What Shipped in OpenClaw v2026.4.27?
OpenClaw v2026.4.27 delivers a comprehensive update focused on three strategic pillars: secure desktop automation through Codex Computer Use, expanded model provider options via DeepInfra integration, and hardened reliability across mobile and messaging channels. The release introduces fail-closed MCP checks that prevent unauthorized desktop control when using Codex-mode automation, addressing critical security concerns for production deployments. DeepInfra joins the bundled provider set with automatic model discovery, media generation, TTS, and embeddings, offering open-weight alternatives to proprietary APIs. The update also brings manifest-first metadata for plugins, significantly reducing Gateway boot times by moving provider configuration from runtime computation to static declarations. Mobile platforms receive authenticated presence protocols for iOS and Android, ensuring accurate last-seen tracking without draining battery. Reliability improvements cover Telegram startup sequences, Slack socket reconnection logic, and Windows restart handoffs. Additionally, sandboxed agents can now access host GPUs through Docker passthrough, enabling local inference workloads within secure containers. Non-image attachments gain proper handling in chat pipelines, and Tencent Yuanbao with QQBot expand channel coverage for Chinese markets. This release signals OpenClaw’s maturation into enterprise-grade infrastructure while maintaining its open-source foundation.
This version marks a significant leap forward in OpenClaw’s capabilities, moving it beyond a purely conversational agent framework into a robust platform for enterprise automation. The emphasis on security, particularly with the fail-closed MCP checks, ensures that organizations can deploy autonomous agents with confidence, even in sensitive environments. The expanded provider ecosystem, featuring DeepInfra, democratizes access to advanced AI models by making open-weight alternatives more readily available and easier to integrate. Furthermore, the numerous reliability enhancements across various communication channels underscore a commitment to stability and operational excellence. These improvements collectively empower developers and businesses to build more sophisticated, secure, and globally accessible AI solutions using OpenClaw.
How Does Codex Computer Use Change OpenClaw Desktop Automation?
Codex Computer Use transforms OpenClaw from a conversational interface into a full desktop automation platform capable of interacting with any GUI application. The integration provides setup commands that handle installation and status monitoring, plus marketplace discovery that lets you browse and deploy computer-use configurations without manual setup. When activated, agents capture screenshots, analyze interface elements, and execute mouse movements, clicks, and keyboard input through OpenAI’s Codex model. The implementation uses structured RPC endpoints rather than shell-based workarounds, creating a reliable bridge between language models and operating system interactions. You trigger automation through standard agent instructions, and the framework manages the perception-action loop, converting visual observations into structured data for the model. This differs fundamentally from previous automation attempts that relied on brittle coordinate-based scripting or accessibility APIs alone. The marketplace component allows sharing of computer-use presets for specific applications, reducing setup time for common workflows. For developers building automated testing, data entry, or personal assistant systems, this removes the friction of maintaining VNC servers or custom vision pipelines. The integration respects existing permission models while adding granular controls specific to desktop interactions, ensuring agents only access authorized screen regions and applications.
This capability fundamentally redefines the scope of tasks that OpenClaw agents can perform. Instead of being limited to text-based interactions or API calls, agents can now mimic human interaction with any software on a desktop. Consider scenarios like automating complex data entry across legacy applications, generating reports by navigating multiple browser tabs, or even assisting with software development by interacting directly with IDEs. The structured RPC approach ensures higher reliability and maintainability compared to screen-scraping or brittle scripting methods. The marketplace for computer-use configurations further accelerates development, allowing users to leverage community-contributed automation recipes for common applications like Microsoft Office suites, web browsers, or specialized enterprise software. This means less time spent on initial setup and more time on refining agent logic for specific business outcomes.
What Are Fail-Closed MCP Checks and Why Do They Matter?
