OpenClaw 3.8 is a smaller release than 3.7. Fewer lines changed, fewer bullet points in the changelog. But there's one feature in here that matters more than its diff size suggests.
ACP Provenance: Your Agents Now Know Who's Talking
When agents only talked to humans, identity was simple—there was a user on the other end of a chat app. Now agents talk to other agents. An OpenClaw instance might receive a task from a CI pipeline, a scheduling agent, or another OpenClaw node in a multi-agent workflow. The question "who sent this?" stopped being trivial a while ago.
3.8 adds ACP Provenance—optional ingress metadata that lets your agent verify the origin of incoming ACP sessions. Run openclaw acp --provenance meta and every inbound session carries a signed origin context with a session trace ID. Bump it to meta+receipt and the agent injects a visible receipt into the conversation, creating an auditable chain of who triggered what.
Three modes: off, meta, meta+receipt. Off by default—no breaking changes, no surprise overhead. Turn it on when you need it.
Why This Is the Headline
Agent identity is the unsolved problem in the multi-agent stack. MCP handles tool access—"what can this agent do." ACP/A2A handles agent-to-agent messaging—"how do agents talk." But neither answers "who is this agent, and should I trust it?"
IBM's ACP protocol and Google's A2A have merged under the Linux Foundation, with 100+ companies backing the unified standard. DeepLearning.AI already has a dedicated course on it. The industry is converging on agent interoperability, and identity verification is the missing piece everyone needs.
OpenClaw's ACP Provenance is a first step, not the final answer. It doesn't solve the full identity problem—there's no certificate authority for agents yet, no universal agent passport. But it gives you a practical tool today: your agent can now distinguish "request from my trusted CI pipeline" from "request from unknown origin," and act accordingly.
For teams running multi-agent setups, that's the difference between "works in a demo" and "works in production."
Brave LLMContext: Search Results Built for AI
Web search in OpenClaw used to return raw HTML or basic snippets. Useful for humans, awkward for agents. The agent would burn context window tokens just parsing page structure to find the actual answer.
3.8 adds support for Brave's LLMContext endpoint. When configured, web search returns pre-extracted summary fragments with source metadata—structured content designed to be consumed by language models. Less noise, more signal, fewer wasted tokens.
This isn't a cosmetic change. For agents that search the web as part of their workflow, it means smaller context footprints and more accurate results. The agent gets what it needs without having to play HTML parser first.
Podman + SELinux: Enterprise Linux Finally Just Works
If you've ever tried running OpenClaw on Fedora or RHEL with SELinux enforcing, you know the drill: mysterious permission denied errors, manual :Z label additions, forum threads full of conflicting advice.
3.8 auto-detects whether SELinux is in enforcing or permissive mode and adds the correct :Z volume labels automatically. No manual intervention. No config flags. It just works.
Small change. Big quality-of-life improvement for anyone in an enterprise Linux environment—which, given OpenClaw's growing adoption in regulated industries, is a lot of people.
Docker Image: Lighter Again
Development dependencies and build metadata have been stripped from the runtime image. The result is a smaller pull, faster cold starts, and less attack surface.
Not much to say here—it's the kind of housekeeping that doesn't make for exciting reading but compounds over thousands of deployments.
The Speed Question
Some people say OpenClaw updates too fast. That's a fair complaint if you're trying to pin to a version and forget about it.
But step back and think about what "too fast" actually means for an open-source project. It means pull requests are flowing. It means maintainers are reviewing and merging. It means the contributor pipeline—the thing that makes open source actually work—isn't a trickle; it's a river.
An open-source project that moves fast enough to be hard to keep up with is an open-source project with an active community behind it. That velocity is a signal. It tells you the track is hot and the direction is right.
3.7 laid the foundation with ContextEngine. 3.8 starts filling in the gaps—agent identity, smarter search, broader platform support. The pace isn't slowing down. Good.
What Changed
| Area | Change |
|---|---|
| ACP | Provenance metadata + receipt injection (--provenance off / meta / meta+receipt) |
| Search | Brave LLMContext endpoint for AI-friendly results |
| Containers | Podman/SELinux auto-detection with :Z labels |
| Docker | Slimmer runtime image (dev deps + build metadata removed) |
| Security | 12+ patches across gateway, webhooks, and TLS handling |
| Backup | Improved archive naming, config-only mode, hardened verification |
| Telegram | Duplicate message fix |