OpenClaw shipped 2026.3.31. The headline is security hardening, and it goes deeper than a patch note.
The most significant change is in the plugin and skill install system. Dangerous-code scan failures now fail closed by default. Before this release, a plugin or skill install that triggered a critical security finding would succeed by default, and refusing it required an explicit override. Now it fails, and the operator has to pass --dangerously-force-unsafe-install to proceed. That is the correct security posture for a platform that runs autonomous agents with file access, credential management, and API call capabilities. The CVE from earlier this year showed what happens when the defaults lean the other way.
The gateway authentication changes are equally substantive. The trusted-proxy configuration now rejects mixed shared-token setups, and the local-direct fallback no longer implicitly authenticates same-host callers. Previously, if you were on the same host as the gateway, the system would authenticate you by virtue of locality rather than token verification. That is gone. You now need the configured token regardless of where the request originates. Combined with the node command and event surface reductions, this release is systematically closing the auth and authorization gaps that are easy to miss in development but catastrophic in production.
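As an added illustration (not OpenClaw's own code), here is a minimal model of the gateway decision the paragraph describes: the legacy path authenticates a same-host caller by locality alone, while the hardened path demands the configured token no matter where the request originates. The config shape, function names and the use of loopback as the "same host" test are assumptions; the token value is a constructed sample.

```python
import hmac
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Hypothetical config shape for illustration only; not OpenClaw's real schema.
@dataclass(frozen=True)
class GatewayConfig:
    shared_token: str
    allow_local_direct: bool = True  # legacy knob: trust same-host callers


def _check_token(presented: Optional[str], expected: str) -> Tuple[bool, str]:
    """Constant-time token check; a missing or empty token never passes."""
    if not presented:
        return False, "missing-token"
    if hmac.compare_digest(presented.encode(), expected.encode()):
        return True, "token"
    return False, "bad-token"


def authorize_legacy(cfg: GatewayConfig, remote_addr: str,
                     presented_token: Optional[str]) -> Tuple[bool, str]:
    """Pre-release behaviour as the post describes it: a caller on the same
    host is authenticated by locality, so any local process that can reach
    the gateway socket gets in without ever presenting the token."""
    if cfg.allow_local_direct and ipaddress.ip_address(remote_addr).is_loopback:
        return True, "local-direct"
    return _check_token(presented_token, cfg.shared_token)


def authorize_hardened(cfg: GatewayConfig, remote_addr: str,
                       presented_token: Optional[str]) -> Tuple[bool, str]:
    """Post-release behaviour: origin does not grant access; the token decides.
    remote_addr is kept only so an audit log can record where the call came from."""
    return _check_token(presented_token, cfg.shared_token)


if __name__ == "__main__":
    cfg = GatewayConfig(shared_token="tok-example")  # constructed sample value
    cases = [("127.0.0.1", None), ("127.0.0.1", "tok-example"), ("10.0.0.5", "wrong")]
    for addr, tok in cases:
        print(addr, tok, "legacy:", authorize_legacy(cfg, addr, tok),
              "hardened:", authorize_hardened(cfg, addr, tok))
```

The second tuple element is the decision reason, which is what you want in the gateway's audit log when checking whether anything still relies on the removed local-direct path.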
Node commands are now disabled until pairing is explicitly approved. Device pairing alone no longer exposes declared node commands. Node-originated runs stay on a reduced trusted surface, which means notification-driven or node-triggered flows that previously relied on broad host or session tool access will need adjustment. For operators who built workflows on the old behavior, this is a breaking change that requires explicit reconfiguration. For anyone securing a production OpenClaw deployment, it is exactly the right call.
The plugin SDK is also entering a deprecation warning cycle. Legacy provider compat subpaths, the older bundled provider setup, and the channel-runtime compatibility shims are all marked for future removal. The currently documented entrypoints are the path forward. This is a platform maturing out of its experimental phase: the APIs are stabilizing, and the team is telling you what is going away before it goes away.
On the operational side, background tasks become a real shared control plane. ACP, subagent, cron, and background CLI execution are now unified under one SQLite-backed ledger with audit, maintenance, and status visibility. Before this, background tasks were ACP-only bookkeeping. Now they are a first-class primitive that works across execution contexts. The linear task flow controls (openclaw flows list|show|cancel) add explicit orchestration for multi-step workflows. For anyone running agents in production, this is the missing piece that makes long-running coordinated tasks observable and recoverable.
Android notification forwarding is a smaller addition but not trivial: package filtering, quiet hours, rate limiting, and safer picker behavior for forwarded notification events. If you run OpenClaw nodes on Android, this changes what your phone knows about what the agent is doing.
The full changelog is on GitHub. The theme is consistent: this is a production-hardening release. The defaults are tightening, the auth surface is shrinking, and the operational primitives are becoming first-class. For anyone running OpenClaw in a real deployment rather than a dev environment, the upgrade is worth scheduling.
OpenClaw 2026.3.31 release notes are at github.com/openclaw/openclaw/releases/tag/v2026.3.31.