OpenClaw v2026.3.22 Deep Dive: ClawHub, Security, and Performance Unleashed
Explore the significant changes in OpenClaw v2026.3.22, including the introduction of ClawHub, extensive security patches, and substantial performance boosts.
OpenClaw v2026.3.22 Deep Dive: ClawHub, Security, and Performance Unleashed
OpenClaw, the popular open-source autonomous AI agent, has seen a substantial release with version v2026.3.22. Dropping on March 23, 2026, this update brings a wave of changes that users and developers alike need to be aware of. From a new default plugin store and a fortified security posture to significant performance enhancements and crucial breaking changes, this release marks a significant step forward for the platform.
OpenClaw: A Quick Refresher
Before diving into the specifics of v2026.3.22, it's worth a brief reminder of what OpenClaw offers. OpenClaw is a free, open-source AI agent designed to execute tasks across various messaging platforms like WhatsApp, Telegram, and Discord, leveraging large language models such as Claude and GPT, or even local models. Its open-source nature, local-first data storage in Markdown files, and extensibility through a portable skill format have garnered it over 310,000 GitHub stars.
The Headline Feature: ClawHub Takes the Helm
The most prominent structural change in v2026.3.22 is the adoption of ClawHub as the primary default plugin and skill registry. Previously, openclaw plugins install <package> commands would directly query npm. Now, the process first consults ClawHub, only falling back to npm if the requested package or version isn't found on ClawHub.
For end-users, this transition is designed to be largely seamless. However, for plugin and skill authors, ClawHub is now the central distribution channel. The newly introduced native commands such as openclaw skills search, openclaw skills install, and openclaw skills update are all powered by ClawHub, complete with built-in tracked update metadata. Similarly, gateway skill installations and updates via the dashboard will now default to ClawHub.
This move aims to streamline plugin management and provide a more robust, traceable ecosystem for OpenClaw extensions. For more details on this new system, refer to the official documentation: https://docs.openclaw.ai/tools/clawhub.
Critical Preparations: Breaking Changes Before You Upgrade
With any major release, especially one packed with over 30 security patches and foundational changes, preparation is key. OpenClaw v2026.3.22 introduces 12 breaking changes, many of which are cleanups originating from older project phases (like Clawdbot/Moltbot). Users must address these before upgrading to avoid disruptions.
Legacy Environment Variables Retired
Environment variables prefixed with CLAWDBOT_* and MOLTBOT_* have been permanently removed. There are no compatibility shims provided. Before upgrading, you must replace all instances of these old variable names with their corresponding OPENCLAW_* equivalents across your configuration files, environment scripts, and .env files.
Ejection of Old State Directory
The .moltbot state directory and the automatic detection of moltbot.json are no longer supported. If your current OpenClaw state resides in ~/.moltbot, it is imperative to migrate it to ~/.openclaw before proceeding with the upgrade. For users requiring custom storage locations, these can be explicitly defined using the OPENCLAW_STATE_DIR or OPENCLAW_CONFIG_PATH environment variables.
Chrome Extension Relay Deprecated
The legacy Chrome extension relay path has been removed. This includes the deprecation of bundled extension assets, the driver: "extension" setting, and browser.relayBindHost. After upgrading, running openclaw doctor --fix will automatically migrate your browser configuration to either the existing-session or user mode. Other browser interaction methods, such as Docker, headless, sandbox, and remote browser flows utilizing raw CDP, remain unaffected.
Plugin SDK Migration Required
The openclaw/extension-api path has been removed without a compatibility shim. Plugin authors are required to migrate their code to the new openclaw/plugin-sdk/* subpaths. The comprehensive migration guide can be found at https://docs.openclaw.ai/plugins/sdk-migration. For plugins that bundle runtime operations on the host side, they will now utilize injected runtimes, such as api.runtime.agent.runEmbeddedPiAgent.
Image Generation Tool Standardization
The older nano-banana-pro skill wrapper for image generation has been removed. To generate images, users should now configure agents.defaults.imageGenerationModel.primary with a model like "google/gemini-3-pro-image-preview" for the native path, or explicitly install a third-party skill for alternative models.
Matrix Plugin Overhaul
The Matrix plugin has been completely rebuilt and is now backed by the official matrix-js-sdk. Users upgrading from a previous version of the Matrix plugin should consult the migration guide available at https://docs.openclaw.ai/install/migrating-matrix.
