OpenClaw 2026.4.1 shipped this morning. Most updates are incremental, but there's one exec behavior change in this release that will surprise you on upgrade if you don't read carefully โ and one genuinely exciting new capability for Android users.
In this post
โ ๏ธ The Exec Default Change โ Read This First
This is the one that will catch people off guard. From the release notes:
"Exec defaults: make gateway/node host exec default to YOLO mode by requesting security=full with ask=off, and align host approval-file fallbacks plus docs/doctor reporting with that no-prompt default."
In plain English: if you run exec commands through a gateway or remote node connection, OpenClaw no longer prompts for approval by default.
Previously, commands routed through a gateway would respect whatever approval policy you had configured โ often prompting before running. Now the default is security=full, ask=off, meaning commands run immediately without asking.
โ ๏ธ Who this affects: Anyone using OpenClaw via a remote gateway or node (i.e., you connect from your phone or another machine). If your agent is configured to run exec commands and you haven't explicitly set an approval policy, those commands now run without prompting after upgrading.
This does NOT affect local connections with approval policies you've already set explicitly.
What to do: After upgrading, run openclaw doctor to review your exec policy. If you want to keep prompts for specific command types, set your policy explicitly in your config rather than relying on defaults. The old behavior is still available โ it's just no longer the default for gateway/node hosts.
If you're a ClawReady customer and you're unsure about your current exec policy, reply to your setup email and we'll check your config.
๐ฑ Android Google Assistant Integration
Launch OpenClaw from Google Assistant on Android
OpenClaw now registers Google Assistant App Actions metadata so Android users can invoke their agent directly from the assistant trigger and pass prompts into the chat composer.
This is a big quality-of-life upgrade for Android users. Instead of opening the OpenClaw app and navigating to a chat, you can now say "Hey Google, ask OpenClaw [your question]" and it routes directly to your agent.
It also means OpenClaw can now act as an assistant-role entrypoint โ useful for users building voice-triggered workflows on Android devices. This requires updating the Android app alongside the server.
๐ Task Flow Substrate Restored
Managed Task Flows with durable state and recovery
The core Task Flow substrate is back โ managed vs. mirrored sync modes, durable flow state and revision tracking, and openclaw flows inspection/recovery primitives for background orchestration.
Task Flows allow OpenClaw to run long-running background jobs that persist across sessions. This is primarily relevant for advanced users and plugin developers building multi-step orchestration โ things like "research this topic for an hour and report back" without requiring an active session to stay open.
The new additions include managed child task spawning and sticky cancel intent, so you can stop scheduling immediately and let parent flows settle cleanly when cancelled.
๐ New Plugin Hook: before_agent_reply
Plugins can now short-circuit the LLM with synthetic replies
The before_agent_reply hook lets plugins intercept the reply pipeline after inline actions and return a synthetic response without calling the LLM.
For plugin developers, this opens up patterns like: run a tool action, and if the result is deterministic, return a canned response immediately instead of passing to the model. Useful for performance optimization and cost reduction in high-frequency automation flows.
Breaking: Plugin Config Paths Changed
xAI x_search config moved to plugin-owned path
Settings previously at tools.web.x_search.* now live at plugins.entries.xai.config.xSearch.*. Auth migrated to plugins.entries.xai.config.webSearch.apiKey or the XAI_API_KEY env var.
Firecrawl web_fetch config moved to plugin-owned path
Settings previously at tools.web.fetch.firecrawl.* now live at plugins.entries.firecrawl.config.webFetch.*.
Both can be auto-migrated. Run openclaw doctor --fix after upgrading and it will move the config for you.
Fixes Worth Knowing
- Pairing-required errors fixed โ Gateway/exec loopback now has proper fallbacks for empty paired-device token maps, so local exec and node clients stop failing with "pairing required" after the 2026.3.31 changes.
- sessions_spawn on loopback fixed โ Sub-agent gateway calls now pin to the correct admin scope, fixing
close(1008) "pairing required"errors. - Malformed exec-approvals.json handled โ Invalid security/ask values in your approvals file are now stripped and fall back to documented defaults instead of corrupting runtime policy.
- Plugin SDK deprecation warnings โ Legacy provider compat subpaths now emit migration warnings. These will be removed in a future major release.
- Context window reporting fixed โ
/statusnow correctly shows the 1.0M context window for fresh Anthropic 4.6 model overrides instead of reporting an undercount.
How to Upgrade
npm update -g openclaw
openclaw doctor --fixThe --fix flag handles the xAI and Firecrawl config migrations automatically. After upgrading, check your exec policy if you use remote gateway or node connections (see the exec default section above).
โ
Already a ClawReady customer? Your config was set up with explicit policies โ you're less likely to be surprised by the exec default change than someone who installed OpenClaw from scratch. Still worth running openclaw doctor to confirm your posture after upgrading.
Not Sure If Your Config Is Ready for 2026.4.1?
We offer a $49 audit that reviews your exec policy, plugin list, security posture, and model config. Results in 24 hours.
Book an Audit โ