Fail-closed MCP checks implement a default-deny security posture for OpenClaw’s Model Context Protocol, ensuring that authorization failures block actions rather than permit them. MCP governs how agents access tools, external systems, and now desktop environments. Previously, failed permission checks or network errors during validation might default to allowing access, creating vulnerabilities where misconfigured agents could execute unauthorized commands. Version 2026.4.27 inverts this logic for Codex Computer Use: if the system cannot verify permissions, the action halts immediately. These checks validate both agent identity and specific actions against policy manifests before allowing cursor movements, keystrokes, or application launches. The implementation requires explicit allow rules for each desktop interaction type, preventing the “confused deputy” problem where a compromised model might attempt privilege escalation. For production deployments, this means authentication service outages or configuration errors result in frozen automation rather than security breaches. You configure these policies through YAML manifests that define allowed applications, screen regions, and input types. This security model aligns with OpenClaw’s broader ecosystem including ClawShield and AgentWard, providing defense in depth for autonomous agents operating in sensitive environments.
The importance of fail-closed security cannot be overstated, especially when dealing with AI agents that have access to sensitive systems. In an ‘allow-by-default’ system, a single misconfiguration or network glitch could inadvertently grant an agent unauthorized control over critical infrastructure or access to confidential data. The fail-closed approach mitigates this by requiring explicit, positive authorization for every action. This creates a much stronger security perimeter, where any ambiguity or failure in the authorization process leads to immediate denial, thus preventing potential breaches. For organizations adhering to strict compliance standards such as GDPR, HIPAA, or PCI DSS, this default-deny posture is not merely a feature but a fundamental requirement. It provides a robust audit trail and ensures that all agent actions are traceable and explicitly sanctioned, significantly reducing the attack surface and enhancing overall system integrity.
DeepInfra Integration: A New Model Provider Ecosystem
DeepInfra joins OpenClaw’s bundled provider set as a fully integrated option for hosting open-weight models without local GPU infrastructure. The integration features automatic model discovery, allowing the Gateway to dynamically fetch available models from DeepInfra’s API rather than relying on static configuration files that require manual updates. You gain native access to media generation and editing capabilities, text-to-speech synthesis, and embedding models through unified endpoints that match OpenClaw’s standard provider interface. The provider-owned onboarding policy means DeepInfra manages authentication flows, rate limiting, and compliance requirements independently, reducing maintenance overhead for OpenClaw core while ensuring rapid updates when DeepInfra adds new capabilities. This contrasts with community-maintained providers that often lag behind API changes or lack comprehensive feature support. For builders, DeepInfra enables immediate experimentation with models like Llama 3, Mistral, and Qwen without provisioning hardware or managing model files. The integration supports both synchronous and streaming response patterns, fitting seamlessly into existing agent conversation flows. Configuration requires only adding your DeepInfra API key to the provider settings, after which models appear in the standard selection interface alongside OpenAI and Anthropic options.
This integration significantly broadens the horizons for OpenClaw developers, providing access to a diverse range of open-source models without the complexities of managing local hardware. DeepInfra’s platform specializes in optimized deployment of these models, offering performance and scalability that would be challenging for individual developers or smaller organizations to achieve on their own. The automatic model discovery feature is particularly beneficial, as it keeps your OpenClaw deployment current with the latest advancements in the open-source AI community without manual intervention. This means agents can leverage cutting-edge models as soon as they become available on DeepInfra, ensuring that your AI applications remain competitive and performant. Furthermore, the unified endpoint for various capabilities like media generation and embeddings simplifies agent development, allowing developers to switch between models and providers with minimal code changes. This flexibility is crucial for building adaptable and future-proof AI solutions.
Provider Comparison: DeepInfra vs Existing Options
Choosing between DeepInfra and existing OpenClaw providers involves trade-offs between convenience, cost, and data sovereignty. DeepInfra offers immediate access to open-weight models without hardware investment, while OpenAI and Anthropic provide proprietary frontier capabilities. Local providers ensure complete data privacy but require significant GPU resources and maintenance overhead.
