OpenClaw 2026.4.21: GPT-Image-2, Moonshot K2.6 & Session Maintenance

Headline Features

GPT-Image-2 Support

OpenAI's latest image generation model is now the default for OpenAI image generation. GPT-Image-2 brings improved quality and supports higher resolution outputs. The bundled provider now advertises 2K and 4K size hints, and the system automatically falls back to previous models if GPT-Image-2 is temporarily unavailable.

// GPT-Image-2 with high resolution
{
  "image": {
    "generate": {
      "prompt": "A futuristic AI agent workspace",
      "size": "2048x2048"
    }
  }
}

Moonshot Kimi K2.6 as Default

The bundled Moonshot setup now defaults to Kimi K2.6 for web search, media understanding, and general queries. K2.5 remains available for compatibility. K2.6 brings improved reasoning, better multilingual support, and enhanced tool use capabilities.

Automatic Session Maintenance

Sessions now enforce built-in entry caps and age-based pruning by default. Oversized session stores are pruned at load time, preventing accumulated cron and executor backlogs from causing OOM crashes before the write path runs. This is a significant reliability improvement for long-running deployments.

Strengthened System Prompts

The default system prompt and OpenAI GPT-5 overlay have been enhanced with:

• Clearer completion bias guidance
• Live-state checks for better situational awareness
• Weak-result recovery patterns
• Verification-before-final guidance

Image Generation Improvements

Provider Fallback Logging

Failed provider/model candidates are now logged at warn level before automatic fallback. This means OpenAI image failures are visible in the gateway log even when a later provider succeeds, making debugging much easier.

Smarter Provider Selection

The image generation system now better handles bare image-model overrides, keeping them on the configured image provider instead of incorrectly re-exposing the image-generation tool on native vision turns.

Session & Memory Fixes

Cost Tracking Accuracy

Estimated costs are now snapshotted like token counters, preventing repeated persist paths from compounding the same run cost by up to dozens of times. Your usage reports will be significantly more accurate.

Session Reset Behavior

The /new and /reset commands now clear auto-sourced model, provider, and auth-profile overrides while preserving explicit user selections. Channel sessions no longer stay pinned to runtime fallback choices after a reset.

Active Memory Degradation

When memory recall fails during prompt building, the system now logs a warning and continues the reply without memory context instead of failing the entire turn. This graceful degradation prevents single memory issues from breaking conversations.

Channel & Integration Improvements

Mattermost Streaming

Mattermost now streams thinking, tool activity, and partial reply text into a single draft preview post that finalizes in place when safe. This provides much better real-time feedback for long-running agent responses.

Slack Thread Preservation

Slack now preserves thread aliases in runtime outbound sends, so generic runtime sends stay in the intended thread when the caller supplies threadTs.

BlueBubbles Group System Prompts

Per-group systemPrompt config is now forwarded into inbound context as GroupSystemPrompt, so configured group-specific behavioral instructions are injected on every turn. Supports "*" wildcard fallback matching the existing requireMention pattern.

Telegram Polling Reliability

The default polling watchdog threshold has been raised from 90s to 120s, with configurable channels.telegram.pollingStallThresholdMs per account. Long-running Telegram work gets more room before polling is treated as stalled.

Security Fixes

Owner Command Enforcement

Owner-enforced commands now require actual owner identity (owner-candidate match or internal operator.admin). Wildcard channel allowFrom or empty owner-candidate lists are no longer sufficient, preventing non-owner senders from reaching owner-only commands through permissive fallbacks.

MCP Environment Protection

MCP now blocks interpreter-startup environment keys like NODE_OPTIONS for stdio servers while preserving ordinary credential and proxy environment variables. This prevents potential code injection through environment manipulation.

Template Session Key Gate

The allowRequestSessionKey gate is now enforced on template-rendered mapping sessionKeys, preventing potential session key injection through template processing.

QQBot SSRF Protection

SSRF guards have been added to direct-upload URL paths in uploadC2CMedia and uploadGroupMedia operations.

Developer Experience

Cron State Separation

Runtime execution state is now split into jobs-state.json, keeping jobs.json stable for git-tracked job definitions. This makes version control of cron jobs much cleaner.

Plugin Test Optimization

Plugin loader aliases and Jiti config resolution are now reused across repeated same-context loads, significantly reducing import-heavy test overhead.

Detached Task Registration

A detached runtime registration contract has been added so plugin executors can own detached task lifecycle and cancellation without reaching into core task internals.

Context Compaction Notices

Agents now send opt-in start and completion notices during context compaction, giving users visibility into when and why their conversation context is being trimmed.

Model & Provider Fixes

OpenAI Codex Transport

Legacy openai-completions transport overrides on default OpenAI/Codex and GitHub Copilot-compatible hosts are now normalized back to the native Codex Responses transport, while leaving custom proxies untouched.

Anthropic API Scoping

Anthropic api: "anthropic-messages" now defaults to Anthropic-owned providers, preventing openai-codex and other providers without an explicit api from being incorrectly rewritten to the wrong transport.

Thinking Level Resolution

/think levels are now resolved against each GPT model's supported reasoning efforts, so /think off no longer becomes high reasoning or sends unsupported reasoning.effort: "none" payloads.

Model Selection Recovery

Transient auto-failover session overrides are now cleared before each turn, so recovered primary models are retried immediately without emitting user-override reset warnings.

Upgrade Guide

Immediate Upgrade Recommended If:

• You use image generation (GPT-Image-2 improvements)
• You use Moonshot/Kimi models (K2.6 default)
• You run long-running sessions (maintenance improvements)
• You've experienced OOM issues with session accumulation
• You use Mattermost, Slack, BlueBubbles, or Telegram
• Security hardening is a priority

Upgrade Commands

# Via CLI
openclaw update

# Or ask your agent
Update OpenClaw to the latest version

Post-Upgrade Checklist

• Verify image generation works with your existing prompts
• Check Moonshot K2.6 is selected for new conversations
• Review session sizes after a day of operation
• Test your primary channel integrations
• Monitor gateway logs for any new warnings

Full Changelog

This release includes 40+ additional fixes and improvements across plugins, channels, gateway core, and developer tools. Notable mentions include:

• Exec/YOLO promptless execution restored for heredoc forms
• Browser DevToolsActivePort failures now show proper connectivity errors
• WebChat inline image attachments handled correctly for empty-turn gating
• Gateway usage cache bounded with FIFO eviction
• Terminal logging optimized with regex-based sanitization
• Plugin startup dependencies isolated per-extension
• Setup TUI relaunches cleanly without exposing gateway secrets
• QA suite fails by default on scenario failures for CI automation

Full changelog available on GitHub.