Security path moves to top priority in OpenClaw release train

Last updated: April 10, 2026 00:00 UTC

Tags: daily-brief, openclaw, security

OpenClaw Daily Brief

  1. Security path moved to top priority in OpenClaw release train: The latest upstream release cycle calls out multiple security hardening fixes (SSRF enforcement, sender allowlists, and config redaction), signaling that operators should treat policy settings as production controls, not optional tuning.
  2. Control UI markdown parser now hardened against ReDoS-style freezes: OpenClaw replaced marked.js with markdown-it, reducing a known denial-of-service risk in the chat UI rendering path.
  3. Gateway tool config mutations now reject patches that newly enable dangerous flags: The model-facing gateway tool blocks config.patch and config.apply when the requested change would turn on an audit-flagged dangerous option that is not already enabled.
  4. Channel allowlists now enforced on interaction paths too: Slack interaction handling applies the global sender allowlist and rejects ambiguous channel types, closing a bypass path in mixed channel setups.
  5. Action for operators this weekend: Run a targeted config review for browser/network and channel allowlist settings before your next upgrade window, then test one real workflow per channel to confirm behavior after hardening.
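The guard described in item 3 hinges on one word: "newly". A mutation that leaves an already-enabled flag on is not what enabled it, so only the off-to-on transition is blocked. The following is an added illustration of that check, written for this brief and not OpenClaw's own code: the dotted config paths in DANGEROUS_FLAGS, the function names and the deep-merge semantics for config.patch are all assumptions chosen to make the idea concrete.

```javascript
// Added example (not OpenClaw code). Audit-flagged options that a model-issued
// config mutation may not newly turn on. These dotted paths are hypothetical
// placeholders, not OpenClaw's real config keys.
const DANGEROUS_FLAGS = [
  "gateway.auth.disabled",
  "browser.network.allowPrivateRanges",
  "tools.exec.allowShell",
];

// Read a dotted path out of a nested config object; undefined when any hop is missing.
function getPath(obj, dotted) {
  return dotted.split(".").reduce(
    (node, key) => (node !== null && typeof node === "object" ? node[key] : undefined),
    obj,
  );
}

function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// Recursive merge assumed for config.patch: nested objects merge, leaves overwrite.
// Prototype keys are skipped so a crafted patch cannot pollute Object.prototype.
function deepMerge(base, patch) {
  const out = { ...base };
  for (const [k, v] of Object.entries(patch)) {
    if (k === "__proto__" || k === "constructor" || k === "prototype") continue;
    out[k] = isPlainObject(v) && isPlainObject(base[k]) ? deepMerge(base[k], v) : v;
  }
  return out;
}

// Compute the config that *would* result from the mutation, without applying it.
function previewMutation(current, payload, op) {
  if (op === "config.patch") return deepMerge(current, payload);
  if (op === "config.apply") return payload; // full replacement
  throw new Error(`unknown mutation op: ${op}`);
}

// Reject only transitions from "not enabled" to "enabled". A flag that is already
// on, or one the mutation turns off, passes: the guard targets newly enabled flags.
function guardConfigMutation(current, payload, op) {
  const next = previewMutation(current, payload, op);
  const violations = DANGEROUS_FLAGS.filter(
    (path) => getPath(current, path) !== true && getPath(next, path) === true,
  );
  return violations.length === 0
    ? { ok: true, next, violations: [] }
    : { ok: false, next: null, violations };
}

// Constructed sample config and patches for a stand-alone run.
const sampleCurrent = {
  gateway: { auth: { disabled: false } },
  browser: { network: { allowPrivateRanges: true } },
};
console.log(guardConfigMutation(sampleCurrent, { gateway: { auth: { disabled: true } } }, "config.patch"));
console.log(guardConfigMutation(sampleCurrent, { browser: { network: { timeoutMs: 5000 } } }, "config.patch"));
```

Note that config.apply is previewed as a full replacement, so a flag absent from the new document counts as off; that is why the guard is run on the effective post-mutation config rather than on the raw payload, which would miss flags that a partial patch enables by overwriting a parent object.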
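Item 4 closes a gap that is easy to miss: the message path checked the sender allowlist, but interaction payloads (button clicks, modal submissions) arrive through a different handler and carry the sender in a different field. The following is an added example, written for this brief and not OpenClaw's code, of applying one global sender allowlist to Slack interaction payloads and failing closed on channels whose type cannot be determined. The allowlisted user IDs, the sample payloads and the reason strings are constructed; the form-encoded `payload=` body and the C/G/D channel-ID prefixes are Slack conventions.

```javascript
// Added example (not OpenClaw code). Global sender allowlist of Slack user IDs;
// the IDs are constructed placeholders.
const SENDER_ALLOWLIST = new Set(["U01AAAAAA", "U02BBBBBB"]);

// Slack delivers interactive payloads as application/x-www-form-urlencoded with
// the JSON in a single `payload` field. URLSearchParams is a Node global.
function decodeInteractionBody(rawBody) {
  const params = new URLSearchParams(rawBody);
  const json = params.get("payload");
  if (json === null) throw new Error("not a Slack interaction body: no payload field");
  return JSON.parse(json);
}

// Slack channel IDs encode their kind in the first character: C public channel,
// G private channel or group, D direct message. Anything else is "unknown".
function classifyChannel(channel) {
  const id = channel && channel.id;
  if (typeof id !== "string" || id.length === 0) return "unknown";
  return { C: "public", G: "private", D: "dm" }[id[0]] || "unknown";
}

// Decide whether an interaction may be dispatched. Fails closed: a missing sender,
// a sender outside the allowlist, or an ambiguous channel all deny. A missing
// `channel` (e.g. a view_submission or global shortcut) is treated as ambiguous
// rather than guessed, which is the behaviour item 4 describes.
function authorizeInteraction(payload, allowlist = SENDER_ALLOWLIST) {
  const userId = payload && payload.user && payload.user.id;
  if (typeof userId !== "string") return { allowed: false, reason: "missing-sender" };
  if (!allowlist.has(userId)) return { allowed: false, reason: "sender-not-allowlisted" };
  const channelKind = classifyChannel(payload.channel);
  if (channelKind === "unknown") return { allowed: false, reason: "ambiguous-channel" };
  return { allowed: true, reason: "ok", userId, channelKind };
}

// Constructed sample body for a stand-alone run: an allowlisted user clicking a
// button in a public channel.
const sampleBody =
  "payload=" +
  encodeURIComponent(
    JSON.stringify({ type: "block_actions", user: { id: "U01AAAAAA" }, channel: { id: "C0123ABC" } }),
  );
console.log(authorizeInteraction(decodeInteractionBody(sampleBody)));
```

This check sits behind, not instead of, Slack request-signature verification: the allowlist decides who may act once the request is known to come from Slack, and the "ambiguous-channel" denial is the part worth testing in a mixed public/private/DM deployment, since it is the case the older message-only path never saw.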

Got a tip? Send it to tips@clawnews.org