| Feature | DeepInfra | OpenAI | Local LLM |
|---|---|---|---|
| Model Discovery | Automatic | Static list | Manual config |
| Media Generation | Native | Native | Depends on model |
| TTS/Embeddings | Built-in | Built-in | Separate setup |
| Data Privacy | Provider-hosted | Provider-hosted | Fully local |
| GPU Required | No | No | Yes |
| Cost Structure | Usage-based | Usage-based | Hardware + power |
DeepInfra fills the gap between expensive proprietary APIs and resource-intensive local deployment. You get the benefits of open models with the reliability of managed infrastructure. The provider-owned policy means updates propagate automatically without waiting for OpenClaw releases. DeepInfra particularly excels for teams needing specific open-weight model versions or custom fine-tunes without managing inference infrastructure. The automatic discovery means new models appear in your Gateway immediately upon DeepInfra release, eliminating the lag time typical of community provider updates. For hybrid deployments, route sensitive queries to local models and general tasks to DeepInfra, optimizing both privacy and cost.
Consider a scenario where an organization needs to process a large volume of non-sensitive customer inquiries using an open-source model for cost efficiency, while simultaneously handling highly confidential internal documents with a locally hosted, privacy-preserving model. DeepInfra provides an excellent solution for the former, allowing for scalable and cost-effective inference without the need for internal GPU clusters. For the latter, OpenClaw’s local LLM option ensures that data never leaves the organization’s controlled environment. This hybrid approach allows businesses to tailor their AI infrastructure to specific use cases, balancing performance, cost, and data security requirements. The ability to seamlessly integrate and switch between these providers within the OpenClaw framework offers unparalleled flexibility for diverse operational needs.
Tencent Yuanbao and QQBot: Expanding Channel Coverage
OpenClaw v2026.4.27 significantly expands communication channel coverage through Tencent Yuanbao and QQBot integrations, targeting China’s massive user base where QQ remains a dominant workplace platform. Yuanbao documentation and catalog entries now appear in the standard plugin registry, enabling deployment on Tencent’s AI platform with proper metadata and configuration schemas. The QQBot implementation supports group chat interactions, streaming responses, and media uploads, transforming QQ from a simple notification channel into a full agent interaction surface capable of handling complex workflows. The underlying pipeline refactor separates message handling from protocol-specific logic, creating a cleaner architecture that simplifies adding future Tencent services or similar protocols. You configure QQBot through standard channel configuration using Tencent app credentials and API keys. Streaming support means long-running agent tasks can send progress updates rather than blocking until completion, improving user experience for operations lasting minutes or hours. Media upload capabilities allow agents to share generated images, documents, or audio directly in QQ groups, enabling rich content distribution. This integration proves essential for teams building customer service bots, internal tools, or automation systems for Chinese operations where WeChat and QQ dominate business communications.
This strategic expansion into the Tencent ecosystem is crucial for organizations looking to deploy OpenClaw agents in markets where QQ and WeChat are primary communication platforms. The integration moves beyond basic messaging, offering robust features like streaming responses, which are vital for maintaining user engagement during complex or time-consuming agent tasks. Imagine a customer support agent providing step-by-step troubleshooting in a QQ group, with each step delivered as it’s processed, rather than a single, delayed block of text. Similarly, the media upload functionality allows agents to enrich interactions with visual aids, audio instructions, or relevant documents, enhancing clarity and user experience. This level of integration ensures that OpenClaw agents can operate effectively and naturally within the specific communication paradigms prevalent in the Chinese market, making them more accessible and useful to a larger user base.
Manifest-First Metadata and Gateway Performance
The transition to manifest-first metadata fundamentally restructures how OpenClaw handles plugin startup and model catalog management, delivering significant performance improvements for Gateway initialization. Previously, the Gateway performed extensive runtime computation to resolve provider aliases, model suppressions, and configuration rows, often adding seconds to boot time. Now, this metadata resides in static JSON manifest files that load at startup, reducing initialization to milliseconds while making configurations auditable through version control. The manifest schema defines provider capabilities, model aliases, suppression rules, and authentication requirements explicitly, eliminating the need for database queries during boot. You audit provider configurations by reading these declarative files rather than querying running services or inspecting environment variables. This change particularly benefits large deployments managing dozens of providers and hundreds of model aliases across multiple environments. The manifests support inheritance and environment-specific overrides, allowing you to define base configurations and layer production or staging modifications. When adding new providers, you simply drop a manifest file into the providers.d/ directory. The Gateway validates manifests at startup, failing immediately on schema errors rather than discovering them during request processing, promoting infrastructure-as-code practices.
