OpenClaw Latest Update: GPT-image2 adopts OAuth, eliminating the need for API keys; three-tier nested sub-agents are now live.
動區 BlockTempo, 2026-04-25 02:00:14

Open-source AI agent framework OpenClaw has released v2026.4.23, with core updates in three main areas: image generation, sub-agent mechanisms, and security hardening. OpenAI's gpt-image-2 can now be called directly via Codex OAuth without an API key, sub-agents gain conversation context inheritance and a three-layer nested architecture, and the security work builds on the 13 CVEs patched in early April.

v2026.4.23 was released last night, featuring updates in three main directions. OpenClaw, which has garnered 360,000 stars on GitHub, is currently one of the fastest-growing open-source AI agent frameworks. Since founder Peter Steinberger joined OpenAI in February this year, the project has been maintained by the community and a non-profit foundation, yet the pace of updates has not slowed.

Image generation is the most visible change this time. OpenAI's gpt-image-2 can now be called directly via the Codex OAuth 2.1 + PKCE flow, obtaining short-lived tokens from ChatGPT Plus/Pro subscriptions, which eliminates the need to configure an OPENAI_API_KEY separately. Launch command:

    openclaw onboard --auth-choice openai-codex

OpenRouter's image models are also integrated and accessible via the image_generate tool. Multi-reference image editing has been changed from JSON data URLs to multipart upload, fixing previous issues where complex edits were prone to failure. Agents can now specify parameters such as image quality, output format, and background transparency on demand, while xAI has added support for image generation and speech-to-text.

For general users, this means that where one previously had to apply for an API key and enter it into a configuration file to use OpenAI's image features, one can now simply log in via OAuth.

The core change to the sub-agent mechanism is "forked context": sub-agents can now inherit the conversation history of the parent agent instead of starting from scratch. They run in independent sessions during execution and report results back to the original chat channel upon completion.

The nested architecture is also officially live. By setting maxSpawnDepth to 2, one can run a three-layer main → orchestrator → workers architecture, with a single agent spawning up to 5 sub-agents and a global concurrency limit of 8.

Security updates: sub-agents are now restricted by default from accessing sensitive tools such as sessions_list and sessions_history, which must be explicitly enabled via a whitelist. This design ensures each sub-agent is granted only the minimum necessary permissions, preventing the attack surface from expanding as nesting depth increases.

Cybersecurity is the primary focus of this update. v2026.4.23 builds on the 13 CVEs patched in early April, two of which were Critical: CVE-2026-35639, which allowed privilege escalation via a scope validation bypass, and CVE-2026-35641, which allowed arbitrary code execution during local plugin installation via malicious .npmrc files.

However, patching vulnerabilities does not mean the danger is over. Blink research found that among approximately 135,000 publicly exposed OpenClaw instances globally, 63% have not enabled authentication. This means that Critical-level vulnerabilities can be exploited remotely without credentials. Patching vulnerabilities is one thing; how many people will actually update is another.
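The sub-agent spawn limits and default-deny tool rule described in the article, modelled as an added example (this is not OpenClaw's code or the article's). Only maxSpawnDepth, the limits 5 and 8, and the tool names sessions_list, sessions_history and image_generate come from the article; AgentTree, the other key names, and the rule that a sub-agent's grants must be a subset of its parent's are assumptions.

```javascript
// Hypothetical model, not OpenClaw code. Taken from the article: maxSpawnDepth,
// the limits 5 and 8, and the tool names sessions_list / sessions_history.
const POLICY = {
  maxSpawnDepth: 2,   // main (0) -> orchestrator (1) -> workers (2)
  maxChildren: 5,     // assumed key name; counts active children per agent
  maxConcurrent: 8,   // assumed key name; counts running sub-agents
  sensitiveTools: ["sessions_list", "sessions_history"],
};

class AgentTree {
  constructor(policy = POLICY) {
    this.policy = policy;
    this.running = 0;
    const root = { parent: null, depth: 0, children: 0, granted: new Set(policy.sensitiveTools) };
    this.agents = new Map([["main", root]]); // the root holds every sensitive tool
  }

  // allowlist: sensitive tools explicitly enabled for the new sub-agent.
  spawn(parentId, id, allowlist = []) {
    const { maxSpawnDepth, maxChildren, maxConcurrent, sensitiveTools } = this.policy;
    const p = this.agents.get(parentId);
    if (!p || this.agents.has(id)) return { ok: false, reason: "bad-id" };
    if (p.depth + 1 > maxSpawnDepth) return { ok: false, reason: "depth" };
    if (p.children >= maxChildren) return { ok: false, reason: "children" };
    if (this.running >= maxConcurrent) return { ok: false, reason: "concurrency" };
    // Assumption: grants must be held by the parent, so privilege never grows with depth.
    const grants = allowlist.filter((t) => sensitiveTools.includes(t));
    const denied = grants.filter((t) => !p.granted.has(t));
    if (denied.length) return { ok: false, reason: "escalation:" + denied.join(",") };
    p.children += 1; this.running += 1;
    this.agents.set(id, { parent: parentId, depth: p.depth + 1, children: 0, granted: new Set(grants) });
    return { ok: true, reason: "spawned" };
  }

  // Ordinary tools pass; sensitive tools need an explicit grant.
  canUse(id, tool) {
    const a = this.agents.get(id);
    return !!a && (!this.policy.sensitiveTools.includes(tool) || a.granted.has(tool));
  }

  // Called when a sub-agent reports back: frees its child and concurrency slots.
  finish(id) {
    const a = this.agents.get(id);
    if (!a || a.parent === null) return false;
    const p = this.agents.get(a.parent); if (p) p.children -= 1;
    this.running -= 1;
    return this.agents.delete(id);
  }
}
```

A worker spawned with an empty allowlist can still call ordinary tools such as image_generate, while a request to grant it a sensitive tool its orchestrator lacks is rejected at spawn time rather than at call time.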