OpenClaw 2026.6.6 is now the stable June 12 release, replacing this morning's beta signal with a verified production tag. The release landed at 11:04 UTC and is available from the official GitHub release page with npm, tarball, integrity, release SHA, and CI evidence links.
The headline is not one feature. It is a security and reliability sweep across the parts of OpenClaw that make agents useful and risky at the same time: transcripts, sandboxes, host environment inheritance, MCP stdio, Codex HTTP access, channel moderation, native search policy, loopback tools, provider replay, and message delivery.
For operators, that makes 2026.6.6 less of a shiny feature release and more of a boundary release. It tightens what agents can see, where channel content can flow, how provider state recovers, and what evidence exists when the package gets published.
What Changed Since the Beta
This morning's 2026.6.6-beta.2 already showed the direction of the train: stronger channel handling, release proof, Telegram and Docker fixes, and provider work. The stable release turns that beta into the npm latest line, with a published openclaw@2026.6.6 package and a dependency evidence bundle.
The release notes lead with a large security cluster. OpenClaw says boundaries are tighter across:
- transcript image and media handling
- sandbox binds and host environment inheritance
- MCP stdio and Streamable HTTP loopback transport
- Codex HTTP access and native search policy
- elevated sender checks and deleted-agent ACP bypasses
- Discord moderation and Teams group actions
- exec approval timeout handling
One small wording detail matters: exec approvals now fail closed on timeout. In agent systems, a timeout is not just a UX edge case. It can decide whether a tool action proceeds without a clear human answer. Failing closed is the safer default.
Channels Get a Stability Pass
OpenClaw is only as useful as the places it can speak and listen. This release includes a broad channel pass across Telegram, iMessage, WhatsApp, Feishu, Mattermost, LINE, Discord, Matrix, Google Chat, QQBot, Android, iOS, and Zalo-related paths.
Telegram gets the largest operator-facing section. The release notes call out account-scoped topic routing, streamed text that survives tool calls, /compact support on generic ingress, concrete callback handling APIs, shared draft chunking, SDK-level durable dispatch dedupe, and a privacy fix so unauthorized direct-message text stays out of cache and prompt context.
iMessage also receives recovery and delivery work: always-on inbound restart, durable echo markers, block streaming, idle approval discovery, hardened outbound transport, and better inbound startup diagnostics.
That pattern is important. OpenClaw's channel layer has moved past "can the bot reply?" into "does the runtime preserve ownership, privacy, and recovery when the transport gets weird?"
Browser, MCP, and Provider Work
The browser and MCP sections are equally practical. The stable release adds existing-session CDP support, discovered WebSocket validation, safer browser-output boundaries, Streamable HTTP loopback transport, corrected OAuth/SSE authorization handling, and broader schema compatibility.
Provider support expands with OpenRouter OAuth onboarding and Claude Fable 5 adaptive thinking. The release also preserves Gemma 4 reasoning replay, keeps Codex sessions attached to the correct compaction ownership, and avoids guardian review for local models.
Those are not headline-grabbing changes, but they reduce friction for real deployments. OpenClaw users increasingly run mixed-provider stacks, local models, browser sessions, MCP servers, and long-lived agent memory in the same gateway. Recovery and boundary behavior matter more as that graph gets denser.
Performance and Release Evidence
The stable tag includes startup and performance improvements: cached model metadata, removal of startup catalog waits, lazy slash-command loading, first-event tracing, slow-reply diagnostics, TUI plugin prewarming, plugin auto-enable dedupe, /models rescan storm reduction, and trimmed dense text-delta snapshots.
The release verification block is also stronger than a typical changelog footer. It links the npm package, registry tarball, integrity hash, release SHA, CI report, release publish workflow, npm preflight, validation workflow, plugin npm publish, ClawHub publish dispatch, and OpenClaw npm publish job.
That gives teams a concrete audit trail before they update a long-running agent host. If you run OpenClaw in a personal environment, the release proof is useful. If you run it near production systems, it is essential.
Should You Upgrade?
If you are already on the 2026.6.6 beta train, the stable release is the obvious next stop. If you are on 2026.6.5, this is a meaningful security and channel-reliability upgrade rather than a cosmetic bump.
The highest-signal reasons to move are Telegram and iMessage delivery, stricter transcript and browser-output boundaries, MCP transport fixes, provider replay behavior, release evidence, and fail-closed exec approvals.
As always, operators should read the full release notes, back up state, and test channel credentials before upgrading a 24/7 assistant. But 2026.6.6 looks like the release where the June beta work becomes the stable baseline.