This architectural shift profoundly impacts the operational efficiency and reliability of OpenClaw deployments. By moving configuration validation and loading to static manifests, the Gateway becomes more predictable and faster to start. This is especially critical in dynamic environments where services might need to restart frequently or scale elastically. The ‘infrastructure-as-code’ paradigm enabled by manifest-first metadata allows development teams to manage their OpenClaw configurations using standard version control systems like Git, facilitating peer review, automated deployments, and easier rollback procedures. This significantly reduces the risk of configuration errors in production and streamlines the process of onboarding new providers or updating existing ones. For large-scale enterprise deployments, where uptime and configuration consistency are paramount, this improvement translates directly into enhanced system stability and reduced operational overhead.
GPU Passthrough for Docker Sandboxes
Sandboxed agents gain hardware acceleration capabilities through the new sandbox.docker.gpus configuration option, allowing Docker containers to access host GPU resources for local inference and training workloads. When enabled, OpenClaw passes the --gpus flag to the Docker daemon during container creation, exposing NVIDIA or AMD devices to the sandboxed environment without compromising filesystem isolation. This resolves issue #57976, which previously forced users to choose between security isolation and GPU acceleration for compute-intensive tasks. You configure GPU access in your sandbox settings:
sandbox:
docker:
gpus: all # or specific device IDs like "0,1"The implementation requires the NVIDIA Container Toolkit or equivalent AMD ROCm support installed on the host Docker runtime. Once configured, agents running inside sandboxes can execute PyTorch, TensorFlow, or ONNX workloads at full speed without CPU fallback. This enables secure execution of computer vision tasks, local LLM inference, or fine-tuning on agent-collected data. Security boundaries remain intact because GPU access does not imply container escape; the agent cannot access the host filesystem despite having hardware acceleration. For production deployments, this allows GPU-intensive skills to run in isolated environments without exposing sensitive host resources.
This feature is a game-changer for deploying AI agents that require significant computational power while maintaining strict security protocols. Previously, organizations faced a dilemma: sacrifice security for performance by running agents directly on the host, or sacrifice performance for security by running them in isolated CPU-only containers. GPU passthrough eliminates this trade-off, allowing agents to leverage the full power of dedicated hardware accelerators within a secure, containerized environment. This opens up new possibilities for on-premise AI applications, such as real-time video analysis for security systems, complex scientific simulations, or running large language models for internal knowledge management, all while ensuring that the agent’s access is strictly controlled and isolated from the host system. The ability to specify all GPUs or particular device IDs offers granular control, enabling optimized resource allocation for different agent types or workloads.
Mobile Presence Protocol Updates
Mobile nodes receive durable presence tracking through new authenticated protocol events that maintain accurate last-seen metadata across network transitions and battery optimization events. The node.presence.alive event fires when iOS or Android clients wake from background states or reconnect after brief disconnections, updating the Gateway’s node registry without establishing resource-intensive persistent connections. This carries forward work from issue #63123, addressing the problem where mobile nodes appeared offline during normal operation due to aggressive power management or network switching. On iOS, the Gateway accepts node.presence.alive as an authenticated heartbeat, updating node.list last-seen fields while distinguishing between “recently active” and “fully connected” states. Android implements similar logic after node connect and background transitions, ensuring paired devices retain durable metadata even after disconnects. You benefit from accurate presence information when building mobile-first agents that need to know if a user’s phone is reachable for push notifications or task handoffs. The protocol uses existing JWT authentication tokens, requiring no additional configuration. This architecture reduces battery drain on mobile devices by eliminating keep-alive polling while maintaining an accurate network map for routing decisions and presence-aware agent behaviors.
