Over the past three weeks, OpenClaw has been shipping at a rate of almost "one release every two days," and Andrej Karpathy called it a "cool and exciting new layer" of the AI technology stack. Since February, OpenClaw (formerly known as Clawdbot and Moltbot) has been the talk of AI circles. A version is released almost every two days, with more than ten updates in a row, advancing simultaneously on multiple fronts such as the model ecosystem, full-scenario experience, multi-agent collaboration, and security hardening.

The latest version, released by OpenClaw on February 21, officially integrates the preview version of Google Gemini 3.1 Pro and also brings real-time voice and continuous routing functions to Discord.


While OpenClaw was evolving rapidly, a post from Andrej Karpathy, a top figure in the AI circle, pushed the carnival to a climax:


He posted on social media that he had bought a new Mac mini over the weekend and was ready to play around with "Claws".

He regards Claws as a "new layer" superimposed on the agent. This layer directly elevates orchestration, scheduling, context management, tool calling and persistence capabilities to a new level. It is a "cool and exciting new layer" in the AI technology stack.

Karpathy's entry injected a shot of excitement into the entire "Claw" space.

Simon Willison immediately wrote an article pointing out that "Claw" is evolving into a common industry term for all agent systems similar to the OpenClaw architecture.

In just two weeks, OpenClaw's token usage has soared to about 13% of all tokens on OpenRouter (mainly from open-weight models).


Below, we briefly review the important updates of OpenClaw in February.

iOS Ecosystem: Complete the transition to mobile in twenty days

In February, OpenClaw made rapid progress in the iOS ecosystem.

February 9: The alpha version of the iOS node application was released, with a setup-code bootstrap process, enabling mobile phone access for the first time.

February 17: Added an iOS share extension. Users can push URLs, text, and pictures directly from the system share menu to the AI assistant, minimizing interruptions.

February 19: Apple Watch companion app launched. Users can view their inbox, send and receive notifications, and even approve/deny action requests directly in the notification stream and respond quickly on the watch. The APNs push wake-up mechanism is simultaneously introduced to ensure that iOS nodes can be reliably woken up in the background.

February 21: Watch-side operations can be seamlessly handed over to the iOS main application for processing through the bridge mechanism; Talk Mode is also optimized to automatically disable voice interruption when the output route is the built-in speaker, greatly reducing false triggers caused by local TTS playback.

From the alpha test in early February to the end of the month, the functions became basically complete. OpenClaw is extending from a "server program running on Mac mini" to a full-scenario intelligent platform covering desktops, mobile phones, and watches.

Architecture evolution

Nested “sub-agents” unlock complex tasks

For developers trying to build complex AI workflows, the maturity of the sub-agent system is the core architectural breakthrough this month.

February 15th: Nested sub-agents are introduced for the first time, that is, sub-agents can spawn their own sub-agents (sub-sub-agents).

The system controls the depth through the maxSpawnDepth parameter, limits each agent to spawning at most 5 child nodes, and adds depth-aware tool strategies and announce link routing.

February 21: The default spawn depth strategy is stabilized at maxSpawnDepth=2, which means that one layer of orchestrator can generate sub-agents by default.

An automatic truncation and recovery mechanism for context overflow is also in place: when the tool output of a sub-agent exceeds the context window, the system pre-truncates the excessively large output and compresses the earliest tool result message, guiding the model to re-read in smaller chunks instead of simply crashing.

This system gives OpenClaw the ability to handle multi-level complex tasks: for example, a main agent can assign multiple subtasks, and each subtask can be split further as needed, forming a tree-like execution structure.
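The depth and fan-out limits described above can be enforced with a small spawn guard. The following is an added example, not OpenClaw's code: `Agent`, `spawn`, `tools_for` and the tool names are hypothetical, and it assumes the main agent sits at depth 0 so that maxSpawnDepth=2 allows one orchestrator layer below it.

```python
from dataclasses import dataclass, field

MAX_SPAWN_DEPTH = 2   # default depth the article reports for the 21 February release
MAX_CHILDREN = 5      # per-agent child limit the article reports

class SpawnDenied(Exception):
    """Raised when a spawn request violates the depth or fan-out policy."""

@dataclass
class Agent:
    name: str
    depth: int = 0
    tools: frozenset = frozenset()
    children: list = field(default_factory=list)

def tools_for(depth, requested, parent_tools):
    """Depth-aware tool policy (assumed): a child never gains a tool its
    parent lacks, and agents at the depth limit lose the 'spawn' tool."""
    allowed = set(requested) & set(parent_tools)
    if depth >= MAX_SPAWN_DEPTH:
        allowed.discard("spawn")
    return frozenset(allowed)

def spawn(parent, name, requested_tools):
    """Create a child agent, or raise SpawnDenied if policy forbids it."""
    if "spawn" not in parent.tools:
        raise SpawnDenied(f"{parent.name}: no spawn tool at depth {parent.depth}")
    if parent.depth + 1 > MAX_SPAWN_DEPTH:
        raise SpawnDenied(f"{parent.name}: depth limit {MAX_SPAWN_DEPTH} reached")
    if len(parent.children) >= MAX_CHILDREN:
        raise SpawnDenied(f"{parent.name}: already has {MAX_CHILDREN} children")
    depth = parent.depth + 1
    child = Agent(name, depth, tools_for(depth, requested_tools, parent.tools))
    parent.children.append(child)
    return child

def tree_size(agent):
    """Count agents in the subtree; bounded by 1 + 5 + 25 under the defaults."""
    return 1 + sum(tree_size(c) for c in agent.children)
```

With both limits in place the execution tree has a hard upper bound, so a misbehaving or prompt-injected sub-agent cannot fan out indefinitely or hand its children tools it was never given.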

Discord

The main frontier for multi-agent collaboration

Discord is one of the most active channels in the OpenClaw community, and the February update has drastically changed its experience.

February 13: Support for sending voice messages with waveform preview.

February 15th: Milestone version, unlocking Components v2. For the first time, native interactive components such as buttons, drop-down selection menus, and modal boxes can be used in the dialogue interface of AI agents. Agents can present structured interaction options to users and no longer have to rely on plain text.

February 17: Reusable interactive components are online. Buttons and selection menus can be used multiple times before expiration; a per-button user permission list is added to control who can click specific buttons.

February 21st: Join/leave/status control of voice channels (via /vc command) is added, and automatic join configuration is supported to achieve real-time voice conversations; streaming preview replies and lifecycle status reaction emoticons are simultaneously online; sub-agent sessions can be bound to specific Discord threads.

With these functions combined, OpenClaw’s presence on Discord is no longer like a simple chatbot, but closer to an AI-native application with complete interactive capabilities.

Model layout

Leading models all on board: putting model neutrality into practice

As an important aspect of the updates, the range of models OpenClaw can connect to also expanded rapidly in February:

February 6: Support for Anthropic Opus 4.6 (forward compatible) and xAI Grok.

February 9: Grok web search capabilities go online.

February 13: Integration with Hugging Face Inference and vLLM, including the onboarding flow and default model selection.

February 17th: Support for Anthropic Sonnet 4.6; launch of the Anthropic 1 million token context beta (enabled through model params.context1m: true).

February 21: Access to Google Gemini 3.1 Pro preview version.

OpenClaw's model-neutral strategy is quickly being realized - users can flexibly switch between Claude, GPT, Gemini, Grok and other models according to task needs.

Polishing details: updating streaming experience and underlying reliability

In addition to the evolution of the macro architecture, OpenClaw has also been updated accordingly on some key details.

Slack native streaming output

Slack received an important experience improvement in version 2.17: native single-message streaming output via chat.startStream/appendStream/stopStream, completely bidding farewell to the clumsy way of simulating the "typing" effect by repeatedly editing messages.

Streaming output is enabled by default, and automatically falls back to normal delivery when it fails. The reply thread behavior is consistent with the replyToMode configuration.

Scheduled task overhaul

This mainly covers changes that are easily overlooked but extremely practical.

In version 2.12, a number of problems that had long troubled users were solved:

Repeated triggering is prevented, scheduler errors are isolated (one bad task no longer drags down all tasks), one-time at tasks are no longer executed again after a restart, and support for webhook delivery and authentication tokens is added.

Version 2.14 adds precise delivery and identity maintenance of Telegram topics.

For users who rely on OpenClaw for scheduled automation, these seemingly trivial fixes are directly related to whether the system can run reliably.

Message delivery reliability

Version 2.13 adds a write-ahead delivery queue, so unsent messages will no longer be lost after the gateway is restarted.

Reply thread routing across platforms (iMessage, Telegram, Matrix, etc.) has been uniformly fixed, and chunked messages no longer frequently "jump" out of the main thread.

Safety

An offensive and defensive battle with 400,000 lines of code

Behind the carnival, OpenClaw is facing a severe security test. Despite his excitement, Karpathy also confessed that he was extremely uneasy:

I do feel a little uneasy about running OpenClaw - handing over my private data/keys to a 400,000-line behemoth code base that is basically "written by feel", and it is still being watched on a large scale... It feels like a complete wild west and a security nightmare.


Facts have proven that his worries were by no means unfounded.

Since it became popular at the end of January, OpenClaw has become a "firing range" for hackers and security experts:

Kaspersky disclosed in the report that it discovered 512 vulnerabilities in a security audit as early as the end of January, 8 of which were rated as critical.

Security researcher Jamieson O'Reilly discovered tens of thousands of public instances without any authentication set up through Shodan scans. He was even able to obtain API keys, messaging platform bot tokens, Slack account credentials, and complete chat history.

Bitsight's analysis shows that during the analysis window from the end of January to the beginning of February, more than 30,000 OpenClaw instances were exposed on the public Internet.

The disclosure of CVE-2026-25253 (CVSS 8.8) is particularly alarming - an attacker only needs to induce the victim to visit a malicious web page to achieve remote code execution in milliseconds, even if OpenClaw is only bound to the local loopback address.

Supply chain pollution is equally serious.

Security firm Koi Security discovered the campaign dubbed "ClawHavoc": attackers uploaded hundreds of well-disguised malicious skills to the official skills marketplace ClawHub, using professional documentation and innocuous names. Once installed, they deployed keyloggers or Atomic Stealer malware.

According to statistics, about 341 of 2,857 skills (about 12%) were confirmed to be malicious.

Cisco's security team called OpenClaw "an absolute nightmare from a security perspective" and released the open source Skill Scanner tool.

Trend Micro's research also points out that misconfigurations and unvetted skills have led to the disclosure of millions of records, including API tokens, email addresses, private messages and third-party service credentials.

Faced with these threats, every update of OpenClaw in February evolved into a high-intensity offensive and defensive battle. Key measures include:

Cryptography and protection upgrades: SHA-1 is comprehensively eliminated in favor of SHA-256; SSRF protections are tightened to cover IPv6, NAT64 and other bypass methods; the command injection vulnerability in the Windows daemon process is repaired.

Sandbox and isolation mechanism: Dangerous configurations in the Docker sandbox (such as host networking or turning off security policies) are forcibly blocked; the browser no longer uses the --no-sandbox flag by default, and VNC password authentication and dedicated Docker network isolation are added.

Permission tightening: Backdoors such as Discord privilege escalation, ACP session management and webhook path traversal are blocked, and version 2.21 introduces a mechanism that lets owner-ID obfuscation use an independent HMAC key.
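The SSRF item above mentions bypasses through IPv6 and NAT64. This added example (not OpenClaw's code; the function names and the constructed DNS table are assumptions) shows why an IPv4-only blocklist misses those forms, and how unwrapping the embedded IPv4 address before the range check closes the gap. It also unwraps 6to4 addresses, which goes beyond the forms the article lists.

```python
import ipaddress
from urllib.parse import urlsplit

NAT64_WKP = ipaddress.ip_network("64:ff9b::/96")  # RFC 6052 well-known prefix

def unwrap(addr):
    """Return the IPv4 address embedded in an IPv6 address, else addr itself."""
    if addr.version == 6:
        if addr.ipv4_mapped is not None:       # ::ffff:a.b.c.d
            return addr.ipv4_mapped
        if addr in NAT64_WKP:                  # 64:ff9b::a.b.c.d
            return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)
        if addr.sixtofour is not None:         # 2002:aabb:ccdd::/48
            return addr.sixtofour
    return addr

def is_blocked(ip_text):
    """Hardened check: judge the address the request will really reach."""
    addr = unwrap(ipaddress.ip_address(ip_text))
    return (not addr.is_global) or addr.is_multicast

def naive_is_blocked(ip_text):
    """Weak check: only understands dotted IPv4, so IPv6 forms pass."""
    try:
        addr = ipaddress.IPv4Address(ip_text)
    except ValueError:
        return False
    return addr.is_private or addr.is_loopback

def url_allowed(url, resolve):
    """Allow http(s) URLs only if every address for the host is public."""
    parts = urlsplit(url)
    host = parts.hostname
    if parts.scheme not in ("http", "https") or not host:
        return False
    try:
        ipaddress.ip_address(host)
        addrs = [host]                         # IP literal
    except ValueError:
        addrs = resolve(host)                  # name: check all A/AAAA answers
    return bool(addrs) and not any(is_blocked(a) for a in addrs)

# Constructed DNS answers so the example runs offline.
FAKE_DNS = {
    "public.example": ["93.184.216.34"],
    "mixed.example": ["93.184.216.34", "64:ff9b::a00:1"],  # NAT64 form of 10.0.0.1
}

def fake_resolve(host):
    return FAKE_DNS.get(host, [])
```

In a real fetcher the connection should be made to the address that passed the check rather than resolving the name a second time, otherwise a changed DNS answer can undo the validation.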


Project founder Peter Steinberger announced in a post on February 16 that he would join OpenAI to be responsible for the development of personal intelligence. OpenClaw transitioned to an independent foundation provided with financial and technical support by OpenAI.

Whether this shift will result in more adequate security resources for the project remains to be seen.