Discord Slash Commands Re-architected
Native Discord command deployment now defaults to using Carbon's reconciliation process. This change prevents Discord restarts from causing OpenClaw's local deployment path to churn through slash commands unnecessarily, leading to a more stable integration.
Build-Tool JVM Injection Blocked
As a security hardening measure, environment variables such as MAVEN_OPTS, SBT_OPTS, GRADLE_OPTS, and ANT_OPTS are now blocked from the host execution environment. While GRADLE_USER_HOME is restricted, it functions as an override-only block, meaning user-configured Gradle home directories will still propagate correctly.
Significant New Features and Enhancements
Beyond the necessary breaking changes, v2026.3.22 introduces several exciting new features and improvements designed to enhance user experience and functionality.
Introducing /btw — Context-Aware Side Questions
A seemingly small addition, the /btw command offers a significant quality-of-life improvement. This command allows users to ask quick, tool-less questions relevant to the current session without impacting future session context. Answers are presented as dismissible in-session TUI replies and also appear explicitly on external channels. This is invaluable for clarifying points like "what did we just decide?" without disrupting the flow of an active conversation.
Pluggable Sandbox Backends and OpenShell
The sandbox system has been made extensible, paving the way for more flexible and secure execution environments. This release ships with a new OpenShell backend, offering two distinct workspace modes:
- Mirror: Replicates your local environment for development and testing.
- Remote: Executes tasks within a remote workspace, enhancing security and resource management.
Additionally, a new SSH sandbox backend has been introduced, supporting secure authentication through key, certificate, and known_hosts inputs managed via secrets. This underlying technology is also being leveraged by NVIDIA for their NemoClaw safety layer, highlighting its robust security architecture.
Anthropic Claude Integration via Google Vertex AI
For organizations operating within the Google Cloud ecosystem, OpenClaw now offers built-in Anthropic Claude support through Google Vertex AI. This integration allows teams to route Claude requests directly through Vertex AI, benefiting from full GCP authentication and discovery mechanisms without requiring any third-party plugins.
Expanded Web Search Capabilities
OpenClaw v2026.3.22 bundles three new web search providers, each offering distinct features:
- Exa: Native support for date filtering, search mode selection, and optional content extraction is integrated via
plugins.entries.exa.config.webSearch.*. - Tavily: Provides dedicated
tavily_searchandtavily_extracttools for streamlined search operations. - Firecrawl: Offers explicit
firecrawl_searchandfirecrawl_scrapetools for content retrieval.
All these providers are configured under their respective plugins.entries.<provider>.config.webSearch.* settings.
Model Catalog Updates
The model catalog has seen significant updates across major providers:
- OpenAI: GPT-5.4 is now the default model, replacing GPT-5.2. Forward compatibility support has been added for
gpt-5.4-miniandgpt-5.4-nano. - MiniMax:
M2.7andM2.7-highspeedmodels have been added. The API and OAuth plugins for M2.5 and M2.7 have been consolidated into a singleminimaxplugin. - Z.AI / GLM: New models GLM 4.5, 4.6, and
glm-5-turboare now available.
Security is Paramount: Over 30 Hardening Patches
A critical aspect of this release is the extensive security overhaul, featuring over 30 hardening patches. These updates address various vulnerabilities, including a significant Windows SMB credential leak that has now been patched. The focus on security demonstrates OpenClaw's commitment to providing a safer, more robust platform for its users.
Performance Boost: Cutting Gateway Cold Starts
Users will notice a dramatic improvement in performance, particularly concerning gateway cold starts, which have been reduced from minutes down to mere seconds. This optimization drastically improves the initial responsiveness and usability of the OpenClaw gateway.
Conclusion
OpenClaw v2026.3.22 is a commanding update that brings substantial improvements across the board. The introduction of ClawHub, the enhanced security measures, and the remarkable performance gains, especially in cold start times, make this a must-apply upgrade for all users. While the breaking changes require attention, the overall benefits and new features, such as the /btw command and improved sandbox capabilities, significantly outweigh the migration effort. For developers, the plugin SDK migration and new web search integrations offer exciting possibilities. Stay informed, prepare your upgrades, and continue to explore the evolving capabilities of OpenClaw.
Sources:
- OpenClaw v2026.3.22: ClawHub, 30+ Security Patches, and a Massive Performance Overhaul - https://renovateqr.com/blog/openclaw-v2026-3-22-update
- Patch Notes for OpenClaw - https://patchbot.io/ai/openclaw