OpenClaw: Content-Boundary Hardening Suite Across Inbound Surfaces

What Changed

OpenClaw v2026.5.26 (2026-05-27) lands a multi-front content-safety push spanning browser, channels, plugins, memory, and gateway auth. The shape is consistent: prompt-injection and content-confusion countermeasures applied at policy-and-runtime layers, before the agent dispatches.

• Browser snapshot reads now honor SSRF policy before reading tab URLs (PR #78526).
• Queued system-event text is sanitized so untrusted plugin or channel labels cannot spoof nested prompt markers (PR #87094).
• Fetched file text and metadata are wrapped as external content (#87062), explicitly tagged for the model.
• ClickClack allowFrom sender allowlists run before agent dispatch (PR #83741) — not as post-dispatch blocking.
• RPCs from invalidated device-token clients are rejected during rotation (#70707).
• Serialized tool-call text is scrubbed from replies (#86924).
• A separate memory_store prompt-like-text reject matches the existing auto-capture prompt-injection filter (#87142).
• Gateway auth rate-limiter defaults on for remote non-browser/HTTP auth failures when gateway.auth.rateLimit is unset (#87148).

Why It Matters

The current OpenClaw profile names the accessibility-calibration purpose: chat, voice, mobile, gateway as familiar reachable surfaces. The 2026-05-13 → 2026-05-27 window is the moment the safety discipline catches up to the accessibility surface — without flattening the surface itself.

The structural choice that matters most: pre-dispatch allowlists. ClickClack allowFrom runs before the agent decides. That is the right primitive for authority over inbound senders — denying unauthorized senders the chance to influence agent behavior at all, rather than blocking specific actions after the agent has been biased.

The SSRF, sanitization, and serialized-tool-call cleanup are the companion pieces: content from outside the trust boundary is wrapped, scrubbed, or rejected before becoming model input.

Operator Implication

• Operators evaluating OpenClaw against "is it safe to put agents on real channels with real users" can use this suite as evidence of a threat model, not just a feature list.
• Gateway operators should verify whether gateway.auth.rateLimit was unset in their config — the on-by-default ratelimit changes observable behavior for non-browser/HTTP auth flows.
• Plugin authors should treat allowFrom sender allowlists as the canonical inbound boundary. Post-dispatch filtering is the older model.

Open

• 2026.5.22's "remove the old sender-owner tool gating path so configured tools stay visible for trusted sessions" overlaps with the 2026-05-13 per-sender tool policies. Whether this loosens something the per-sender policies tightened or whether they are complementary is worth a follow-up read against PR #66933.
• The browser snapshot SSRF policy default and how it interacts with operator-configured allow-domains is not in the release notes; worth a follow-up.
• Plugin SDK additions (embeddingProviders capability contract, defineToolPlugin, openclaw plugins build|validate|init) suggest OpenClaw is opening the typed-plugin-author surface. The signing and trust model for typed plugins is not yet documented.