OpenClaw v2026.3.13: Browser Profiles, Security Hardening, and the Ollama Fix You’ve Been Waiting For

The March 13 release dropped overnight and it’s a big one. Not big in the “flashy new feature” sense. Big in the “they finally fixed things that were quietly breaking real setups” sense.

I’ve been running OpenClaw on bare metal Ubuntu with a multi-model chain (Opus 4.6 orchestrating, GPT 5.4 for code, Ollama for embeddings and local inference). This release touches several parts of that stack. Here’s what matters, what changed in my setup, and what you should pay attention to.

Browser Automation Gets Real

This is the headline feature for anyone doing agent-driven browser work.

Chrome DevTools MCP Attach Mode

You can now attach OpenClaw directly to your signed-in Chrome session through Chrome DevTools Protocol. No more spinning up isolated browser instances that don’t have your cookies, sessions, or extensions. Enable chrome://inspect/#remote-debugging in your Chrome install and OpenClaw can connect to your live browser.

Why this matters: most useful browser automation needs your actual logged-in state. Checking dashboards, managing cloud consoles, interacting with authenticated web apps. A sandboxed browser with no sessions is useless for half the things you’d want an agent to do. This release makes the signed-in browser a first-class citizen.

Built-in Browser Profiles

Two new profiles ship out of the box:

  • profile="user" targets your logged-in host browser directly
  • profile="chrome-relay" targets the Chrome extension relay for the attach-tab flow

Before this, you had to mess with browserSession selectors to route agent browser calls to the right place. Now you just pass a profile name. Cleaner config, fewer gotchas.

In my setup, I use browser automation for monitoring dashboards and checking deployment status. The profile="user" option means my agent can hit authenticated pages on Vercel, GitHub, and Cloudflare without maintaining separate browser sessions. That was a real pain point before.

Batched Actions and Selector Targeting

Browser act requests now support batched actions, CSS selector targeting, and delayed clicks. If you’re building automation sequences that click through multi-step flows, you can now batch those actions instead of making individual calls and waiting for round-trips between each one.

The practical difference: a 5-step form fill that took 5 separate tool calls now takes one batched dispatch. Fewer tokens, faster execution, less chance of the page state changing between steps.

The Ollama Fix That Actually Matters

If you run local models through Ollama (and you should for embeddings and triage), this one’s important.

Before: Ollama models with native reasoning/thinking capabilities would leak their internal chain-of-thought into the final response text. If you were using a reasoning model like QwQ or DeepSeek-R1 through Ollama, the model’s internal “let me think about this step by step…” text would show up in what your agent treated as the actual answer.

After: OpenClaw now strips native thinking and reasoning fields from Ollama responses before surfacing the final text.

This matters for anyone using local reasoning models for triage or lightweight decision-making. I run Ollama for code search embeddings and commit message generation, but I’ve been experimenting with reasoning models for more complex local inference. Having the thinking tokens leak into outputs was a blocker for using them in any pipeline where the output gets parsed or forwarded. Fixed now.

If you’re running qwen3-coder or similar through Ollama and noticed weird verbose outputs, this is why. Update and the problem goes away.

Custom Provider API Key Handling

Another quiet fix that affects Ollama users: OpenClaw now correctly handles blank API keys for loopback OpenAI-compatible providers.

Ollama runs locally and doesn’t need authentication. But OpenClaw’s provider system expected an API key and would generate a synthetic Authorization: Bearer header even when you left the key blank. Some setups would silently work around this. Others would fail in confusing ways.

The fix: blank API keys for local providers now clear the auth header entirely. If you have Ollama configured as a custom OpenAI-compatible endpoint (which is the recommended pattern for embeddings), this eliminates a class of intermittent auth-related failures you might not have even noticed.

Security: 10+ Fixes, Several Critical

This release is heavy on security hardening. I’ll highlight the ones that matter most for production setups.

Device Pairing Codes Are Now Single-Use

Before: A bootstrap setup code generated during device pairing could be replayed. An attacker who intercepted the code could use it multiple times, potentially escalating to admin before the pairing request was approved.

After: Setup codes are consumed on first use. Period.

If you’re pairing mobile devices (Android or iOS companion apps) to your gateway, this is a meaningful improvement. The attack window was narrow but real, especially on shared networks.

External Content Sanitization Hardened

OpenClaw wraps untrusted external content (emails, web fetches, webhook payloads) in EXTERNAL_UNTRUSTED_CONTENT markers to help the model distinguish between system instructions and user-provided text. Attackers were using zero-width characters and soft hyphens to split the marker text, bypassing the sanitization.

