OpenClaw March 2026 Update: PDF Tool, Telegram Streaming, Secrets Management & More

Release: 2026.3.2 — March 2026

The March 2026 OpenClaw release is a meaty one. It touches core tooling, security, channels, memory, and the plugin SDK. If you haven't updated yet:

npm i -g openclaw@latest

Or tell your agent:

/update

---

🗂️ First-Class PDF Tool

OpenClaw now has a built-in pdf tool — no workarounds needed.

It routes to native PDF analysis for Anthropic and Google models (which support PDFs directly), and falls back to text/image extraction for everything else. New config options:

• agents.defaults.pdfModel — dedicate a model for PDF tasks
• pdfMaxBytesMb — limit file sizes
• pdfMaxPages — restrict page ranges

Why it matters: Before this, PDF handling was patchy — convert to text, lose formatting, lose tables. Native PDF analysis means your agent can actually read contracts, invoices, and reports the way a human would.

---

📡 Telegram Streaming On By Default

Telegram now defaults to partial streaming mode, so you get live preview of responses as they're generated — no config change needed.

For DMs specifically, OpenClaw now uses sendMessageDraft for private preview streaming, keeping reasoning and answer previews in separate lanes.

If you prefer the old behavior (no streaming), set:

channels:
  telegram:
    streaming: off

---

🔐 Secrets Management Overhaul

Full SecretRef support now covers all 64 user-supplied credential surfaces in OpenClaw — runtime collectors, onboarding flows, config validation, the works.

What this means practically:

• Fail-fast behavior for unresolved secrets on active surfaces
• Non-blocking diagnostics for inactive surfaces
• openclaw secrets plan/apply/audit flows now fully integrated

If you've been using raw API keys in your config, consider migrating to SecretRefs. Your keys stay out of config files and logs.

---

🧠 Ollama Memory Embeddings

You can now run memory search entirely locally using Ollama:

memorySearch:
  provider: ollama
  fallback: ollama

OpenClaw will use your configured models.providers.ollama settings for embedding requests. Combined with a local Llama or Qwen model, this means your agent's memory system can be 100% local — no API calls, no costs.

---

📎 Subagent File Attachments

sessions_spawn now supports inline file attachments when using the subagent runtime. Pass base64 or UTF-8 encoded files directly when spawning an agent:

sessions_spawn({
  task: "Review this contract",
  attachments: [{ name: "contract.pdf", content: "...", encoding: "base64" }]
})

Files are redacted from transcripts and cleaned up after the session ends. Configurable via tools.sessions_spawn.attachments.

---

⚡ MiniMax M2.5 Highspeed

MiniMax-M2.5-highspeed is now a first-class model in the provider catalog. If you're using MiniMax for fast/cheap turns, this is the new default for the MiniMax OAuth plugin. Legacy MiniMax-M2.5-Lightning remains supported.

---

🛡️ Security Hardening

A large batch of security fixes landed in this release:

• SSRF guards on web tools — DNS pinning preserved even when proxy env vars are set
• Webhook auth-before-body — BlueBubbles, Google Chat, LINE now auth before reading request bodies (prevents slow-body DoS)
• Sandbox boundary — ACP spawns from sandboxed sessions now properly rejected
• Config backup permissions — rotated backups now 0600 (owner-only)
• Plugin HTTP hardening — explicit auth required for all plugin route registrations
• Gateway/WS security — plaintext ws:// restricted to loopback only

If you're running a self-hosted instance exposed to the internet, this update is worth prioritizing.

---

⚠️ Breaking Changes

Three things to watch if you're upgrading:

1. New install tool profile default New installs now default tools.profile to messaging — no broad coding/system tools out of the box. Existing installs are not affected.

2. ACP dispatch enabled by default acp.dispatch.enabled now defaults to true. If you want to pause ACP routing, set it explicitly to false.

3. Plugin HTTP handler API changed api.registerHttpHandler(...) is removed. Plugins must now use api.registerHttpRoute({ path, auth, match, handler }).

---

How to Upgrade

# npm global install
npm i -g openclaw@latest

# or via your agent
/update

The gateway restarts automatically. Sessions resume where they left off.

---

Full changelog and contributor credits: GitHub