OpenClaw update expands model support as security alarms escalate

OpenClaw, a widely used open-source autonomous AI assistant, has pushed out version 2026.2.17 with expanded capabilities that include support for Anthropic’s latest Claude Sonnet 4.6 model and enhancements across messaging platforms and automation workflows. The update, made available by lead developer Peter Steinberger on February 17, 2026, was designed to address user demand for broader model integration and improved context handling, but it arrives as the software grapples with intensifying scrutiny over critical security vulnerabilities and malware targeting its ecosystem.

OpenClaw, originally launched in November 2025 and gaining rapid adoption thanks to its flexible agent architecture and messaging platform interfaces, now offers native support for Claude Sonnet 4.6 alongside opt-in extended context windows up to one million tokens for compatible Anthropic models. The release also brings deterministic subagent spawning via chat commands, enhanced support for Slack, Telegram and Discord integration, and new iOS share and talk-mode features. These additions aim to streamline workflows for developers and end-users leveraging agentic AI in professional and personal settings.

Security researchers have, however, flagged a series of concerning issues tied to both the framework’s core operation and its ecosystem of plugins known as “skills.” A documented credential-theft incident involving infostealer malware successfully exfiltrated sensitive OpenClaw configuration and authentication files, including tokens and private cryptographic keys, from a victim’s device, underscoring the potential for attackers to impersonate clients or gain unauthorised access to local instances. Experts warn that such breaches represent a significant shift in the threat landscape as agentic AI systems gain deeper integration into user workflows and systems with broad file-system access.

Supply chain risks have compounded these concerns. Research published in early February reported that hundreds of malicious add-ons on the official ClawHub repository posed as legitimate tools such as cryptocurrency trading bots and leveraged trusted brand names to deliver information-stealing malware targeting both macOS and Windows systems. Security analysts said that these tainted plugins exploit ClawHub’s trust model to intercept wallet data, browser credentials and other personal information, illustrating the wide range of vectors adversaries are exploiting against the AI agent’s user base.

The broader security picture for OpenClaw has been shaped by academic and industry analysis highlighting systemic vulnerabilities intrinsic to agentic AI frameworks. Recent scholarly audits have shown that protocols used to standardise interactions between models, tools and workflows can inadvertently expose systems to remote code execution, unauthorized command execution and credential compromise when safeguards are insufficient or misconfigured. These analyses reinforce the need for proactive security assessments and robust defence mechanisms as agentic AI platforms evolve beyond simple chat interfaces to full task automation.

Within the OpenClaw project itself, historical vulnerability disclosures — including one that enabled remote code execution via improperly handled authentication tokens and WebSocket connections — have underscored persistent architectural security challenges that go beyond isolated incidents. These types of flaws can allow a maliciously crafted link to compromise host systems and elevate risk for users engaging with agentic assistants for critical operations.

Steinberger’s announcement of his move to OpenAI and the transition of OpenClaw governance to an open-source foundation has been noted as a pivotal moment for the project’s maturation and community stewardship. Enthusiasts argue that formalised governance could help the ecosystem better coordinate on security standards and vetting processes for third-party contributions. At the same time, critics caution that decentralised skill marketplaces will remain a persistent challenge if rigorous security controls and continuous auditing frameworks are not instituted.

Adopters of OpenClaw are responding with a mix of enthusiasm for the platform’s expanded functionality and heightened vigilance regarding security posture. Developers are increasingly focusing on adopting best practices to mitigate exposure, including strict configuration management, whitelisting interactions for web search and fetch tools, and isolating agent operations from critical systems to limit the potential impact of compromise. In parallel, independent security researchers continue to probe the framework and its plugins, sharing findings with the broader community to drive improvements in resilience against emerging threat vectors.