104 people rewrote the underlying code. OpenClaw is equipped with a "task brain" and can even manage QQ bots.

[Introduction] 104 developers have joined forces, and OpenClaw, the world's most popular open - source AI assistant, has released another significant update. For the first time, it equips the AI Agent with a task control panel at the "operating system" level: enabling the AI to manage itself, schedule tasks, and say no. The second half of the Agent competition has arrived.

A month ago, Alexander Feick, an expert from the cybersecurity company eSentire, made a statement on The New Stack that worried the AI Agent community for a long time:

The most fundamental gap in OpenClaw is not a certain checkbox, but the lack of a control plane that can express fine - grained trust boundaries.

https://thenewstack.io/openclaw-github-stars-security/

Feick issued such a warning when he saw that the adoption of OpenClaw had far exceeded the normal level.

His subtext is obvious: The more capable your AI assistant is, the more dangerous it is because no one can control it at all.

At that time, OpenClaw had just set a record: starting from scratch, it surpassed React's ten - year accumulation with 250k Stars in just about 60 days, becoming the software project with the most Stars on GitHub.

However, challenges also followed: An AI Agent platform without a scheduling kernel and permission control will crash more severely the faster it runs.

Just now, the problem of the absence of the "control panel" mentioned by Feick has been solved.

Peter Steinberger (@steipete), the founder of the OpenClaw project, officially announced the release of OpenClaw v2026.3.31 - beta.1 on X.

https://github.com/openclaw/openclaw/releases

This release marks that the background task scheduling of OpenClaw has moved from scattered record - keeping to a unified control plane.

The ambition behind SQLite: The formation of the background task control plane

How did the "background tasks" of OpenClaw work before this update?

Actually, it hardly "worked" at all.

Previously, the background tasks of OpenClaw were just a record - keeping tool at the ACP (Agent Client Protocol) level.

After a subtask was completed, the result might not be traced back to the parent session; cron scheduled tasks and CLI background executions went their own ways; once a task crashed midway, the recovery mechanism was ineffective.

This time, v2026.3.31 - beta.1 did a major thing: It unified all four execution entities, namely ACP, subagent, cron, and background CLI, onto a SQLite - backed task ledger.

This means the following aspects of upgrades:

First, all background tasks now have unified lifecycle management. Heartbeat monitoring, automatic recovery of lost tasks, auditing, and maintenance are all built - in.

Second, a task flow registry is introduced. For the first time, developers can use openclaw flows list|show|cancel to view and control task flows. The concept of "parent records" is introduced for multi - task orchestration, and it is no longer a bunch of scattered "orphan processes".

Third, blocked tasks can persist in the blocked state and be retried cleanly on the same flow instead of fragmenting into new tasks.

The results of subtasks can also be traced back to the parent session: After your Agent completes a complex task in the background, it knows which conversation thread to report to.

More importantly, this is not just a functional enhancement.

Kubernetes unified the scheduling of containers onto a control plane, and what OpenClaw did this time is very similar: it unified four different background execution paths onto a SQLite ledger.

The difference is that Kubernetes schedules containers, while OpenClaw schedules the tasks of AI Agents.

The founder warns: It's best to upgrade quickly

This version has 6 breaking changes, 4 of which are directly related to security.

The most important one: The approval mechanism for dangerous tools in ACP has been rewritten.

The previous logic was to override by tool name: adding the tool name to the whitelist would automatically allow it.

The problem is obvious: A tool named "read_file" may have the ability to execute code indirectly, and the name does not show the real risk.

Now it has been changed to approval by semantic category: only a narrow range of read - only operations (search, read) can be automatically approved. Tools with indirect execution capabilities and control plane tools all require explicit user confirmation.

This change targets the ACP approval link, not a unified switch for the entire OpenClaw approval system, but it blocks the biggest permission vulnerability before.

This is not all.

Plugin installation now defaults to fail - closed: If the built - in security scan detects dangerous code, the installation will fail directly.

Want to force the installation?

You have to manually add the deliberately long parameter: dangerously - force - unsafe - install.

Gateway authentication has been tightened comprehensively: The trusted - proxy no longer accepts mixed shared token configurations; the node command remains disabled before the pairing approval is passed; tasks triggered by the node are restricted to the reduced trusted surface.

There are also these detailed fixes:

Prevent Docker endpoints, TLS trust roots, Python package indexes, and compiler include paths from being overwritten by request - level environment variables; block the approval bypass of caffeinate and sandbox - exec; detect inline eval in command carriers such as awk, find, xargs, make...

