OpenClaw v2026.2.25: Critical Security Hardening & Android Performance
Just days after the v2026.2.21 fallback update, the OpenClaw team has dropped v2026.2.25. This release is one of the most significant security-focused updates in the project's history, alongside major performance gains for mobile users.
If you are running OpenClaw in a shared environment or on Android, this is a mandatory update.
The "Security First" Release
While the previous update focused on fallback chains and reliability, v2026.2.25 turns its attention to the Gateway's defensive posture. The maintainers have addressed several theoretical and practical escape vectors.
1. Anthropic OAuth & PKCE Hardening
A legacy onboarding path for macOS users using Anthropic OAuth was found to potentially expose the PKCE verifier via the OAuth state. In v2026.2.25, this path has been entirely removed. Anthropic subscription authentication is now strictly setup-token-only.
2. Execution Boundary Enforcement
One of the most complex additions is the hardening of system.run approvals. Approvals are now bound to the exact argv identity, with whitespace preserved rather than normalized away. This prevents "trailing-space" executable path swaps, where a malicious actor might try to reuse an approval granted for one binary to run a different one whose path differs only by whitespace.
Furthermore:
- Symlink Rejection: The system now rejects symlinked cwd paths for sensitive operations.
- Workspace Isolation: OpenClaw now blocks out-of-workspace symlink targets for agents.files tools, ensuring that agents cannot "hop" out of their assigned directories via filesystem tricks.
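As an added illustration of the three boundary checks above (not OpenClaw's own code; the function names and the constructed directory layout are assumptions), the following Python contrasts exact argv binding with a whitespace-stripping match, and applies the symlink-cwd and workspace-containment rules to a temporary workspace containing a symlink that points outside it:

```python
import json
import os
import tempfile

def argv_identity(argv):
    """Bind an approval to the exact argument vector: JSON encoding keeps
    every byte, so "/usr/bin/tool " and "/usr/bin/tool" differ."""
    return json.dumps(list(argv))

def naive_identity(argv):
    """Weak form for contrast: stripping collapses trailing-space variants
    onto the approved command."""
    return " ".join(a.strip() for a in argv)

def approval_matches(approved_argv, requested_argv):
    return argv_identity(approved_argv) == argv_identity(requested_argv)

def has_symlink_below(base, path):
    """True if any component of path beneath base is a symlink."""
    cur = base
    for part in os.path.relpath(path, base).split(os.sep):
        cur = os.path.join(cur, part)
        if os.path.islink(cur):
            return True
    return False

def inside_workspace(target, workspace):
    """Containment check on the resolved path, so a symlink that lives
    inside the workspace but points outside it is rejected."""
    real_ws = os.path.realpath(workspace)
    real_t = os.path.realpath(target)
    return real_t == real_ws or real_t.startswith(real_ws + os.sep)

def demo():
    """Run the checks on a constructed layout (hypothetical paths)."""
    approved = ["/usr/bin/tool", "--flag"]
    swapped = ["/usr/bin/tool ", "--flag"]  # trailing space in argv[0]
    with tempfile.TemporaryDirectory() as root:
        ws, outside = os.path.join(root, "workspace"), os.path.join(root, "secrets")
        os.makedirs(ws)
        os.makedirs(outside)
        os.symlink(outside, os.path.join(ws, "link"))  # link -> outside the workspace
        return {
            "naive_accepts_swap": naive_identity(approved) == naive_identity(swapped),
            "exact_accepts_swap": approval_matches(approved, swapped),
            "symlink_cwd_rejected": has_symlink_below(root, os.path.join(ws, "link")),
            "plain_cwd_accepted": not has_symlink_below(root, ws),
            "hop_via_link_blocked": not inside_workspace(os.path.join(ws, "link", "x"), ws),
            "plain_subdir_allowed": inside_workspace(os.path.join(ws, "src"), ws),
        }
```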
3. Gateway WebSocket Origin Checks
To defend against session hijacking, the Gateway now enforces strict origin checks for direct browser WebSocket clients. It also introduces failure throttling for password authentication to slow brute-force attempts, a standard but crucial feature for internet-exposed instances.
Android: Faster, Smoother, Smarter
Mobile users will notice a distinct snappiness in this version. The Android team has implemented several "under-the-hood" optimizations:
- Deferred Startup: Foreground services are now deferred until strictly necessary, allowing the app to reach a usable state much faster.
- Optimized Markdown: The native Android chat UI has received a rendering overhaul, particularly for complex GitHub-flavored markdown (GFM) tables and code blocks.
- WebView Debugging: WebView debugging initialization has been moved out of the critical startup path, reducing "jank" during the first few seconds of app launch.
Branding: Farewell to Molt
Following the project's evolution, this release completes the migration away from the internal "Molt" codename. The remaining bot.molt launchd labels, bundle IDs, and logging subsystems have been renamed to ai.openclaw. This unifies the codebase with the OpenClaw Foundation's long-term vision.
Breaking Change: Heartbeat Delivery
User feedback on the recent heartbeat changes led to a policy reversal. The default for Heartbeat direct/DM delivery is now "allow" once again.
If you prefer the "DM-blocked" behavior from the February 24th beta, you must now explicitly set:
"agents.defaults.heartbeat.directPolicy": "block"
Summary of Key Changes
| Category | Improvement | Impact |
|---|---|---|
| Security | PKCE Hardened / OAuth Cleanup | Critical |
| Security | Argv Identity Matching | High |
| Performance | Android Startup Optimization | High |
| UX | Mobile Stacked Compose Layouts | Medium |
| Branding | Final bot.molt -> ai.openclaw | Low |
For those new to the ecosystem, we recommend reviewing our OpenClaw Security Best Practices to ensure your local gateway is fully locked down.
Stay tuned to CompareClaw for the latest OpenClaw cost analysis and integration guides.