📦 update

OpenClaw v2026.3.22 Ships ClawHub Marketplace, Multi-Model Sub-Agents, and 30+ Security Patches

Source: C# Corner
releaseclawhubmarketplacesub-agentssecuritygpt-5.4multi-modelsmb-credential-leak

OpenClaw v2026.3.22 Ships ClawHub Marketplace, Multi-Model Sub-Agents, and 30+ Security Patches

What Happened

OpenClaw v2026.3.22 dropped on March 23, 2026, delivering the most significant architectural update since the project's founding. According to multiple sources including C# Corner and RenovateQR, the release carries 12 breaking changes and introduces ClawHub as the default plugin and skill marketplace, replacing npm as the first-stop registry. When users run openclaw plugins install , the system now checks ClawHub first, falling back to npm only if the package isn't found.

The release adds support for GPT-5.4-mini and GPT-5.4-nano models, along with adjustable sub-agent thinking levels and the ability to assign different models to different sub-agents. A new /btw side conversation command lets users address the agent mid-task without interrupting the primary workflow. Gateway cold-start times were cut from minutes to seconds.

On the security front, v2026.3.22 includes over 30 hardening patches, most notably blocking a Windows SMB credential leak that could have exposed authentication credentials through specially crafted file paths. The release also coincided with the disclosure of multiple CVEs (CVE-2026-32048, CVE-2026-32064, CVE-2026-32025, CVE-2026-32013, CVE-2026-32016) affecting earlier versions, covering sandbox escape, VNC authentication bypass, WebSocket origin bypass, symlink traversal, and macOS path validation issues.

Why It Matters

The ClawHub-first approach is a strategic pivot that gives the OpenClaw project direct control over its plugin supply chain — critical given the ClawHavoc malware campaign that infected over 1,184 skills distributed through less-governed channels. Multi-model sub-agents fundamentally change how developers architect their agent setups, enabling cost-optimized task delegation where cheap, fast models handle routine work while more capable models tackle complex reasoning. The 30+ security patches, while welcome, underscore the ongoing tension between OpenClaw's breakneck development pace and the security rigor enterprises demand.

What's Next

The ClawHub marketplace sets the stage for potential curation, verification, and eventually monetization of OpenClaw skills. Watch for VirusTotal integration and automated security scanning to become more prominent in the ClawHub pipeline.

Related

Related News

🚀 OpenClaw v2026.3.22 Ships New Plugin SDK, ClawHub Marketplace, GPT-5.4 Support March 23, 2026 📦 OpenClaw v2026.3.23-2 Stabilizes Plugin SDK and Hardens Auth for Self-Hosters March 24, 2026 📦 OpenClaw v2026.3.13 Adds Local Backup Commands and Chrome DevTools MCP Browser Mode March 15, 2026 📦 OpenClaw v2026.3.12 Ships Dashboard v2, Fast Mode, and Provider Plugin Architecture March 13, 2026

Related Guides

📖 Securing Your OpenClaw Instance: A CVE Patching and Hardening Guide 📖 OpenClaw Security & Hardening 📖 OpenClaw Skills: Find, Install & Manage
← All News Guides Reviews Browse Skills