Contributions from AntAISecurityLab are spread throughout the entire Changelog, including path resolution races, early rejection of image bombs, cross - domain redirection cookie leakage, and sandbox symbolic link escapes - each of which is an attack surface dug out in actual combat.

Steinberger repeatedly emphasized when releasing the beta version before: This update mainly focuses on security reinforcement, so you really'd better upgrade quickly.

Multimodal and multi - terminal explosion: The tentacles of the global Agent are extending

In addition to the above framework and nervous system, there are also some "muscle - level" modifications, mainly referring to the updates in channel coverage.

They point to a clear signal: The tentacles of OpenClaw's Agent are extending globally.

One of the changes is that the QQ Bot has officially joined as a bundled channel plugin.

It supports multi - account configuration, SecretRef credential management, slash commands, reminder functions, and media sending and receiving.

The update of WhatsApp seems small, but its design intention is worth pondering: The Agent can now use emojis to respond to messages with expressions: using ❤️ instead of typing a text reply.

This is to make chatting with the robot closer to "natural conversation".

Matrix has added streaming responses: Some replies will now update the same message in place instead of sending a new message for each chunk.

LINE supports sending out pictures, videos, and audios.

Microsoft Teams has added member information query backed by Graph.

There are also fixes for the CJK package.

The context cropping finally no longer underestimates the length of Japanese and Chinese Extension B Chinese characters;

Ternary word segmentation and short CJK substring fallback have been added to memory search;

The sandbox browser has installed fonts - noto - cjk: Chinese, Japanese, and Korean characters in screenshots are finally no longer tofu blocks;

TTS automatically detects CJK - dominated text and switches to Chinese voice;

The Markdown rendering has fixed the problem of bare links swallowing adjacent CJK characters.

The cumulative effect of these "small fixes" shows that OpenClaw is moving from a geek toy for English developers towards the goal of a "global multilingual infrastructure".

What it wants is no longer just to be on GitHub Trending; it has set its sights on a broader global market.

Behind 343k Stars: Putting wild growth on an institutionalized track

In addition to the technical details, there is also a number worth pondering: 104 contributors participated in this beta version.

Steipete once sighed on Twitter about the "happy troubles" that OpenClaw faced:

PRs were growing at an impossible speed: about 600 commits were submitted in one day, so he needed an AI to scan each PR and Issue and remove duplicates.

The netizen jonahships_ said: "Claw can continuously build new capabilities on itself. You just need to talk to it on Discord. The future has arrived."

The netizen rovensky's judgment is sharper, believing that OpenClaw is the real thing that may kill a large number of SaaS companies.

It is the real thing that will kill a large number of SaaS startups: not ChatGPT. Because it can be hacked, more importantly, it can self - hack, and it can be deployed locally. This will crush traditional SaaS.

In terms of data: As of March 2026, 172 startups have built products based on the OpenClaw ecosystem, and the monthly ecosystem revenue has reached $361K.

The number of skills in the ClawHub skill market has increased from 5700 at the beginning of February to 13729. The monthly traffic is 27 million, and the monthly active users are 2 million.

However, under the hustle and bustle, security issues are becoming increasingly severe.

There are more than 5000 open issues.

There is a review pressure of 3100 commits per day.

An Agent of a Meta executive accidentally deleted the entire email.

A computer science student found that his Agent created a profile on a dating website without permission. Security researchers have disclosed zero - click hijacking vulnerabilities...

There is no doubt that the speed of the open - source community has exceeded the product iteration rhythm of any company. If speed loses order, it will be a disaster.

This task control plane and security tightening in v2026.3.31 - beta.1 are essentially using architectural means to put this wild growth on an institutionalized track.

The wave of technological democratization

A month ago, Feick warned that the control plane should be embedded in tools like OpenClaw instead of being added later.

The market will push tools like OpenClaw far ahead of the governance framework: unless we embed the control plane instead of adding it later.

This upgrade of v2026.3.31 - beta.1 just responds to this point: It embeds the first AI task control plane into the governance system of the AI Agent.

The background task control plane solves the scheduling problem; the ACP semantic approval tightens permission control; the multi - channel capabilities continue to expand. These three things together show that the governance ability of OpenClaw has been substantially enhanced in this version.

Looking at the project history, OpenClaw exceeded React's ten - year Star accumulation in 60 days.