OpenClaw, the open-source autonomous AI assistant that has gained widespread adoption in early 2026, released version v2026.2.17 on February 17, 2026, introducing support for Anthropic’s latest Claude Sonnet 4.6 model.
The release comes amid growing security concerns after researchers documented the first in-the-wild credential theft targeting OpenClaw configuration files by infostealer malware.
New Anthropic Model Integration
The v2026.2.17 update expands OpenClaw’s model-agnostic architecture to support Anthropic’s newly released Claude Sonnet 4.6 model, which users had previously encountered errors when attempting to use.
OpenClaw already supported various Anthropic Claude models including Opus and Sonnet variants through API key authentication, with features like extended prompt caching and access to Anthropic’s beta 1-million-token context window.
New Features
| Category | Feature | Description |
|---|---|---|
| Anthropic Support | 1M Context Beta | Opt-in 1 million token context window for Opus/Sonnet via context1m: true parameter |
| Anthropic Support | Claude Sonnet 4.6 | Native support for Anthropic’s latest Sonnet 4.6 model with forward-compatibility fallback |
| Subagents | /subagents spawn | Deterministic subagent activation from chat commands for workflow automation |
| iOS | Share Extension | Forward shared URLs, text, and images directly to gateway agent with delivery fallback |
| iOS Talk Mode | Background Listening | Toggle to keep Talk Mode active while app is backgrounded (off by default) |
| iOS Talk Mode | Voice Directive Hint | Disable ElevenLabs voice-switching instructions to save tokens when not needed |
| Slack | Native Text Streaming | Single-message streaming with chat.startStream/appendStream/stopStream APIs |
| Telegram | Inline Button Styles | Support for primary, success, and danger button styles in message interfaces |
| Telegram | Reaction Notifications | Surface user message reactions as system events with configurable scope |
| Cron | Usage Telemetry | Per-run model/provider token usage logging in cron run logs and webhooks |
| Web Tools | URL Allowlists | Security restrictions for web_search and web_fetch operations |
| Memory | FTS Fallback | Full-text search fallback with query expansion for improved memory search |
The framework allows users to configure Anthropic models via CLI setup or direct config file modification, with options for different cache retention durations and enhanced context capabilities.
Security researchers at Hudson Rock reported the first documented case of infostealer malware successfully exfiltrating OpenClaw configuration files from a victim’s system.
The malware captured sensitive files including openclaw.json containing gateway authentication tokens and user credentials, device.json with private cryptographic keys used for device pairing and signing, and memory files storing personal context like daily activities and private messages.
The stolen gateway token could enable attackers to remotely connect to the victim’s local OpenClaw instance if exposed or impersonate the client in authenticated requests.
This incident marks a significant shift in the threat landscape as AI agents become more integrated into professional workflows.
Security experts warn that infostealer developers will likely create dedicated modules specifically designed to target OpenClaw files, similar to existing modules for Chrome or Telegram.
The attack was described as a “grab-bag” operation where the infostealer used broad file-harvesting routines that unintentionally captured the complete operational environment of the victim’s AI agent.
OpenClaw runs locally on user machines with full system access capabilities including file operations and shell commands, making proper security configuration critical.
Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google
