OpenClaw v2026.2.6: Opus 4.6, Safety Scanner, and the Security Hardening Era

What Dropped

OpenClaw v2026.2.6 shipped February 7, 2026.

This isn't a features-first release. It's a security-first release. The ClawHavoc campaign forced OpenClaw's hand — 341 malicious skills discovered in the wild, credential exfiltration vectors in config responses, and unauthenticated Gateway canvas hosts. All addressed in this single release.

There's also meaningful model expansion. Opus 4.6, GPT-5.3-Codex, Grok, and Baidu Qianfan all land as supported providers. Plus a new browser automation tool called Unbrowse that generates skills 100x faster than traditional approaches.

Here's everything that matters.

New Model Support

Five provider-level changes in this release. The model roster is getting wide.

Anthropic Opus 4.6

Full support for Opus 4.6 with forward-compatibility fallbacks. If your provider hasn't rolled Opus 4.6 yet, OpenClaw gracefully falls back to Opus 4.5 without breaking your config. The agents subsystem bumps pi-mono to 0.52.7 specifically for Opus compatibility.

{
  "agents": {
    "defaults": {
      "model": {
        "primary": "anthropic/claude-opus-4-6"
      }
    }
  }
}

OpenAI GPT-5.3-Codex

GPT-5.3-Codex is now a first-class provider. This is OpenAI's code-specialized model — strong at structured generation and function calling. Useful as a routing target for code-heavy tasks where you want to avoid Opus pricing.

xAI Grok

Grok joins as a new provider. This is xAI's model, now accessible through OpenClaw's unified provider interface. Configure it the same way as any other provider:

{
  "agents": {
    "defaults": {
      "models": {
        "xai/grok": {
          "alias": "grok"
        }
      }
    }
  }
}

Baidu Qianfan

Baidu's Qianfan platform is now a supported provider. This matters for teams operating in China or needing models trained on Chinese-language data. Configuration follows the standard provider pattern.

Safety Scanner

This is the headline feature. And it exists because of a real attack.

The safety scanner is OpenClaw's direct response. Every skill and plugin submitted to ClawHub now passes through an automated code safety scan before it's available for installation.

What It Scans

• Hook scripts — checks for outbound network calls, credential access patterns, and obfuscated code
• Plugin manifests — validates declared permissions match actual code behavior
• Skill definitions — ensures skill code doesn't access filesystem paths outside declared scope
• Dependencies — flags known-malicious packages and suspicious dependency chains

VirusTotal Partnership

OpenClaw is exploring a potential VirusTotal integration for marketplace integrity. The idea: every ClawHub submission gets cross-referenced against VirusTotal's threat database before publication. This isn't live yet, but the scanner infrastructure is built to support it.

Credential Redaction

Config responses now redact credentials automatically. Previously, certain API responses could leak API keys and tokens in their payloads. This release ensures sensitive values are masked before they reach the agent's context window.

{
  "provider": "anthropic",
  "api_key": "sk-ant-***REDACTED***",
  "status": "connected"
}

If you're running a multi-user OpenClaw deployment, this alone justifies the upgrade.

Security Hardening

Beyond the scanner, v2026.2.6 closes several attack surface gaps across the Gateway, Control UI, and exec approval system.

Gateway Canvas Host Authentication

Gateway canvas hosts now require authentication. Previously, canvas-rendered content could be served to unauthenticated clients. This was a vector for serving malicious content through an OpenClaw instance's Gateway endpoint.

A2UI Asset Authentication

Same treatment for A2UI (Agent-to-UI) assets. All asset serving now goes through the auth layer. No more anonymous access to UI components.

Control UI Asset Hardening

Control UI asset handling during updates has been hardened. The update process previously had a window where assets could be swapped. That window is closed.

Exec Approval Allowlist Fix

A subtle but important fix: exec approvals now coerce string allowlists to objects. Previously, if you passed a string where an object was expected in your exec approval config, the allowlist would silently fail open. Now it's properly coerced.

New Features

Security dominated this release, but there's real feature work too.

Web UI Token Usage Dashboard

The web UI now includes a token usage dashboard. Track input tokens, output tokens, cache hits, and cost breakdowns directly in the browser. No more digging through logs or using third-party tools for basic usage visibility.

Native Voyage AI Support for Memory

Memory embeddings now support Voyage AI natively. If you're using OpenClaw's memory system for long-term context, you can point it at Voyage AI's embedding models instead of defaulting to OpenAI embeddings.

{
  "memory": {
    "embedding": {
      "provider": "voyageai",
      "model": "voyage-3"
    }
  }
}

Capped sessions_history Payloads

The sessions_history payload is now capped. This directly addresses context overflow issues where long-running agents would accumulate session history until the context window was exhausted. The cap keeps payloads manageable without losing critical context.

Unbrowse Browser Automation

This one is interesting. Unbrowse auto-discovers APIs from browser traffic and generates skills from them. Instead of manually writing browser automation scripts, Unbrowse watches your browser traffic, identifies the underlying API calls, and generates OpenClaw skills that call those APIs directly.

The claim: 100x faster than traditional browser automation. No more brittle CSS selectors or waiting for page loads. You get clean API calls instead of simulated clicks.

Other Notable Additions

• Sorted commands alphabetically in help output — small quality-of-life fix that makes the help menu actually scannable
• Telegram DMs auto-inject thread IDs — conversations in Telegram now automatically carry thread context
• Slack strips mentions in commands — @openclaw /run deploy now correctly parses as /run deploy instead of choking on the mention
• Chrome extensions resolve bundled paths — fixes path resolution for Chrome extension integrations that bundle their own assets

Cron & Stability Fixes

Three targeted fixes for production reliability.

Robust Timer Re-arming

Cron scheduling now uses robust timer re-arming. Previously, if a cron job failed mid-execution, the timer wouldn't re-arm for the next interval. The job would silently stop running. Now the timer re-arms regardless of execution outcome.

cron:
  daily_report:
    schedule: "0 9 * * *"
    action: generate_report
    retry_on_failure: true

Compaction Retry on Context Overflow

Context compaction now retries on overflow instead of failing. When an agent's context window fills up during compaction, the system retries with a more aggressive pruning strategy. This prevents the frustrating scenario where an agent dies mid-conversation because compaction itself exceeded the context limit.

Clearer Billing Errors

Billing error messages are now human-readable. Instead of cryptic error codes, you get messages like:

Error: Monthly token budget exceeded ($200.00 / $200.00).
Increase your budget in ~/.openclaw/openclaw.json or wait for the next billing cycle.
Current usage: 42.1M tokens across 847 sessions.

Upgrade Now

This release signals a shift. OpenClaw started as a hobby project — move fast, ship features, worry about security later. That era is ending.

341 malicious skills in the ClawHavoc campaign proved that a platform with this many users can't treat security as an afterthought. The safety scanner, credential redaction, and auth hardening in v2026.2.6 are the foundation. Expect more in this direction.

Upgrade immediately:

openclaw update

Or if you're pinned to a specific version:

pip install openclaw==2026.2.6

Full Changelog

The intelligence is moving from features to foundations. That's the right direction.