OpenClaw ships 2026.3.22 with ClawHub marketplace and OpenShell SSH sandboxes
OpenClaw shipped version 2026.3.22 with ClawHub, OpenShell plus SSH sandboxes, side-question flows, and more search and model options, then followed with a 2026.3.23 patch. Teams get a broader plugin surface, but should patch quickly and review plugin trust boundaries as the ecosystem grows.

TL;DR
- OpenClaw's 2026.3.22 release adds a ClawHub plugin marketplace, new model options including MiniMax M2.7 and GPT-5.4 mini/nano, the /btw side-question flow, and OpenShell plus SSH sandboxes.
- The follow-up 2026.3.23 patch lands a DeepSeek provider plugin, Qwen pay-as-you-go access, OpenRouter auto-pricing, and Chrome MCP fixes that now wait for tabs instead of timing out as often.
- Under the hood, the earlier beta notes show meaningful migration work: plugin installs now prefer ClawHub over npm, the Chrome relay path was removed, the plugin SDK moved to openclaw/plugin-sdk/*, and sandbox rules block more JVM, glibc, and .NET hijacking attempts.
- The bigger plugin surface also sharpens trust-boundary questions: a widely shared security critique points to malware in skills, prompt-injection exposure, and localhost auth issues, while the HN discussion in the thread summary centers on per-tool and per-function permissions.
What actually shipped in 2026.3.22?
The 2026.3.22 release is a broad platform update, not a single feature drop. OpenClaw's release post highlights five engineering-relevant changes: ClawHub as a plugin marketplace, more model backends with "per-agent reasoning," /btw for side questions, OpenShell plus SSH sandboxes, and search integrations for Exa, Tavily, and Firecrawl.
The beta notes in the prerelease add the implementation detail the headline post skips. Plugin installation now prefers ClawHub over npm for safer package handling; the Chrome extension relay path is gone and users must run openclaw doctor --fix to migrate; and the plugin SDK has been reworked around openclaw/plugin-sdk/*, with message discovery now requiring describeMessageTool(...). The same beta also deprecates the bundled nano-banana-pro wrapper in favor of a native model path and swaps in a Matrix plugin built on the official matrix-js-sdk.
A small but relevant governance point: amid speculation around the launch, founder Steipete said in a correction post that "OpenAI did not buy the project" and that OpenClaw is run by an independent foundation.
What changed a day later, and how stable was the rollout?
The 2026.3.23 patch reads like a fast stabilization release for a very large launch. According to the patch notes, OpenClaw added a DeepSeek provider plugin, Qwen pay-as-you-go API support, OpenRouter auto-pricing, and an Anthropic thinking-order change, alongside fixes across Discord, Slack, Matrix, the web UI, and Chrome MCP.
Steipete said in a postmortem note that a release step for the web control UI assets was missed, leaving the current release unable to load that UI correctly until users moved to beta or waited for a refreshed build. In the follow-up thread, he said the team is "automating the whole release pipeline" and adding end-to-end tests for web, while another reply called macOS release and Apple's notarization flow "the hardest part of automating." A separate post in the GitHub sponsorship note says OpenClaw also hit GitHub free-tier limits while automating releases.
There are already early signs that the plugin surface is being used to connect external agent stacks. Steipete wrote in a plugin note that Harold connected a Codex app server with OpenClaw, calling it "the power of plugins."
Does the marketplace and sandbox push change the security picture?
OpenClaw is a Security Nightmare Dressed Up as a Daydream | Composio
390 upvotes · 274 comments
OpenClaw is expanding its plugin and sandbox surface while critics are arguing that its trust model is still immature. The Composio write-up linked from the HN-covered article alleges malware in marketplace skills, prompt-injection risk amplified by agent permissions, compromised integrations, and more than 30,000 exposed instances from localhost auth bypasses; it also notes some mitigations, including VirusTotal scanning.
The HN discussion summarized in the thread is more useful than the headline for deployment teams. Some commenters argued for "limited scope permissions" and "per-function permissions" instead of blanket account access, while another noted that a containerized filesystem is only "a slightly more secure version" if the underlying account and tool permissions stay broad. That matters because OpenClaw's own beta changelog shows the team hardening sandboxes against JVM, glibc, and .NET hijacking attempts, but sandboxing and plugin distribution solve different layers of the risk model.
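The per-function permission model the commenters describe, as an added example that is not OpenClaw's code and does not use its plugin SDK: a default-deny policy that grants each plugin named tools on named resources, so that even a plugin running inside a container cannot read outside its directory or call hosts it was not granted. The `Grant`/`ToolPolicy` classes, the plugin names ("notes", "admin"), tool names ("fs.read", "http.get") and paths are all constructed for illustration.

```python
"""Default-deny, per-tool permission policy for agent plugins (illustrative, not OpenClaw code)."""
import posixpath
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Grant:
    """One permission: `plugin` may call tools matching `tool` on resources matching `scope`."""
    plugin: str
    tool: str                       # exact name or glob, e.g. "fs.read" or "fs.*"
    scope: Tuple[str, ...] = ()     # path prefixes ("/home/agent/notes") or host globs ("*.example.com")


def _resource_matches(resource: str, pattern: str) -> bool:
    """Path patterns are prefix checks on a normalized path, so ".." segments cannot
    escape the granted directory; any other pattern is a glob (used here for hostnames)."""
    if pattern.startswith("/"):
        if not resource.startswith("/"):
            return False
        norm = posixpath.normpath(resource)
        prefix = posixpath.normpath(pattern)
        return norm == prefix or norm.startswith(prefix.rstrip("/") + "/")
    return fnmatchcase(resource, pattern)


@dataclass
class ToolPolicy:
    grants: List[Grant] = field(default_factory=list)
    denials: List[Tuple[str, str, Optional[str]]] = field(default_factory=list)  # audit trail

    def allows(self, plugin: str, tool: str, resource: Optional[str] = None) -> bool:
        """Default deny. A scope-less grant covers only resource-less calls; a call that
        names a resource must hit a grant whose scope matches it."""
        for g in self.grants:
            if g.plugin != plugin or not fnmatchcase(tool, g.tool):
                continue
            if resource is None and not g.scope:
                return True
            if resource is not None and any(_resource_matches(resource, s) for s in g.scope):
                return True
        self.denials.append((plugin, tool, resource))
        return False

    def call(self, plugin: str, tool: str, fn: Callable[[str], str], resource: str) -> str:
        """Dispatch a tool call only if the policy permits it."""
        if not self.allows(plugin, tool, resource):
            raise PermissionError(f"{plugin} may not call {tool} on {resource!r}")
        return fn(resource)


def build_sample_policy() -> ToolPolicy:
    """Constructed sample: "notes" is scoped tightly; "admin" carries the kind of blanket
    fs.* grant that makes a containerized filesystem only marginally safer."""
    return ToolPolicy(grants=[
        Grant("notes", "fs.read", ("/home/agent/notes",)),
        Grant("notes", "http.get", ("*.example.com",)),
        Grant("admin", "fs.*", ("/",)),
    ])


def fake_read(path: str) -> str:
    """Stand-in for a real filesystem tool; returns a constructed marker string."""
    return f"<contents of {path}>"


def demo() -> dict:
    """Exercise the policy on representative calls; returns decision per case."""
    p = build_sample_policy()
    return {
        "notes_read_own_dir": p.allows("notes", "fs.read", "/home/agent/notes/todo.md"),
        "notes_traversal": p.allows("notes", "fs.read", "/home/agent/notes/../../../etc/passwd"),
        "notes_write": p.allows("notes", "fs.write", "/home/agent/notes/todo.md"),
        "notes_http_ok": p.allows("notes", "http.get", "api.example.com"),
        "notes_http_other": p.allows("notes", "http.get", "evil.example.org"),
        "admin_anything": p.allows("admin", "fs.delete", "/etc/hosts"),
        "denials_logged": len(p.denials),
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case}: {decision}")
```

The `denials` list is the part worth wiring into real telemetry: a plugin that repeatedly asks for paths or hosts outside its grant is exactly the prompt-injection or malicious-skill signal the Composio critique describes, and it is invisible if the sandbox is the only control.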