OpenClaw v2026.3.8 Ships ACP Provenance and 12+ Security Patches
What Happened
OpenClaw released version 2026.3.8 on March 9, just days after the v2026.3.7 release that introduced the ContextEngine plugin interface. This rapid follow-up involved 43 contributors and focuses heavily on security hardening and operational reliability. The headline features include ACP (Agent Communication Protocol) provenance verification, which allows agents to cryptographically verify the identity of other agents they interact with, reducing the risk of spoofed identities in multi-agent workflows.
Other notable additions include a new openclaw backup CLI command for state rollback and deployment safety, a fix for duplicate Telegram events that had been causing redundant triggers in chat-based agent integrations, Brave search LLM-context mode for enhanced web research, and a Talk silent timeout feature. The release also ships over 12 security patches addressing vulnerabilities disclosed in the preceding weeks.
Why It Matters
The v2026.3.8 release signals a deliberate shift toward production-readiness. ACP provenance is particularly significant as it addresses one of the fundamental trust problems in agentic AI — verifying that the agent you're communicating with is who it claims to be. The backup CLI tool and fail-closed configuration behavior show the project taking operational concerns seriously, moving beyond feature velocity toward the reliability expectations of enterprise deployments. With over 280,000 GitHub stars and growing enterprise adoption, this hardening cycle is well-timed.
What's Next
Expect the security hardening cadence to continue as more CVEs are discovered and patched. The ACP provenance feature in particular may become a requirement for enterprise deployments, so skill developers should start integrating provenance metadata into their agent interactions. The backup tool suggests that more sophisticated deployment management features are on the roadmap.