OpenClaw 2026.6.6-beta.1 landed today as the first beta after yesterday's stable 2026.6.5 release. The headline is not one giant feature. It is a broad tightening pass across the places where agents touch transcripts, sandboxes, channels, browser output, MCP transports, and provider sessions.
The release notes describe the security work as "substantially tighter" across transcripts, sandbox binds, host environment inheritance, MCP stdio, Codex HTTP access, native search policy, elevated sender checks, deleted-agent ACP bypasses, loopback tools, Discord moderation, Teams group actions, and exec approvals. That is a long list, but the pattern is clear: fewer ambiguous boundaries, fewer permissive fallbacks, and more fail-closed behavior.
Security Boundaries Move to the Front
The most important line for operators is that exec approvals now fail closed on timeout. That changes the failure mode from "approval path got weird" to "the action did not proceed," which is the direction security-sensitive automation needs.
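To make the difference concrete, here is an added sketch of an approval gate in its fail-open and fail-closed forms. It is not OpenClaw's code: the request shape, field names and 30-second timeout are assumptions chosen for illustration, and it goes slightly beyond timeouts by also denying late, unauthorized and malformed replies.

```javascript
// Added illustration, not OpenClaw code: every name below is hypothetical.
const ALLOW = "allow";
const DENY = "deny";

// Weak pattern: anything short of an explicit rejection runs the command,
// so a timeout, a lost reply or a garbled reply all end in "allow".
function decideFailOpen(request) {
  const r = request.response;
  if (r && r.verdict === "reject") return { action: DENY, reason: "rejected" };
  return { action: ALLOW, reason: "no rejection seen" };
}

// Fail-closed pattern: run only on a positive, timely approval from an
// authorized approver that is bound to this request. All other states deny.
function decideFailClosed(request, nowMs) {
  const deadlineMs = request.createdAtMs + request.timeoutMs;
  const r = request.response;
  if (!r) {
    return { action: DENY, reason: nowMs >= deadlineMs ? "timeout" : "pending" };
  }
  if (r.requestId !== request.id) return { action: DENY, reason: "wrong request" };
  if (!Number.isFinite(r.receivedAtMs) || r.receivedAtMs >= deadlineMs) {
    return { action: DENY, reason: "late or undated reply" };
  }
  if (!request.approvers.includes(r.approver)) {
    return { action: DENY, reason: "unauthorized approver" };
  }
  if (r.verdict !== "approve") return { action: DENY, reason: "not approved" };
  return { action: ALLOW, reason: "approved" };
}

// Constructed sample requests (30 s timeout, created at t = 0).
function sample(response) {
  return { id: "req-1", createdAtMs: 0, timeoutMs: 30000,
           approvers: ["alice"], command: "systemctl restart app", response };
}
const cases = {
  timedOut: sample(undefined),
  late: sample({ requestId: "req-1", approver: "alice", verdict: "approve", receivedAtMs: 45000 }),
  stranger: sample({ requestId: "req-1", approver: "mallory", verdict: "approve", receivedAtMs: 5000 }),
  garbled: sample({ requestId: "req-1", approver: "alice", verdict: "aprove", receivedAtMs: 5000 }),
  approved: sample({ requestId: "req-1", approver: "alice", verdict: "approve", receivedAtMs: 5000 }),
};

for (const [name, req] of Object.entries(cases)) {
  console.log(name, decideFailOpen(req).action, decideFailClosed(req, 60000).action);
}
```

The fail-open gate allows all five constructed cases, while the fail-closed gate allows only the last one.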
The beta also continues the transcript and content-boundary work that appeared in recent releases. OpenClaw now suppresses Codex and Harmony protocol artifacts, neutralizes browser and LanceDB memory media directives, redacts transcript images, and preserves native /compact replies through source suppression.
For anyone running agents in inboxes, browsers, or shared team channels, those are not cosmetic fixes. They reduce the ways internal scaffolding, media payloads, or untrusted content can leak into user-visible replies or stored history.
Telegram Gets Safer Delivery
Telegram receives one of the densest channel updates in the beta. The release notes call out account-scoped topics, streamed text that survives tool calls, /compact support on generic ingress, concrete callback APIs, shared draft chunking, SDK-level durable dispatch dedupe, and a boundary that keeps unauthorized direct-message text out of cache and prompt context.
That last item matters most. The more Telegram is used as a remote control surface for self-hosted agents, the more important it becomes that unauthorized messages do not quietly become memory, prompt context, or future behavior.
iMessage and Browser Connectivity Improve
iMessage recovery also gets attention: always-on inbound restart, durable echo markers, block streaming, idle approval discovery, hardened outbound transport, and clearer startup diagnostics. The practical effect should be less mystery when an iMessage channel comes back after downtime or fails to deliver outbound messages.
Browser and MCP connectivity moved forward too. Existing-session CDP support, WebSocket validation, default-profile cdpUrl handling, safer browser-output boundaries, Streamable HTTP loopback transport, and OAuth/SSE authorization fixes all landed in the same beta.
Faster Startup, Cleaner Providers
OpenClaw's control UI should also feel faster at startup. The beta caches model metadata, removes a startup catalog wait, lazy-loads slash commands, and adds first-event tracing with slow-reply diagnostics.
Provider support expands with OpenRouter OAuth onboarding and Claude Fable 5 adaptive thinking. Codex sessions keep correct compaction ownership, local models skip guardian review, dynamic tool progress normalizes more cleanly, and Gemma 4 reasoning replay is preserved.
Should You Install It?
This is a beta, so production operators should read the full release notes before upgrading. But the direction is worth watching closely: 2026.6.5 stabilized SQLite-backed state, and 2026.6.6-beta.1 follows with a security and channel-boundary hardening pass.
If your OpenClaw deployment depends on Telegram, iMessage, browser control, MCP loopback transport, or strict approval handling, this beta contains several fixes you will want to evaluate early.
Full release notes are available on the OpenClaw GitHub release page.
