
OpenClaw Hardens Exec and Provider Boundaries

OpenClaw merged new hardening for inline interpreters, self-hosted provider discovery, and gateway auth limiter memory pressure.

Filed under Security | Updated Jun 24, 2026

OpenClaw's June 24 nightly merge window brought another security-focused hardening sweep, led by PR #96216, PR #95244, and PR #96224.

The three patches touch different parts of the runtime: exec approval detection, self-hosted provider discovery, and gateway authentication rate limiting. The shared theme is boundary discipline. OpenClaw is tightening cases where user-controlled inputs, local services, or repeated failed requests could put too much trust or too much memory pressure on the system.

Inline Interpreters Get Tighter Detection

PR #96216, "fix(exec): gate versioned inline interpreters," closes gaps in strict inline-eval approval detection.

OpenClaw already tries to detect inline interpreter usage because commands such as python -c or php -r can execute arbitrary code from the command line. The new patch expands that detection so version-suffixed Python and PyPy executable names are matched too. It also adds PHP inline-code flags -B, -E, and -R, plus R and Rscript -e handling.

The important operator-facing point is that allowlisted interpreter binaries should not accidentally become broad inline-code escape hatches. The PR also applies the same matching to allowlist-pattern recognition, so persistent "allow always" approval behavior remains suppressed for those interpreter forms.

The PR reports focused detector and handler regression coverage, including 65 passing tests across the inline-eval and system-run paths.

Provider Discovery Reads Are Now Bounded

PR #95244, "fix(providers): bound self-hosted provider discovery JSON reads," hardens OpenClaw's setup path for self-hosted model providers.

Before the patch, two provider discovery helpers parsed HTTP responses with unbounded response.json() calls. Those base URLs are user-supplied and can point at local or self-hosted endpoints. A buggy or hostile endpoint could stream an oversized JSON body and push the setup wizard toward out-of-memory behavior.

The fix adds a shared 4 MiB cap for self-hosted discovery JSON and routes both /props and /models discovery reads through OpenClaw's byte-limited response reader before parsing. If the response is too large, the stream is cancelled instead of being read indefinitely.

This follows the same pattern OpenClaw recently applied to Anthropic Messages error-body reads: parse only after a bounded read, and treat provider-adjacent HTTP responses as untrusted.

Gateway Auth Tracking Gets a Cap

PR #96224, "fix(gateway): cap auth limiter entries," adds a default 10,000-entry cap to Gateway auth rate-limiter bookkeeping.

Rate limiters need memory of recent failed attempts, but that memory cannot grow forever. The patch prunes expired entries before eviction, preserves active lockouts where possible, and fails closed with a temporary overflow lock if every tracked entry is actively locked.

That last detail matters. Saturation should not become a fail-open path.
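
The eviction order and fail-closed overflow behavior described above, as an added JavaScript example that is not OpenClaw's code. The class name, the failure threshold, the window and lock durations, and overflowLockMs are assumptions; only the 10,000-entry default comes from the article. Time is passed in as milliseconds so the behavior is deterministic.

```javascript
// Added example. Class name, thresholds and overflowLockMs are assumptions;
// only the 10,000-entry default cap comes from the article.
class CappedAuthLimiter {
  constructor({ maxEntries = 10000, maxFailures = 5, windowMs = 60000,
                lockMs = 300000, overflowLockMs = 30000 } = {}) {
    Object.assign(this, { maxEntries, maxFailures, windowMs, lockMs, overflowLockMs });
    this.entries = new Map(); // key -> { failures, firstAt, lockedUntil }
    this.overflowUntil = 0;   // global lock set when the table is saturated
  }

  isLocked(e, now) { return e.lockedUntil > now; }
  isExpired(e, now) { return !this.isLocked(e, now) && now - e.firstAt >= this.windowMs; }

  // True if an attempt from `key` may proceed to credential checking.
  allow(key, now) {
    if (now < this.overflowUntil) return false; // saturated: deny everyone
    const e = this.entries.get(key);
    return !(e && this.isLocked(e, now));
  }

  // Free a slot: prune expired entries first, then evict the oldest unlocked one.
  makeRoom(now) {
    for (const [k, e] of this.entries) {
      if (this.isExpired(e, now)) this.entries.delete(k);
    }
    if (this.entries.size < this.maxEntries) return true;
    for (const [k, e] of this.entries) {
      if (!this.isLocked(e, now)) { this.entries.delete(k); return true; }
    }
    return false; // every tracked entry is an active lockout
  }

  recordFailure(key, now) {
    let e = this.entries.get(key);
    if (e && this.isExpired(e, now)) { this.entries.delete(key); e = undefined; }
    if (!e) {
      if (this.entries.size >= this.maxEntries && !this.makeRoom(now)) {
        this.overflowUntil = now + this.overflowLockMs; // fail closed, do not grow
        return;
      }
      e = { failures: 0, firstAt: now, lockedUntil: 0 };
      this.entries.set(key, e);
    }
    e.failures += 1;
    if (e.failures >= this.maxFailures) e.lockedUntil = now + this.lockMs;
  }
}
```

With a two-entry cap, a third key evicts the oldest unlocked entry; once both slots hold active lockouts, a further new key triggers the overflow lock and every caller is denied until it expires.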

Bottom Line

None of these patches is flashy, but they are the kind of changes that make OpenClaw safer to run as a real service. Inline code needs explicit approval semantics. Provider discovery needs bounded reads. Gateway auth bookkeeping needs a ceiling.

The June 24 nightly hardening sweep keeps pushing OpenClaw toward the boring reliability operators want from an agent runtime with real system access.
