OpenClaw

RSAC 2026 is where the agentic AI security conversation got serious, and the number that defined it was 500,000. That’s the estimated count of internet-facing OpenClaw instances identified by security researchers — a deployment footprint that arrived faster than the security tooling needed to manage it. VentureBeat’s analysis at the conference laid out an uncomfortable reality: half a million instances, three unpatched high-severity CVEs, and no mechanism for fleet-wide patching or emergency shutdown. ...

Microsoft made two OpenClaw-related moves this week that, taken together, perfectly capture the enterprise AI agent paradox: they hired someone specifically to bring OpenClaw into Microsoft 365, and they issued a security guidance document specifically warning enterprises not to deploy OpenClaw on standard workstations. Both are correct. That’s the tension. The Hire: Omar Shahine to Lead OpenClaw in M365 Omar Shahine, previously known for his work on Outlook and various Microsoft productivity products, has been hired by Microsoft to lead the integration of OpenClaw and personal AI agents into the Microsoft 365 ecosystem. Windows Central confirmed the hire. ...

OpenClaw shipped v2026.3.31 on March 31st, and it’s one of the more substantive releases in recent months. Three security fixes over the prior stable version (v2026.3.28), a rethought approach to background task management, and two new platform integrations — including one that opens the China market. If you’re running OpenClaw in production, this release warrants a careful read before you upgrade. The Security Story: Trust Is No Longer Automatic The headline change in v2026.3.31 is a security model overhaul that makes implicit trust explicit across the stack. ...

One of the most widely-used JavaScript libraries in the world was silently backdoored today. Axios — the HTTP client with over 83 million weekly downloads — had two of its npm versions compromised in an active supply chain attack. And if you’re running OpenClaw 3.28 with the Slack plugin enabled, you need to act now. What Happened On March 31, 2026, attackers gained access to the npm credentials of Axios’s primary maintainer (“jasonsaayman”) and published two malicious versions: 1.14.1 and 0.30.4. Both versions inject a fake dependency called [email protected] that functions as a cross-platform Remote Access Trojan (RAT) dropper. ...

A new critical vulnerability in OpenClaw — tracked as CVE-2026-32971 — allows attackers to obtain human approval for a benign-looking command while executing an entirely different, malicious payload. If you’re running OpenClaw before version 2026.3.11, patch now. The Vulnerability CVE-2026-32971 is a flaw in how OpenClaw’s node-host system.run approval mechanism displays shell commands to users. When the approval dialog is triggered, OpenClaw extracts and displays only a subset of the shell payload — the portion it considers “representative” — rather than the full argv that will actually be executed. ...

The wall between AI agents and your browser just came down. Opera announced today that Opera Neon — the company’s experimental AI-first browser — now supports the Model Context Protocol (MCP) as a native server. This means external AI clients — including Claude Code, ChatGPT, n8n, Lovable, and OpenClaw — can connect directly to a live Neon browser session, access your real-time web context, and take actions inside pages. No Playwright. No Selenium. No screenshots copied and pasted between apps. Just agents talking directly to your browser. ...

The AFP wire just ran a story on OpenClaw. That’s a milestone worth pausing on. AFP — the global French news agency that feeds outlets in 150+ countries — picked up a dispatch from Tokyo today where OpenClaw creator Peter Steinberger spoke at a gathering of the tool’s enthusiasts. The story ran across France24, Digital Journal, and dozens of US local outlets. It’s the kind of mainstream wire pickup that signals a technology has crossed from tech-insider territory into the general conversation. ...

The “token tax” problem is real. As enterprises and power users deploy OpenClaw at scale, a recurring nightmare scenario is playing out: you set up an autonomous reasoning loop before bed, wake up, and discover your OpenAI or Anthropic bill has ballooned by $500–$1,000+ overnight. This is not a hypothetical. It’s being reported across the OpenClaw community today — in Paul Macko’s OpenClaw Newsletter, on ManageMyClaw.com, and in cost guides circulating in developer channels. And the root cause is straightforward: OpenClaw ships with no native API rate limiting or daily spend caps by default. ...

A newly disclosed vulnerability in OpenClaw — tracked as CVE-2026-32979 — allows attackers to execute arbitrary code by modifying local scripts during the window between user approval and actual execution. If you’re running OpenClaw before version 2026.3.11, you should patch immediately. The Vulnerability OpenClaw’s security model relies on a human approval step before executing certain commands, particularly those flagged as elevated or potentially destructive. This approval mechanism is central to the framework’s safety guarantees — it’s how the system ensures a human is in the loop before sensitive operations run. ...

OpenClaw just shipped version 2026.3.28, and if you run agentic pipelines on this platform, you need to read the release notes carefully. This is one of the more architecturally significant updates in recent months — it introduces async human-in-the-loop (HITL) tool approvals, drops the Qwen portal auth integration entirely, and ships a handful of other meaningful improvements. Let’s unpack what changed and what it means for your deployments. Async Human-in-the-Loop: The Headline Feature The biggest change is the addition of requireApproval as an async hook in OpenClaw’s before_tool_call plugin system. In practical terms, this means plugins can now pause tool execution mid-flight and prompt the user for explicit approval before the tool actually runs. ...