These updates are essential for building reliable mobile-centric agent experiences. In previous versions, the aggressive power management of modern mobile operating systems could lead to inconsistent presence reporting, causing agents to incorrectly assume a user was offline. This resulted in missed notifications, failed task handoffs, and a generally unreliable user experience. The new authenticated presence protocol resolves this by providing a more intelligent and battery-efficient way for mobile clients to signal their availability. For example, a personal assistant agent can now more accurately determine if it should send a push notification to a user’s phone or route a message to a desktop client, based on real-time and accurate presence data. This improvement enhances the responsiveness and usefulness of mobile agents, making them a more integral part of a user’s daily workflow without compromising device battery life.
Reliability Improvements Across Channels
This release hardens message delivery and startup sequences across Telegram, Slack, and Windows deployments, addressing production pain points reported by teams running continuous operations. Telegram bots now handle startup races where the Gateway attempts to send messages before the bot fully initializes with Telegram’s servers, preventing dropped notifications during agent restarts or network reconnections. Slack integrations resolve socket mode stalls that previously caused agents to stop receiving messages after network hiccups, implementing automatic reconnection logic that preserves conversation context and pending message queues. The Gateway startup sequence now includes prewarming steps that initialize provider connections and validate authentication tokens before accepting requests, eliminating cold-start latency on first inference and preventing cascading failures during high-traffic restarts. Session and history defaults have been adjusted to prevent unbounded memory growth in long-running conversations, implementing automatic pruning of old context windows. Windows deployments gain proper restart handoffs, ensuring that agent processes terminate cleanly before updates install, preventing port conflicts and zombie processes that previously required manual intervention. These fixes collectively improve uptime for 24/7 agent operations, reducing the operational burden of maintaining stable messaging integrations across diverse platforms.
The cumulative effect of these reliability improvements is a significantly more robust and resilient OpenClaw system. For businesses relying on agents for critical operations, stability is paramount. The fixes for Telegram and Slack, in particular, address common scenarios where temporary network instability could lead to service interruptions, ensuring that agents remain connected and responsive. The Gateway prewarming steps are vital for high-availability environments, as they minimize the impact of restarts and ensure that agents are fully operational from the moment they come online. Furthermore, the memory management improvements for long-running conversations prevent resource exhaustion, which is a common issue in continuous agent deployments. For Windows users, the enhanced restart handoffs simplify maintenance and updates, reducing the need for manual intervention and improving overall system health. These enhancements demonstrate OpenClaw’s commitment to providing a production-grade platform for AI agent development and deployment.
Handling Non-Image Attachments in Chat
The Gateway’s chat pipeline now properly handles non-image attachments through chat.send, staging files as agent-readable media paths rather than silently dropping unsupported formats or returning cryptic errors. Previously, sending PDFs, documents, audio files, or archives through chat channels resulted in either RPC failures or silent data loss, forcing developers to implement parallel file handling systems outside the standard message flow. The v2026.4.27 implementation stages these files in a temporary location accessible to the agent container, passing the filesystem path through the standard message attachment structure alongside metadata indicating file type and size. Unsupported RPC attachment paths now return explicit, actionable error messages instead of failing silently, making debugging straightforward. This fixes issue #48123 and enables workflows where users share documents with agents through Slack, Telegram, or QQ, and agents process them using local tools like OCR or text extraction. You handle these attachments in agent logic by checking the message attachment MIME type and reading from the provided staging path. The staging area implements automatic cleanup after processing or timeout, preventing disk bloat on long-running Gateways. This unification reduces code duplication across channel implementations and simplifies agent development for document-heavy workflows.
This enhancement significantly broadens the types of interactions agents can have with users, moving beyond simple text and image exchanges. Imagine an agent that can receive a PDF document via Slack, extract key information using OCR, summarize it, and then respond to user queries about its content—all within the same chat interface. This was previously a complex endeavor, requiring custom workarounds for file handling. Now, with native support for various attachment types, developers can build more sophisticated and versatile agents that seamlessly integrate into document-centric workflows. The explicit error messages for unsupported paths also contribute to a better developer experience, allowing for quicker identification and resolution of issues. This feature is particularly valuable for enterprise applications where agents need to interact with a wide range of file types, from spreadsheets and presentations to audio recordings and code archives, making OpenClaw a more comprehensive platform for business automation.
