HomeBlog Book a free call →
← Back to blog
OpenClaw

OpenClaw Update: Feb 23, 2026

By the CodeClaw Team· February 23, 2026·5 min read

If you're running multi-model setups (and you should be), having another gateway option is always welcome.

Moonshot/Kimi Vision + Video Support

Moonshot (Kimi) now supports vision and video inputs through OpenClaw. Send an image, send a video — Kimi can process both.

This matters if you're building agents that handle visual content: product photos, document scans, video summaries. Moonshot's pricing is competitive, and having vision+video support makes it a real option for multimodal workflows.

Exec Hardening

The exec tool — the one that lets your agent run shell commands — got hardened. Tighter sandboxing, better input validation, more restrictive defaults.

This is the kind of change where you don't notice it until something goes wrong. And now, fewer things will go wrong. If your agent has exec access (and many do for file management, git operations, or API calls), the hardening reduces the attack surface significantly.

ACP + OTEL Secret Redaction

If you're using ACP (Agent Communication Protocol) or OTEL (OpenTelemetry) for observability, secrets are now automatically redacted from logs and traces. API keys, tokens, passwords — they won't show up in your telemetry data.

This is a "should have always been there" fix. If you're shipping traces to Datadog, Grafana, or any observability platform, you don't want credentials leaking into your log aggregator. Now they won't.

⚠️ Breaking Change: allowFrom Is Now ID-Only

This is the one you need to act on. The allowFrom config — which controls who can interact with your agent — now only accepts user IDs. Usernames are no longer valid.

Why? Usernames can change. IDs can't. Accepting usernames meant someone could change their username and potentially bypass access controls. ID-only is more secure, even if it's slightly less convenient to configure.

What to do: Check your OpenClaw config. If allowFrom contains usernames instead of IDs, update them before upgrading. Your agent will reject non-ID values after the update.

The Daily Shipping Cadence

Two releases in three days. This isn't a fluke — it's the pace OpenClaw is setting. Security audits, stability fixes, new providers, hardening. All shipping daily.

For context: most AI agent frameworks ship monthly if you're lucky. OpenClaw is treating this like infrastructure software — because that's what it is. Your AI agent is infrastructure. It deserves infrastructure-grade release velocity.

Quick summary of v2026.2.23: 50 security advisories audited (12 patched), compaction overflow recovery, Kilo Gateway provider, Moonshot/Kimi vision + video support, exec hardening, ACP + OTEL secret redaction, allowFrom now ID-only (breaking change). Ship daily.

Upgrading is the same as always:

npm update -g openclaw
# Then restart your gateway
openclaw gateway restart

If you're new to OpenClaw, start with our complete setup guide. And if you want all of this managed for you — security patches, config updates, the works — that's literally what CodeClaw exists for.

Skip the upgrade treadmill

CodeClaw keeps your OpenClaw agent patched, configured, and running. You focus on your business.

Get Started →

Related Posts

Ready to automate your business?

We build custom AI agents for solopreneurs and small business owners. Book a free 15-minute call — no commitment.

Book a free call → ← More articles