OpenClaw v2026.4.1 Ships Major Security Hardening: Dangerous Skills Fail-Closed, Node Pairing Lockdown, Background Task Unification

OpenClaw published version 2026.4.1 (with 2026.4.1-beta.1 also available on GitHub) on April 1-2, 2026. This is a major release focused on security hardening and operational infrastructure, with several breaking changes that directly address vulnerabilities highlighted in recent CertiK and Adversa AI audits.

BREAKING SECURITY CHANGES:

1. DANGEROUS SKILLS FAIL-CLOSED: Skills and plugin installs that trigger dangerous-code critical findings or install-time scan failures now fail closed by default. Previously, these would succeed silently. Operators must now use an explicit --dangerously-force-unsafe-install override. This directly addresses the CertiK finding that 12% of the OpenClaw skills registry contained malware.

2. NODE PAIRING LOCKDOWN: Node commands now stay disabled until node pairing is explicitly approved, so device pairing alone is no longer enough to expose declared node commands. This closes an attack vector where rogue devices could execute commands on partially-paired nodes.

3. TRUSTED-PROXY HARDENING: Gateway auth now rejects mixed shared-token configs, and local-direct fallback requires the configured token instead of implicitly authenticating same-host callers. This addresses the CVE-2026-25253 class of authentication bypass vulnerabilities.

4. NODE EVENT SURFACE REDUCTION: Node-originated runs now stay on a reduced trusted surface, limiting broader host/session tool access for notification-driven or node-triggered flows.

MAJOR NEW FEATURES:

5. UNIFIED BACKGROUND TASK CONTROL PLANE: The biggest architectural change unifies ACP, subagent, cron, and background CLI execution under one SQLite-backed ledger. This replaces separate bookkeeping systems with a shared control plane including detached lifecycle updates, audit/maintenance/status visibility, auto-cleanup, and lost-run recovery. A new linear task flow control surface (openclaw flows list|show|cancel) enables orchestrated multi-step workflows.

6. MCP IMPROVEMENTS: MCP tools now materialize with provider-safe names (serverName__toolName), support optional streamable-HTTP transport, per-server connection timeouts, and preserve real tool results from aborted/error turns.

7. NEW CHANNELS: QQ Bot added as a bundled channel plugin with multi-account setup, slash commands, reminders, and media support. Matrix channel gets optional room history context, account-level proxy config.

8. LINE OUTBOUND MEDIA: LINE channel now supports image, video, and audio outbound sends.

9. IDLE-STREAM TIMEOUT: New configurable idle-stream timeout for embedded runner requests prevents stalled model streams from hanging.

10. ANDROID NOTIFICATIONS: New notification-forwarding controls with package filtering, quiet hours, and rate limiting.

The release demonstrates OpenClaw is responding aggressively to the security audit findings from CertiK (100+ CVEs) and Adversa AI, with the fail-closed default for dangerous skills being the most impactful change for ecosystem safety.