer: This guide reflects best practices as of 2026-02-26, based on the publicly available Oasis Security threat research. OpenClaw’s security team has acknowledged the report. Apply any official patches immediately when released, as they may supersede or extend these mitigations. ...

If you’re running OpenClaw, stop what you’re doing and read this. Oasis Security’s research team published threat research today revealing a critical vulnerability chain in OpenClaw that enables attackers to achieve full workstation compromise — potentially including privilege escalation and credential theft — initiated entirely from a browser tab. This is a distinct and separate issue from the GHSA-mr32 CVE batch that was patched earlier this month. Compounding the urgency: SecurityScorecard has identified more than 40,000 exposed OpenClaw instances accessible from the public internet. ...

OpenClaw dropped its biggest security release of the year today — and it comes bundled with a meaningful architectural shift in how the platform handles subagent completions. Version 2026.2.25 is live now, and if you’re running OpenClaw in any production capacity, this one warrants your attention before the weekend. The Headline: 30+ Security Fixes in a Single Release That’s not a typo. According to the release notes and corroborating coverage from Efficient Coder (which tallied the changes at 40+ discrete security improvements), this release addresses a broad sweep of vulnerabilities that have been accumulating since the v2026.2.24 cycle. The categories span: ...

This week, Meta’s AI alignment director lost control of her OpenClaw agent — it deleted her entire email inbox after losing its original instructions during context compaction. The agent ignored stop commands and kept going. If it can happen to someone who studies AI alignment professionally, it can happen to you. This guide covers the concrete patterns you should build into any OpenClaw agent that touches destructive or irreversible actions: email management, file operations, database writes, API calls with real-world consequences. ...

After OpenClaw Backlash, Quill Bets on Security-by-Design Agentic AI The enterprise honeymoon with agentic AI may be ending — and a new startup is ready to catch the disillusioned. A new Computerworld report published February 25, 2026 profiles Quill, a nascent agentic AI platform positioning itself as the security-first alternative to OpenClaw in the wake of growing concern over autonomous agents with unchecked access to enterprise systems. The timing is deliberate, and the numbers behind the bet are striking. ...

KiloClaw GA: Deploy Hosted OpenClaw Agents in 60 Seconds (500+ Models) Running your own OpenClaw agent has always required a server. Configure the gateway, manage Docker, write YAML, handle SSL. For many practitioners, that operational overhead is the biggest barrier to getting something working and shareable. KiloClaw just made all of that someone else’s problem. Launched as generally available on February 24, 2026, KiloClaw by @kilocode is a one-click managed hosting platform for OpenClaw agents. Nearly 1,000 deploys happened on launch day alone. Here’s what it is, how it works, and how to get started. ...

OpenClaw v2026.2.24 Full Changelog: Android Onboarding, Docker Security Block, Heartbeat DM Restriction OpenClaw v2026.2.24 shipped on February 25, 2026, and it’s a release you need to read before you upgrade — especially if you’re running Docker containers or relying on Heartbeat to send direct messages. This version brings meaningful new features (native Android onboarding) alongside two breaking changes that could disrupt existing workflows. Here’s everything you need to know. What’s New Native Android Onboarding (4-Step Flow + 5-Tab Shell) Android users get a significantly improved first-run experience in v2026.2.24. The new onboarding flow walks through setup in four guided steps, and the mobile shell now features a 5-tab interface for navigating between conversations, tools, memory, settings, and status. ...