OpenClaw Security Architecture: Fail-Closed Design Philosophy
The fail-closed MCP checks in v2026.4.27 embody a fundamental security philosophy shift within OpenClaw: default denial over default permission, assuming hostility rather than trust. This architectural approach requires explicit authorization for every sensitive operation, treating the language model itself as a potentially compromised component. When applied to Codex Computer Use, it means the agent cannot interact with the desktop unless every link in the authorization chain validates successfully, from JWT token verification through policy manifest checks to action-specific permissions. This aligns with existing security infrastructure like ClawShield and AgentWard, which provide runtime enforcement and behavioral monitoring. The three-layer defense prevents the “confused deputy” problem where a compromised or misled model attempts privilege escalation or unauthorized data access. You configure this security model through policy manifests that define allowed actions, required authentication levels, resource limits, and escalation procedures. The fail-closed model extends beyond desktop control to other high-risk operations as the framework evolves, creating a consistent security boundary across all agent capabilities. For enterprise deployments handling sensitive data or operating in regulated industries, this provides the auditability and safety guarantees required for production autonomy.
This design philosophy is a cornerstone of building secure AI systems, especially as agents gain more autonomy and access to critical resources. The ‘fail-closed’ principle ensures that security is baked into the core of the system, rather than being an afterthought. By treating the language model as a potentially untrustworthy entity, OpenClaw forces explicit verification at every step, significantly reducing the risk of malicious or erroneous actions. For instance, if an agent is designed to interact with a specific financial application, the MCP policy can be configured to allow only certain types of interactions (e.g., reading data, but not initiating transactions) and only within defined screen regions. Any attempt outside these parameters, even if generated by the language model, would be immediately blocked. This layered defense, combined with transparent policy manifests, allows security teams to have a clear understanding and control over agent behaviors, providing the peace of mind necessary for deploying AI in highly regulated and sensitive environments.
Production Deployment Implications
Shipping OpenClaw v2026.4.27 to production requires rethinking your security posture, provider strategy, and mobile client handling. The fail-closed MCP checks mandate explicit whitelisting of desktop automation capabilities; without proper policy configuration, legitimate workflows will fail with authorization errors rather than execute. Audit your existing agent policies before upgrading to prevent service disruptions. DeepInfra integration offers cost optimization opportunities for workloads currently running on expensive proprietary APIs, but requires due diligence on their data handling practices against your compliance requirements. The manifest-first metadata changes mean invalid provider configurations now cause hard failures at boot rather than runtime warnings; validate all manifests in staging environments first. GPU passthrough enables new use cases like local document processing and vision tasks, but requires Docker GPU drivers on all production hosts and careful resource management to prevent contention. Mobile presence updates improve reliability for phone-based agents but may change how your applications handle “offline” states, potentially affecting user experience if you rely on immediate disconnect detection. Test Telegram and Slack integrations thoroughly, as the reliability fixes alter reconnection timing and message queuing behavior.
The transition to this new version is not merely a software update but a strategic decision that impacts various facets of your AI operations. Organizations must undertake a comprehensive review of their current agent workflows and security policies. For instance, if you plan to leverage Codex Computer Use, developing and testing granular MCP policies is paramount. This involves defining which applications agents can access, what actions they can perform, and under what conditions. Similarly, while DeepInfra offers compelling cost and flexibility benefits, evaluating its security and compliance certifications against your organizational standards is a critical step. The manifest-first metadata, while improving performance, also introduces a stricter configuration validation process, necessitating thorough testing of all provider manifests in pre-production environments. Furthermore, the GPU passthrough feature, while powerful, requires careful planning for hardware provisioning, driver installation, and resource isolation to prevent performance bottlenecks or security vulnerabilities. Finally, the mobile presence and channel reliability improvements, while beneficial, might necessitate adjustments to existing mobile application logic that relies on specific presence states or message delivery timings. A phased rollout with extensive testing in controlled environments is highly recommended to ensure a smooth and secure transition.