9 days since 3.13. The longest gap between OpenClaw releases in months. When the changelog finally dropped, it explained why: 12 breaking changes, 30+ security hardening patches, 100+ stability fixes, 7 new model providers, and a fundamental shift in how plugins are discovered and installed.
This is not an incremental release. This is the version where OpenClaw tore out its legacy plumbing and rebuilt the foundations.
Let's break down what happened.
ClawHub: The Plugin Ecosystem Migration
The headline change in 3.22 is deceptively simple: `openclaw plugins install` now checks ClawHub before npm.
That one sentence rewrites the plugin economy. ClawHub is OpenClaw's native package registry — purpose-built for plugin discovery, versioning, and trust verification. npm was always a borrowed house; ClawHub is the first home OpenClaw actually owns.
What ships alongside it:
- •Native install/search/update flows: `openclaw skills search|install|update` plus `openclaw plugins install clawhub:` with tracked update metadata
- •Claude/Codex/Cursor bundle support: Compatible bundle discovery and install, mapping bundle skills into OpenClaw skills and applying bundle `settings.json` defaults to embedded Pi
- •Claude marketplace registry: Plugin@marketplace installs, marketplace listing, and update support
- •Plugin SDK overhaul: The new public surface is `openclaw/plugin-sdk/*` — the old monolithic `openclaw/extension-api` is removed with no compatibility shim. Bundled plugins must use injected runtime for host-side operations
- •Plugin SDK testing surface: A public `openclaw/plugin-sdk/testing` surface for plugin-author test helpers
- •Memory plugin system-prompt support: The active memory plugin can now register its own system-prompt section
The Plugin SDK change is the structural prerequisite for everything else. By standardizing on narrow openclaw/plugin-sdk/* subpaths instead of a monolithic root, every plugin gets a smaller, more stable API contract. The testing surface means plugin authors can finally write proper tests without reaching into framework internals.
12 Breaking Changes: Paying Off the Technical Debt
Twelve breaking changes in one release looks aggressive. But when you read them together, they tell a coherent story: OpenClaw is burning the last bridges to its pre-1.0 architecture.
Plugin Ecosystem (4 items)
- 1.ClawHub replaces npm as the default plugin install source. npm fallback remains, but ClawHub gets priority for npm-safe names
- 2.Plugin SDK surface changed to `openclaw/plugin-sdk/*` — the old `openclaw/extension-api` is gone with no shim
- 3.Chrome MCP extension relay removed — the legacy Chrome extension relay path, bundled extension assets, and `driver: "extension"` are all gone. Run `openclaw doctor --fix` to migrate
- 4.Image generation standardized — the old nano-banana-pro docs/examples are removed. Use `agents.defaults.imageGenerationModel` instead
Legacy Cleanup (3 items)
- 5.Legacy env names removed: `CLAWDBOT_` and `MOLTBOT_` compatibility names are gone across runtime, installers, and test tooling. Use `OPENCLAW_*`
- 6.Legacy state directory removed: `.moltbot` state-dir and `moltbot.json` auto-detection/migration fallback are gone. Move to `~/.openclaw` or set `OPENCLAW_STATE_DIR`
- 7.Message discovery adapter changed: Requires `ChannelMessageActionAdapter.describeMessageTool(...)` — the legacy `listActions`, `getCapabilities`, and `getToolSchema` methods are removed
Security & Sandbox (3 items)
- 8.Exec env sandbox expanded: Blocks JVM injection (`MAVEN_OPTS`, `SBT_OPTS`, `GRADLE_OPTS`, `ANT_OPTS`), glibc tunable exploitation (`GLIBC_TUNABLES`), and .NET dependency hijack (`DOTNET_ADDITIONAL_DEPS`)
- 9.Time wrapper transparency: `time` is treated as a transparent dispatch wrapper during allowlist evaluation so approved `time ...` commands bind the inner executable
- 10.Voice-call webhook hardening: Rejects missing provider signature headers before body reads, drops pre-auth body budget to 64 KB / 5s
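Items 8 and 9 describe two checks that belong together in an exec sandbox: scrub the child environment of variables that load code regardless of which binary was approved, and make the allowlist decision bind to the program a wrapper like `time` actually dispatches to. The block below is an added illustration in TypeScript, not OpenClaw's own sandbox code (it also covers the "Exec env sandbox" line in the security section further down); the uppercase name matching, the skipping of leading `time` flags such as `-p`, and the sample environment values are this example's assumptions.

```typescript
// Added example (not OpenClaw's own code). Drops the injection variables the
// release notes name from a child-process environment, and resolves the
// executable an allowlist decision must bind to when the command is wrapped
// in `time`. Uppercase matching and the skipping of leading `time` flags are
// assumptions of this example.

// Variables that load or alter code in a child process regardless of which
// binary was approved: JVM option injection, glibc tunables, .NET dependency hijack.
const BLOCKED_EXEC_ENV: ReadonlySet<string> = new Set([
  "MAVEN_OPTS", "SBT_OPTS", "GRADLE_OPTS", "ANT_OPTS",
  "GLIBC_TUNABLES",
  "DOTNET_ADDITIONAL_DEPS",
]);

export interface SanitizedEnv {
  env: Record<string, string>;
  dropped: string[];
}

// Copies `env` without the blocked variables; `dropped` lets the caller log what was removed.
export function sanitizeExecEnv(env: Record<string, string>): SanitizedEnv {
  const out: Record<string, string> = {};
  const dropped: string[] = [];
  for (const [name, value] of Object.entries(env)) {
    if (BLOCKED_EXEC_ENV.has(name.toUpperCase())) {
      dropped.push(name);
      continue;
    }
    out[name] = value;
  }
  return { env: out, dropped: dropped.sort() };
}

// Wrappers that only dispatch to another program. The allowlist must be
// evaluated against that program, never against the wrapper name itself.
const TRANSPARENT_WRAPPERS: ReadonlySet<string> = new Set(["time"]);

// Returns the executable that `argv` ultimately runs, or null if there is none
// (a bare `time` with nothing to dispatch to).
export function resolveAllowlistTarget(argv: readonly string[]): string | null {
  let i = 0;
  while (i < argv.length) {
    const word = argv[i] ?? "";
    if (!TRANSPARENT_WRAPPERS.has(word)) break;
    i += 1;
    // Skip wrapper options such as `time -p` (assumed flag syntax).
    while (i < argv.length && (argv[i] ?? "").startsWith("-")) i += 1;
  }
  return i < argv.length ? (argv[i] ?? null) : null;
}

export function isExecAllowed(argv: readonly string[], allowlist: ReadonlySet<string>): boolean {
  const target = resolveAllowlistTarget(argv);
  return target !== null && allowlist.has(target);
}

// Constructed sample: an approved `time ls`, and a wrapped `curl` that must not
// ride on an allowlist entry for `time` itself.
export function demo(): { allowedLs: boolean; smuggledCurl: boolean; dropped: string[] } {
  const allowlist: ReadonlySet<string> = new Set(["time", "ls"]);
  const sanitized = sanitizeExecEnv({
    PATH: "/usr/bin",
    MAVEN_OPTS: "-javaagent:/tmp/agent.jar",         // constructed sample value
    GLIBC_TUNABLES: "glibc.malloc.tcache_count=0",   // constructed sample value
  });
  return {
    allowedLs: isExecAllowed(["time", "-p", "ls", "-la"], allowlist),
    smuggledCurl: isExecAllowed(["time", "curl", "https://example.invalid"], allowlist),
    dropped: sanitized.dropped,
  };
}
```

The design point is that an allowlist containing `time` must never make `time curl ...` an approved command: the decision is taken on the resolved inner executable, and the environment is scrubbed independently of that decision.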
Platform Protocols (2 items)
- 11.Discord Carbon reconcile: Native command deployment switches to Carbon reconcile by default — Discord restarts stop churning slash commands
- 12.New Matrix plugin: Complete rewrite backed by the official `matrix-js-sdk`. Migration guide available
Twelve breaking changes, shipped in one version. It looks radical. But looking back, every one of these cuts was overdue.
Security: 30+ Hardening Patches, from SMB to SSRF to Hangul
The security section in 3.22 is massive. Not three items like 3.13 — over thirty. Grouped by attack surface:
Network & Protocol Layer
- •Windows SMB credential leak blocked: Remote-host `file://` media URLs and UNC/network paths are blocked before local filesystem resolution, preventing structured local-media inputs from triggering outbound SMB credential handshakes
- •SSRF pinning hardened: Explicit-proxy SSRF pinning now translates target-hop transport hints onto HTTPS proxy tunnels and fails closed for plain HTTP guarded fetches
- •Gateway auth scope hardening: Ignores spoofed loopback hops in trusted forwarding chains, blocks device approvals requesting scopes above the caller session
- •Gateway discovery fail-closed: Unresolved Bonjour and DNS-SD service endpoints in CLI discovery fail closed instead of being steered by TXT-only hints
- •Media error body bounds: Remote-media error-body snippets are bounded with the same streaming caps and idle timeouts as successful downloads
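The SMB item above turns on one ordering rule: classify a "local" media reference before anything resolves it, because on Windows a UNC path or a `file://` URL with a host name is opened over SMB, and that connection carries an NTLM handshake. The block below is an added TypeScript illustration of such a pre-resolution check, not OpenClaw's own media code; the verdict shape, the reason strings and the sample references are this example's choices, and the host names in the samples are constructed.

```typescript
// Added example (not OpenClaw's own code): a pre-resolution check that keeps a
// structured local-media reference from naming a remote host. The verdict
// shape and the reason strings are this example's choices.

export type MediaRefVerdict =
  | { allowed: true; path: string }
  | { allowed: false; reason: string };

// \\server\share, //server/share and \\?\UNC\server\share all start this way.
const UNC_PREFIX = /^(\\\\|\/\/)/;

export function classifyLocalMediaRef(input: string): MediaRefVerdict {
  const ref = input.trim();

  // Raw UNC paths go to SMB before any local file is opened.
  if (UNC_PREFIX.test(ref)) {
    return { allowed: false, reason: "UNC/network path" };
  }

  if (!/^file:/i.test(ref)) {
    // Plain local path (C:\..., /var/...): nothing here reaches the network.
    return { allowed: true, path: ref };
  }

  let url: URL;
  try {
    url = new URL(ref);
  } catch {
    return { allowed: false, reason: "unparseable file URL" }; // fail closed
  }
  // WHATWG parsing folds file://localhost/ into an empty host; any other host is remote.
  if (url.hostname !== "") {
    return { allowed: false, reason: `remote file:// host "${url.hostname}"` };
  }
  let path: string;
  try {
    path = decodeURIComponent(url.pathname);
  } catch {
    return { allowed: false, reason: "undecodable file URL path" }; // fail closed
  }
  // file:////server/share parses with an empty host but a UNC-shaped path.
  if (UNC_PREFIX.test(path)) {
    return { allowed: false, reason: "UNC path inside file URL" };
  }
  return { allowed: true, path };
}

// Constructed samples of the inputs a media pipeline might receive.
export const SAMPLE_MEDIA_REFS: readonly string[] = [
  "C:\\Users\\me\\Pictures\\cat.png",
  "file:///C:/Users/me/Pictures/cat.png",
  "\\\\nas.example.internal\\media\\cat.png",
  "//nas.example.internal/media/cat.png",
  "file://nas.example.internal/media/cat.png",
  "file:////nas.example.internal/media/cat.png",
];

export function blockedSamples(): string[] {
  return SAMPLE_MEDIA_REFS.filter((r) => !classifyLocalMediaRef(r).allowed);
}
```

Every branch that cannot classify the input confidently returns `allowed: false`; an unparseable or undecodable reference is exactly the kind that should not be handed to a filesystem API to interpret.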
Sandbox & Execution Layer
- •Plugin marketplace manifest sandboxing: Rejects remote marketplace manifest entries that expand installation outside the cloned marketplace repo
- •jq removed from safe-bin allowlist: `jq -n env` can no longer dump host secrets without an explicit trust path
- •macOS exec HMAC verification: Timing-safe compare for exec-host request HMAC, malformed signatures fail-closed
- •Exec env sandbox: Blocks JVM, glibc, and .NET injection vectors from the host exec environment
- •Workspace hooks gated: Repo-local hooks stay disabled until explicitly enabled, blocking name collisions from shadowing bundled hooks
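The HMAC item here, the voice-call webhook item in the breaking-changes list (reject a missing signature header before reading the body, cap the pre-auth body), and the LINE item further down (verify over the raw body, not a re-serialised parse) are one pattern. The block below is an added TypeScript illustration of that pattern, not OpenClaw's exec-host or webhook code; the header name, the hex-encoded SHA-256 MAC, the request shape and the sample payloads are this example's assumptions, and the 64 KB figure is taken from the release notes while the 5-second budget is left to the server's request timeout.

```typescript
// Added example (not OpenClaw's own code). Verifies a signed request in the
// order the release notes describe: header present, signature well-formed,
// body bounded, then a constant-time MAC comparison over the raw bytes.
import { createHmac, timingSafeEqual } from "node:crypto";

export const PRE_AUTH_BODY_LIMIT = 64 * 1024; // figure from the release notes

export type VerifyOutcome =
  | "ok" | "missing-signature" | "malformed-signature" | "body-too-large" | "bad-signature";

// Minimal request abstraction (assumed shape): headers, the declared length,
// and a reader that returns the raw, unparsed body bytes.
export interface IncomingRequest {
  headers: Record<string, string | undefined>;
  contentLength?: number;
  readBody: () => Buffer;
}

export function verifySignedRequest(
  req: IncomingRequest,
  secret: string,
  headerName = "x-provider-signature", // assumed header name
): { outcome: VerifyOutcome; body?: Buffer } {
  // 1. Absent header: reject before touching the body at all.
  const sig = req.headers[headerName];
  if (sig === undefined || sig === "") return { outcome: "missing-signature" };

  // 2. Malformed signature fails closed: must be hex for exactly 32 bytes.
  if (!/^[0-9a-fA-F]{64}$/.test(sig)) return { outcome: "malformed-signature" };

  // 3. Bound what an unauthenticated caller can make us read.
  if (req.contentLength !== undefined && req.contentLength > PRE_AUTH_BODY_LIMIT) {
    return { outcome: "body-too-large" };
  }
  const body = req.readBody();
  if (body.length > PRE_AUTH_BODY_LIMIT) return { outcome: "body-too-large" };

  // 4. MAC over the raw bytes, compared in constant time. Lengths are equal by
  //    construction after step 2, which timingSafeEqual requires.
  const expected = createHmac("sha256", secret).update(body).digest();
  const given = Buffer.from(sig, "hex");
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    return { outcome: "bad-signature" };
  }
  return { outcome: "ok", body };
}

// Producer side, for constructing test traffic.
export function signBody(secret: string, body: Buffer | string): string {
  return createHmac("sha256", secret).update(body).digest("hex");
}

// Builds a constructed request object from headers and a raw body.
export function makeRequest(headers: Record<string, string | undefined>, body: Buffer): IncomingRequest {
  return { headers, contentLength: body.length, readBody: () => body };
}
```

Parsing the body as JSON and re-serialising it before computing the MAC is the classic mistake the LINE item addresses: key order, whitespace and number formatting change under a round trip, so the MAC must be taken over the bytes that arrived.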
Identity & Authentication Layer
- •Device pairing bound to profile: iOS setup codes are bound to the intended node profile, rejecting first-use bootstrap that asks for broader roles
- •Synology Chat user_id binding: Reply delivery bound to stable numeric `user_id` by default — mutable username lookup requires explicit `dangerouslyAllowNameMatching`
- •Browser node proxy enforcement: Enforces `nodeHost.browserProxy.allowProfiles` across query and body profile params
- •Device token rotation hardened: Public failures stay generic, internal deny reasons logged, approved-baseline enforcement preserved
- •Trusted-proxy scope clearing: Self-declared scopes cleared for device-less trusted-proxy Control UI sessions
Encoding & Injection Layer
- •Hangul filler escape: Blank Hangul filler code points escaped in approval prompts across gateway and macOS native UI — visually empty Unicode padding can no longer hide command text
- •Nostr DM pre-crypto policy: Inbound DM policy enforced before decrypt, with pre-crypto rate and size guards
- •OpenResponses file-context escaping hardened
- •LINE webhook parsing: Enforces verified raw body for Express webhook parsing
- •Email webhook metadata sanitization: Sender and subject metadata sanitized before external-content wrapping
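The Hangul filler item is the one in this group that needs a concrete picture: the filler code points are not whitespace, so a trim or a whitespace regex leaves them alone, yet most fonts draw them as nothing, which lets a long run of them push the tail of a command off the visible part of an approval prompt. The block below is an added TypeScript illustration of escaping them before display, not OpenClaw's gateway or macOS UI code; the `\u{XXXX}` display form, the count annotation and the sample command are this example's choices.

```typescript
// Added example (not OpenClaw's own code). Escapes blank-looking Hangul filler
// code points in an approval prompt so padding cannot hide command text. The
// visible \u{XXXX} form is this example's choice.

// Code points that render as empty space in most fonts yet are not whitespace:
// U+115F HANGUL CHOSEONG FILLER, U+1160 HANGUL JUNGSEONG FILLER,
// U+3164 HANGUL FILLER, U+FFA0 HALFWIDTH HANGUL FILLER.
const HANGUL_FILLERS: ReadonlySet<number> = new Set([0x115f, 0x1160, 0x3164, 0xffa0]);

// Replaces each filler with a visible escape; ordinary Hangul text is untouched.
export function escapeHangulFillers(text: string): string {
  let out = "";
  for (const ch of text) {
    const cp = ch.codePointAt(0) ?? 0;
    out += HANGUL_FILLERS.has(cp) ? `\\u{${cp.toString(16).toUpperCase()}}` : ch;
  }
  return out;
}

export function countHangulFillers(text: string): number {
  let n = 0;
  for (const ch of text) if (HANGUL_FILLERS.has(ch.codePointAt(0) ?? 0)) n += 1;
  return n;
}

// The line a reviewer sees. When fillers were present the prompt also says how
// many were escaped, so the padding itself becomes a signal.
export function renderApprovalPrompt(command: string): string {
  const n = countHangulFillers(command);
  const shown = escapeHangulFillers(command);
  return n === 0
    ? `Approve: ${shown}`
    : `Approve: ${shown}  [${n} invisible filler code point(s) escaped]`;
}

// Constructed sample: a benign command padded so that a trailing part would
// sit far to the right in a narrow prompt.
export function paddedSample(): string {
  return "ls -la" + "\u3164".repeat(40) + "; echo hidden";
}
```

Whitespace-based defences do not cover this case: `"\u3164".trim()` returns the filler unchanged, and `/\s/` does not match it, which is why the release notes treat it as an escaping problem rather than a trimming one.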
| Attack Surface | Fixes |
|---|---|
| Network & Protocol | 5 |
| Sandbox & Execution | 5 |
| Identity & Authentication | 5+ |
| Encoding & Injection | 5+ |
| Platform-specific | 10+ |
| Total | 30+ |
These patches won't appear on marketing posters. But they determine who dares to put OpenClaw into production. Trustworthy is harder than useful.
Performance: Gateway Cold Start Transformed
The single most user-visible performance improvement: Gateway boot no longer recompiles bundled extension TypeScript on every startup. WhatsApp-class cold starts drop from tens of seconds (or worse) back to seconds.
What else changed:
- •Model prewarm before channel startup: The configured primary model is prewarmed before channel startup, with one transient retry — so the first Telegram or Discord message after boot no longer fails with `Unknown model`
- •Lazy-loading across the stack: Channel `add` and root help paths, plugin/provider fallback resolution, Discord provider/session runtime, media and link understanding for plain-text turns — all lazy-loaded to trim startup RSS and latency
- •Agent model catalog caching: Cached by config and auth-file state so embedded runner turns stop paying repeated catalog startup work
- •Session cache sweeping: Expired embedded-runner session cache entries are opportunistically swept during later cache activity, preventing one-shot session file accumulation
New Features at a Glance
Search Ecosystem
Three new bundled web-search plugins arrive in 3.22:
- •Exa: Native date filters, search-mode selection, optional content extraction under `plugins.entries.exa.config.webSearch.*`
- •Tavily: Dedicated `tavily_search` and `tavily_extract` tools with plugin-owned config
- •Firecrawl: `firecrawl_search` and `firecrawl_scrape` tools with base-URL/env fallback
Sandbox & Tools
- •Pluggable sandbox backends: Ship with OpenShell (mirror and remote workspace modes) and SSH backends (secret-backed key, certificate, and known_hosts inputs)
- •Browser profiles for Chromium browsers: `browser.profiles` entries with a `userDataDir` support Brave, Edge, and other Chromium-based browsers through Chrome DevTools MCP
Interaction Experience
- •/btw side questions: Quick tool-less answers about the current session without changing future context — dismissible in-session TUI answers and explicit BTW replies on external channels
- •Control UI canvas expand: Expand-to-canvas button on assistant chat bubbles
- •Roundness slider: Adjust corner radius from sharp to fully rounded in Appearance settings
- •Per-agent thinking/reasoning/fast defaults: Auto-revert disallowed model overrides to the agent's default selection
CLI & Configuration
- •CLI config set expansion: SecretRef and provider builder modes, JSON/batch assignment, `--dry-run` validation with structured JSON output
- •Gateway health monitor: Configurable stale-event thresholds and restart limits with per-channel and per-account overrides
- •Install from GitHub main: `openclaw update --tag main` or `installer --version main`
Model Providers: The Arms Race Continues
| Provider | What Changed |
|---|---|
| OpenAI | Default setup model switches to openai/gpt-5.4. Forward-compat support for gpt-5.4-mini and gpt-5.4-nano |
| Anthropic Vertex | New core provider support for Claude via Google Vertex AI with GCP auth/discovery |
| Chutes | New bundled provider with plugin-owned OAuth/API-key auth and dynamic model discovery |
| MiniMax | M2.7 and M2.7-highspeed added, default updated from M2.5 to M2.7. M2 and M2.1 catalog entries added. Single unified plugin surface |
| xAI | Grok catalog synced to current Pi-backed IDs. Grok 4.20 renamed to GA IDs with runtime alias resolution |
| Z.AI | GLM catalog synced including 4.5/4.6 model families with updated pricing |
| Xiaomi | Switched to /v1 OpenAI-compatible endpoint. MiMo V2 Pro and MiMo V2 Omni added |
| Mistral | Default metadata synced to current Pi pricing — no longer advertises zero-cost |
| GitHub Copilot | Forward-compat dynamic model IDs without code updates |
Platform Improvements Across the Board
Android
- •System-aware dark theme across onboarding and post-onboarding screens
- •Talk voice migration: Speech synthesis moves behind gateway `talk.speak`, Android switches to final-response audio
- •Call log search (`callLog.search`) and SMS search (`sms.search`) with shared permission wiring
- •Contacts search fix: Escapes literal `%` and `_` in contact-name queries to prevent SQL LIKE wildcard matches
- •Camera memory fix: Recycles intermediate and final snap bitmaps to prevent native memory leaks
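The contacts search fix is easy to get wrong in the other direction: escaping `%` and `_` does nothing unless the query also declares the escape character, and the pattern must still go in as a bound parameter. The block below is an added illustration, not the OpenClaw Android code (which is Kotlin); it is written in TypeScript to match the rest of this page's examples and includes a small reference matcher for SQL LIKE semantics so the effect can be checked without a database. The column and table names, the backslash escape character and the sample contact names are this example's assumptions, and the reference matcher is case-sensitive, unlike SQLite's ASCII-insensitive LIKE.

```typescript
// Added example (not OpenClaw's Android code). Escapes LIKE metacharacters,
// builds a parameterised contact query, and checks the result against a
// reference implementation of LIKE ... ESCAPE semantics.

export const LIKE_ESCAPE = "\\";

// Escapes %, _ and the escape character itself so user text matches literally.
// Only meaningful when the query carries a matching ESCAPE clause.
export function escapeLikeLiteral(input: string, esc: string = LIKE_ESCAPE): string {
  let out = "";
  for (const ch of input) out += ch === esc || ch === "%" || ch === "_" ? esc + ch : ch;
  return out;
}

// The pattern is a bound parameter (never concatenated); the ESCAPE char is a
// fixed literal. Table and column names are assumed for the example.
export function buildContactQuery(userText: string): { sql: string; params: string[] } {
  return {
    sql: "SELECT display_name FROM contacts WHERE display_name LIKE ? ESCAPE '\\'",
    params: [`%${escapeLikeLiteral(userText)}%`],
  };
}

// Reference LIKE matcher: % = any run, _ = one char, esc+X = literal X.
// Case-sensitive (an assumption; SQLite's LIKE folds ASCII case).
export function likeMatch(value: string, pattern: string, esc: string = LIKE_ESCAPE): boolean {
  const v = [...value];
  const p = [...pattern];
  const rec = (vi: number, pi: number): boolean => {
    if (pi === p.length) return vi === v.length;
    const c = p[pi];
    if (c === esc && pi + 1 < p.length) {
      return vi < v.length && v[vi] === p[pi + 1] && rec(vi + 1, pi + 2);
    }
    if (c === "%") {
      for (let k = vi; k <= v.length; k += 1) if (rec(k, pi + 1)) return true;
      return false;
    }
    if (c === "_") return vi < v.length && rec(vi + 1, pi + 1);
    return vi < v.length && v[vi] === c && rec(vi + 1, pi + 1);
  };
  return rec(0, 0);
}

// Runs the built query's pattern over an in-memory contact list.
export function searchContacts(names: readonly string[], userText: string): string[] {
  const pattern = buildContactQuery(userText).params[0] ?? "";
  return names.filter((n) => likeMatch(n, pattern));
}

// Constructed sample contacts; two of them contain LIKE metacharacters.
export const SAMPLE_CONTACTS: readonly string[] = ["Alice", "Bob_Smith", "50% Off Deals", "Carol"];
```

Without the escape, a search for `%` becomes the pattern `%%%` and returns every contact; with it, the same search returns only the entry that literally contains a percent sign.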
Telegram
- •Custom Bot API endpoints: Per-account custom endpoint support across all send, probe, setup, and media paths — self-hosted Telegram deployments work end to end
- •Auto-rename DM topics: LLM-generated labels for forum topics on first message, with per-account and per-DM overrides
- •Topic-edit action: Forum-topic renames and icon updates
- •Silent error replies: Default-off `channels.telegram.silentErrorReplies` setting
- •Network stability: Sticky IPv4 fallback preserved across polling restarts; unified API and media fetches under same fallback chain
Feishu (Lark)
- •Interactive approval and quick-action cards with callback context routing
- •ACP and subagent session binding for supported DMs and topic conversations
- •Reasoning stream: `onReasoningStream` renders thinking tokens as markdown blockquotes in streaming cards
- •Identity-aware card headers and footers through the shared outbound identity path
- •Expanded action surface: Message read/edit, explicit thread replies, pinning, chat/member inspection
Matrix
- •Complete plugin rewrite backed by the official `matrix-js-sdk` with migration guide
- •`allowBots` room policy for configured bot-to-bot communication
- •Private network opt-in: Per-account `allowPrivateNetwork` for internal homeservers
- •Durable event dedup across gateway restarts
- •Mention-gated binding fix: Idle ACP and session bindings expire normally in mention-required rooms
Discord
- •Carbon reconcile for native command deployment — restarts stop churning slash commands
- •Strict DM component allowlist auth
- •ACP abort forwarding: Timed-out Discord jobs cancel the running turn instead of leaving ACP sessions working in the background
- •Reconnect fix: Append recency filter restored in inbox monitor, protobuf Long timestamps handled correctly
- •Active listener singleton: `globalThis` singleton ensures split bundle chunks share one listener map
- •Login fix: Waits for pending creds writes before reopening after Baileys 515 pairing restarts
100+ Stability Fixes: The Summary Table
| Area | Key Fixes |
|---|---|
| Agent Compaction | Orphaned tool_result repair after compact, overflow recovery when post-compaction context still exceeds threshold, empty-preparation boundary summaries, capped retry fallback preserves split-turn context, opt-in JSONL truncation |
| Agent Runtime | Deduplicate tool call IDs for OpenAI-compatible backends, strip prompt_cache fields for non-OpenAI endpoints, plain-text error output for timeouts, replay block sanitization, bootstrap warnings moved out of system prompt for stable cache |
| Plugin Runtime | Shared singleton state across duplicate module graphs, plugin bind approval state sharing, context engine delegation semantics, bundler TDZ fix for device-pair/phone-control/talk-voice plugins |
| Gateway | WS handshake timeout raised to 10s, stale chat buffer reaping fixed, orphaned run recovery during restart, serialized per-account channel startup, webhook route pinning to startup registry |
| Control UI | Scoped settings keys by gateway path, provider prefix preserved on model switch, session routing preserves external delivery routes, locale dropdown persistence, safe logger imports |
| Telegram | Hard-timeout stuck getUpdates, allow_sending_without_reply, DM topic session key routing, malformed reply field handling, pairing setup seeds mention-gated groups |
| Feishu | Full thread context fetch for topic threads, native media handling alignment, signed webhook constant-time comparison |
| Mattermost | Honor replyToMode: "off" for threaded posts, retry transient DM channel creation |
| macOS | Stop KeepAlive for desktop app launch agent, use openclaw node start/stop --json |
| Windows | Accept schtasks Last Result output alias, gateway network discovery guard for WSL2 |
| Linux | Auto-detect nvm-managed Node TLS CA bundle, Google auth Node 25 compatibility |
By the Numbers
| Metric | 3.13 | 3.22 |
|---|---|---|
| Breaking Changes | 0 | 12 |
| Security Fixes | 3 | 30+ |
| Stability Patches | 70+ | 100+ |
| New Model Providers | 0 | 7 |
| New Web Search Plugins | 0 | 3 |
| Plugin Source | npm | ClawHub |
| Gateway Cold Start | Tens of seconds | Seconds |
| Default Agent Timeout | 600s | 48h |
| Contributors Thanked | ~10 | 80+ |
---
3.22 is not the kind of release that makes headlines with a shiny new feature. It is surgery — open the chest, replace the engine, stitch it up, and run faster than before.
12 breaking changes are not chaos. They are burning the old maps. ClawHub going live, security surfaces hardened across the board, Gateway cold start reborn — these three things together mean OpenClaw has graduated from "fast-iterating open source project" to "infrastructure you can actually depend on."
The lobster has molted again. This time, even the skeleton is new.