diff --git a/appcast.xml b/appcast.xml index 4aa70fb613..c479133d09 100644 --- a/appcast.xml +++ b/appcast.xml @@ -2,6 +2,72 @@ OpenClaw + + 2026.2.1 + Mon, 02 Feb 2026 03:53:03 -0800 + https://raw.githubusercontent.com/openclaw/openclaw/main/appcast.xml + 8650 + 2026.2.1 + 15.0 + OpenClaw 2026.2.1 +

Changes

+
    +
  • Docs: onboarding/install/i18n/exec-approvals/Control UI/exe.dev/cacheRetention updates + misc nav/typos. (#3050, #3461, #4064, #4675, #4729, #4763, #5003, #5402, #5446, #5474, #5663, #5689, #5694, #5967, #6270, #6300, #6311, #6416, #6487, #6550, #6789)
    • +
  • Telegram: use shared pairing store. (#6127) Thanks @obviyus.
    • +
  • Agents: add OpenRouter app attribution headers. Thanks @alexanderatallah.
    • +
  • Agents: add system prompt safety guardrails. (#5445) Thanks @joshp123.
    • +
  • Agents: update pi-ai to 0.50.9 and rename cacheControlTtl -> cacheRetention (with back-compat mapping).
    • +
  • Agents: extend CreateAgentSessionOptions with systemPrompt/skills/contextFiles.
    • +
  • Agents: add tool policy conformance snapshot (no runtime behavior change). (#6011)
    • +
  • Auth: update MiniMax OAuth hint + portal auth note copy.
    • +
  • Discord: inherit thread parent bindings for routing. (#3892) Thanks @aerolalit.
    • +
  • Gateway: inject timestamps into agent and chat.send messages. (#3705) Thanks @conroywhitney, @CashWilliams.
    • +
  • Gateway: require TLS 1.3 minimum for TLS listeners. (#5970) Thanks @loganaden.
    • +
  • Web UI: refine chat layout + extend session active duration.
    • +
  • CI: add formal conformance + alias consistency checks. (#5723, #5807)
    • +
+

Fixes

+
    +
  • Plugins: validate plugin/hook install paths and reject traversal-like names.
    • +
  • Telegram: add download timeouts for file fetches. (#6914) Thanks @hclsys.
    • +
  • Telegram: enforce thread specs for DM vs forum sends. (#6833) Thanks @obviyus.
    • +
  • Streaming: flush block streaming on paragraph boundaries for newline chunking. (#7014)
    • +
  • Streaming: stabilize partial streaming filters.
    • +
  • Auto-reply: avoid referencing workspace files in /new greeting prompt. (#5706) Thanks @bravostation.
    • +
  • Tools: align tool execute adapters/signatures (legacy + parameter order + arg normalization).
    • +
  • Tools: treat "*" tool allowlist entries as valid to avoid spurious unknown-entry warnings.
    • +
  • Skills: update session-logs paths from .clawdbot to .openclaw. (#4502)
    • +
  • Slack: harden media fetch limits and Slack file URL validation. (#6639) Thanks @davidiach.
    • +
  • Lint: satisfy curly rule after import sorting. (#6310)
    • +
  • Process: resolve Windows spawn() failures for npm-family CLIs by appending .cmd when needed. (#5815) Thanks @thejhinvirtuoso.
    • +
  • Discord: resolve PluralKit proxied senders for allowlists and labels. (#5838) Thanks @thewilloftheshadow.
    • +
  • Tlon: add timeout to SSE client fetch calls (CWE-400). (#5926)
    • +
  • Memory search: L2-normalize local embedding vectors to fix semantic search. (#5332)
    • +
  • Agents: align embedded runner + typings with pi-coding-agent API updates (pi 0.51.0).
    • +
  • Agents: ensure OpenRouter attribution headers apply in the embedded runner.
    • +
  • Agents: cap context window resolution for compaction safeguard. (#6187) Thanks @iamEvanYT.
    • +
  • System prompt: resolve overrides and hint using session_status for current date/time. (#1897, #1928, #2108, #3677)
    • +
  • Agents: fix Pi prompt template argument syntax. (#6543)
    • +
  • Subagents: fix announce failover race (always emit lifecycle end; timeout=0 means no-timeout). (#6621)
    • +
  • Teams: gate media auth retries.
    • +
  • Telegram: restore draft streaming partials. (#5543) Thanks @obviyus.
    • +
  • Onboarding: friendlier Windows onboarding message. (#6242) Thanks @shanselman.
    • +
  • TUI: prevent crash when searching with digits in the model selector.
    • +
  • Agents: wire before_tool_call plugin hook into tool execution. (#6570, #6660) Thanks @ryancnelson.
    • +
  • Browser: secure Chrome extension relay CDP sessions.
    • +
  • Docker: use container port for gateway command instead of host port. (#5110) Thanks @mise42.
    • +
  • fix(lobster): block arbitrary exec via lobsterPath/cwd injection (GHSA-4mhr-g7xj-cg8j). (#5335) Thanks @vignesh07.
    • +
  • Security: sanitize WhatsApp accountId to prevent path traversal. (#4610)
    • +
  • Security: restrict MEDIA path extraction to prevent LFI. (#4930)
    • +
  • Security: validate message-tool filePath/path against sandbox root. (#6398)
    • +
  • Security: block LD*/DYLD* env overrides for host exec. (#4896) Thanks @HassanFleyah.
    • +
  • Security: harden web tool content wrapping + file parsing safeguards. (#4058) Thanks @VACInc.
    • +
  • Security: enforce Twitch allowFrom allowlist gating (deny non-allowlisted senders). Thanks @MegaManSec.
    • +
+

View full changelog

+]]> + + 2026.1.30 Sat, 31 Jan 2026 14:29:57 +0100 @@ -179,21 +245,5 @@ Status: stable. ]]> - - 2026.1.24-1 - Sun, 25 Jan 2026 14:05:25 +0000 - https://raw.githubusercontent.com/openclaw/openclaw/main/appcast.xml - 7952 - 2026.1.24-1 - 15.0 - OpenClaw 2026.1.24-1 -

Fixes

-
    -
  • Packaging: include dist/shared output in npm tarball (fixes missing reasoning-tags import on install).
    • -
-

View full changelog

-]]> - - \ No newline at end of file