OpenClaw LaunchOpenClaw Launch
← All News
release

OpenClaw v2026.3.22: ClawHub Replaces npm, 30+ Security Patches & Gateway Cold Start Fix

Source: GitHub

OpenClaw v2026.3.22 is the most significant release since the project's rebrand, shipping 12 breaking changes, a new default plugin registry, and over 30 security fixes. Released on March 22, 2026, this version marks the project's shift toward a more secure, performant, and self-contained ecosystem.

ClawHub: The New Default Plugin Store

ClawHub now replaces npm as the default plugin registry. The openclaw plugins install command checks ClawHub first and only falls back to npm when packages aren't found. Native skill commands (openclaw skills search, install, update) are fully ClawHub-backed with integrated update metadata. This gives the OpenClaw team more control over plugin quality and security vetting.

Breaking Changes

Self-hosters should prepare for significant migration work:

  • Environment variables: Legacy CLAWDBOT_* and MOLTBOT_* names removed entirely — must rename to OPENCLAW_*
  • State directory: .moltbot auto-detection removed — migrate to ~/.openclaw or set OPENCLAW_STATE_DIR
  • Plugin SDK: openclaw/extension-api eliminated — migrate to openclaw/plugin-sdk/* subpaths
  • Chrome extension relay: Legacy relay path and driver: "extension" removed — run openclaw doctor --fix to migrate
  • Image generation: Bundled nano-banana-pro skill wrapper removed — use agents.defaults.imageGenerationModel instead

30+ Security Patches

Critical fixes include blocking Windows SMB credential leaks via file:// URLs, hardening DNS-SD discovery to fail closed, binding iOS pairing codes to intended profiles, removing jq from the safe-bin allowlist, and escaping Unicode padding in approval prompts.

Gateway Performance

Gateway cold starts have been cut from minutes to seconds by loading compiled dist/extensions instead of recompiling TypeScript at startup. Model catalog caching eliminates repeated overhead per embedded runner turn.

Notable Additions

  • /btw command: Context-preserving side questions during conversations
  • Pluggable sandbox backends with OpenShell support
  • Claude via Google Vertex AI (anthropic-vertex provider)
  • Default model updated to GPT-5.4

Managed hosting on OpenClaw Launch handles all breaking changes and upgrades automatically — no migration work needed.

Build with OpenClaw

Deploy your own AI agent in under 10 seconds — no servers, no CLI.

Deploy Now