OpenClaw v2026.2.25: The Critical Security & Stability Update You Need
Hey everyone,

After the recent malware scare from ClawHub that I flagged a while back, I know security has been top-of-mind for all of us. I've been digging through the full v2026.2.25 release notes, and I'm not exaggerating when I say this is one of the most important updates for our community in a long time.

This isn't a feature-heavy release. It's a hardening release. And it directly addresses many of the stability and security fears we've been talking about right here in this group. Here's the breakdown of what matters to us as builders.

The Big One: Massive Security Overhaul

This release ships with nearly 20 critical security patches. This isn't routine maintenance. It's a direct response to the kinds of vulnerabilities that keep us up at night. Many of these were reported by community security researchers like @tdjackey and @bmendonca3.

Why it matters to you: Remember the malware that spread through a popular skill? This update hardens the system against exactly that kind of attack. It blocks multiple pathways for remote code execution, session hijacking, and data leakage. Specifically, they've plugged holes in gateway WebSocket authentication (preventing brute-force and session takeover), hardened the file system against malicious symlinks and hardlinks (a common escape vector), blocked unauthorized event injections through chat platform reactions on Discord, Slack, Signal, and Telegram, and fixed an OAuth PKCE verifier exposure in the macOS beta onboarding flow.

If you're running OpenClaw for clients or handling any sensitive data, this update is non-negotiable.

Stability Fixes That Address Our Biggest Headaches

Beyond security, this update tackles some of the most common and frustrating issues we've all faced in this community.

Runaway Agents & Costs: Several fixes target the agent delivery and cron systems. The subagent completion dispatch has been refactored into a proper state machine, and there's a new duplicate-send guard for cron jobs. This should help prevent the kind of orphaned processes and duplicate sends that have led to those terrifying, unexpected API bills. If you've experienced what Christo Roberts described with his $100+/day spike, these fixes are directly relevant.
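As an added illustration of the symlink/hardlink escape vector the post mentions, here is a workspace confinement check written for this thread; it is not OpenClaw's own implementation, and the workspace layout, the helper names and the policy of refusing hardlinked files are assumptions.

```python
import os
import tempfile
from pathlib import Path


class UnsafePathError(Exception):
    """Raised when a requested path escapes the workspace or is a link."""


def resolve_in_workspace(root: str, requested: str) -> Path:
    """Return the real path of `requested` only if it stays inside `root`.

    Assumed policy: reject '..' traversal, symlinks whose target leaves the
    workspace, and regular files with a link count > 1 (a hardlink to a file
    elsewhere on the same filesystem looks like an ordinary in-tree file).
    """
    root_real = Path(root).resolve(strict=True)
    # resolve() follows every symlink component, so the containment check
    # below sees the final target rather than the in-tree link name.
    candidate = (root_real / requested).resolve(strict=False)
    if candidate != root_real and root_real not in candidate.parents:
        raise UnsafePathError(f"{requested!r} resolves outside the workspace")
    if candidate.exists() and not candidate.is_dir():
        nlink = os.stat(candidate).st_nlink
        if nlink > 1:
            raise UnsafePathError(f"{requested!r} is hardlinked (nlink={nlink})")
    return candidate


def demo() -> dict:
    """Constructed layout: a safe file, an escaping symlink, a hardlink, and
    a '..' traversal, all aimed at a secret that lives outside the workspace."""
    outcome = {}
    with tempfile.TemporaryDirectory() as tmp:
        ws = Path(tmp) / "workspace"
        ws.mkdir()
        (ws / "notes.md").write_text("safe content\n")
        secret = Path(tmp) / "secret.txt"  # outside the workspace root
        secret.write_text("constructed token\n")
        (ws / "escape").symlink_to(secret)
        os.link(secret, ws / "hard")
        for name in ("notes.md", "escape", "hard", "../secret.txt"):
            try:
                resolve_in_workspace(str(ws), name)
                outcome[name] = "allowed"
            except UnsafePathError:
                outcome[name] = "blocked"
    return outcome


if __name__ == "__main__":
    print(demo())
```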
URGENT: Top Downloaded ClawHub Skill Was Malware — Are Your Agents Secure?
If you've downloaded skills from ClawHub, your machine and your clients' data could be at risk. This isn't a theoretical warning anymore. A recent investigation by 1Password found that the top-downloaded "Twitter" skill was actively distributing infostealing malware. This post breaks down exactly what happened, why it matters to every single person in this community, and the immediate steps you need to take to protect yourself.

Why This Matters To You

The promise of OpenClaw is building powerful AI agents that can automate our work. But that power comes with a hidden cost. The very skills we use to make our agents smarter have become a new attack surface. The malware discovered was designed to steal everything from your browser sessions and API keys to your crypto wallets. For anyone building solutions for clients or handling sensitive data, a breach like this could be devastating.

How a "Harmless" Markdown File Became a Weapon

The 1Password security team found that the most popular skill on ClawHub wasn't just a guide; it was a trap. It used a classic social engineering trick, telling users to install a "required dependency" to get the skill to work. That link, however, kicked off a 5-step installation chain that ended with macOS infostealing malware on the user's machine. This wasn't a bug or an accident; it was a deliberate, malicious campaign that reportedly involved hundreds of other skills.

The So What: This proves that we cannot trust download counts as a measure of safety. The core of the problem is that in an agent ecosystem, a simple markdown file is not just content—it's an installer. It can execute commands and scripts, making every skill a potential trojan horse.

Your Security Setup Might Not Be Enough

Many of us are taking steps to secure our OpenClaw instances, from using hardened DigitalOcean droplets to implementing reviewer-based norms. This incident shows why those measures are critical. The article confirms that even if you're using the Model Context Protocol (MCP), a malicious skill can simply bypass it by using direct shell commands hidden in the skill's folder.
This is how we build trust. (and why it matters to every single one of you)
Hey Builders,

I need to talk to you about something that doesn't get enough attention in the AI agent space. And honestly, it's the thing that will separate the platforms that survive from the ones that become cautionary tales.

Security. Not the boring kind. Not the "we take your privacy seriously" copy-paste nonsense. I'm talking about real, transparent, community-driven security for AI agents that can take real-world actions.

Think about what OpenClaw agents can actually do. They execute shell commands on your machine. They send messages through WhatsApp, Telegram, Discord, Slack. They read and write files. They fetch URLs. They schedule automated tasks. They access your connected services and APIs. That's not a chatbot. That's a digital employee with the keys to your kingdom. Done wrong, that's a massive liability. Done right, it changes personal computing forever.

OpenClaw just launched the OpenClaw Trust page, and I want to break down why this matters to you as a builder. They're building our entire security program in the open. Here's what that looks like:

1. TOTAL TRANSPARENCY - OC is developing our threat model publicly on GitHub. Not hiding behind "security through obscurity." They are laying out every risk - prompt injection, indirect injection, tool abuse, identity spoofing - all of it. Because attackers already know these techniques. The only people kept in the dark by secrecy are the users.

2. PUBLIC SECURITY ROADMAP - Every defensive engineering goal is tracked as a public GitHub issue. Input validation for injection attempts. Tool confirmation for sensitive actions. Fine-grained per-tool permissions. Spending controls. Signed releases. You can see it all, track our progress, and contribute.

3. DEEP CODE REVIEW - OC is doing a full, manual, top-to-bottom security review of the entire codebase. Not just running automated scanners. Human experts going through every line of agent execution, tool implementation, message processing, gateway code, auth, session management - everything. Led by Jamieson O'Reilly, founder of Dvuln and CREST Advisory Council member.
OpenClawBuilders/AI Automation
skool.com/openclawbuilders
Master OpenClaw/Moltbot/Clawd: From confused install to secured automated workflows in 30 days