Fixed. The boundary sanitization now strips these invisible characters before checking markers. This is the kind of prompt injection defense that matters in real deployments where your agent processes untrusted input daily.

Exec Approval Hardening (macOS Focus)

Six separate fixes to the exec approval system, mostly targeting macOS:

  • PowerShell -File and -f wrapper forms now get properly analyzed
  • env dispatch wrappers (env FOO=bar /path/to/bin) resolve against the actual executable
  • Backslash-newline continuations in shell commands fail closed instead of slipping past checks
  • Skill auto-allow trust now binds to both executable name AND resolved path
  • pnpm runtime wrapper forms get properly unwrapped
  • Perl -M and -I preload paths fail closed

The theme: every edge case where a command could look different enough to bypass approval checks has been closed. If you’re running with exec approvals enabled (and you should be on any multi-user or externally-accessible setup), these fixes tighten the perimeter significantly.

iMessage Remote Attachment Path Injection

If you use the iMessage integration, sender-controlled filenames in remote attachments could inject shell metacharacters into the SCP command used for media staging. Now rejected before the spawn. This is the kind of vulnerability that sounds obscure until you realize anyone who sends you an iMessage with a crafted filename could potentially execute commands on your host.

Telegram Webhook Auth

Telegram webhook requests are now validated (secret checked) before the body is even parsed. Previously, unauthenticated requests would consume up to 1 MB of body parsing before being rejected. Not a code execution risk, but a resource exhaustion vector that’s now closed.

Dashboard and UI Fixes

Tool-Heavy Runs No Longer Freeze the UI

If you use the Dashboard v2, you’ve probably noticed the UI freezing during tool-heavy agent runs. Every live tool result was triggering a full chat history reload. On a run with 20+ tool calls, that meant 20+ complete re-renders.

Fixed. Live tool results now update incrementally. The full history refresh only happens on the final event. This is a quality-of-life improvement that makes the dashboard actually usable during complex agent operations.

Long Replies Render Properly

Plain-text replies that exceeded a size threshold were getting rendered as gray code blocks instead of normal paragraphs. If you’ve seen your agent’s longer responses suddenly switch to monospace font, that’s gone now.

Platform-Specific Fixes

Windows Gateway (3 Fixes)

Windows users get three gateway lifecycle fixes: schtasks calls are now bounded with a fallback to Startup-folder login items when task creation hangs, gateway stop actually kills fallback-launched processes, and gateway status correctly reports port and running state for startup-fallback gateways. If you’ve been fighting Windows gateway installs that hang or report incorrect status, update immediately.

Telegram Media Downloads

Two fixes for Telegram media: file downloads now thread the correct proxy/direct transport policy through SSRF-guarded fetches, and there’s an IPv4 fallback for hosts where IPv6 is broken. If you’ve had intermittent failures downloading images sent to your Telegram bot, this is likely the fix.

Discord Gateway Startup

Plain-text and transient failures during Discord’s /gateway/bot metadata fetch no longer crash the entire gateway on startup. Transient network blips during Discord connect used to bring down the whole agent. Now they’re retried properly.

Gateway Session Reset

/reset now preserves lastAccountId and lastThreadId, so replies keep routing to the correct account and thread after a session reset. Before this fix, resetting your session could cause the next reply to route to the wrong channel. Small fix, big impact if you use /reset regularly (which I do, multiple times a day).

Mobile Improvements

Android Chat Settings Redesign

The chat settings sheet got a visual overhaul: grouped device and media sections, refreshed Connect and Voice tabs, and a denser mobile layout for the composer and session header. If you run the Android companion app, the settings experience is noticeably cleaner.

iOS Onboarding

New first-run welcome pager before gateway setup, and the QR scanner no longer auto-opens. Instead, you get clear /pair qr instructions on the connect step. The Android QR scanner also switched from the legacy ZXing library to Google Code Scanner for more reliable scanning.

Docker Timezone Override

A small but welcome addition: OPENCLAW_TZ lets you pin your Docker containers to a specific IANA timezone instead of inheriting from the daemon. If you run OpenClaw in Docker and your container timezone doesn’t match your actual timezone, your cron jobs and heartbeats fire at the wrong time. Now you just set OPENCLAW_TZ=America/New_York (or whatever your zone is) in your docker-compose and everything aligns.

I run bare metal so this doesn’t affect me directly, but I’ve seen multiple people in the Discord community confused by their scheduled tasks firing at unexpected times. This solves it cleanly.

Updating

openclaw update run

Or if you’re running from npm:

npm update -g openclaw
openclaw gateway restart

Check the full release notes for the complete changelog. There are additional fixes I didn’t cover here (Slack probe mapping, macOS voice wake crash, Google Vertex model normalization) that might be relevant to your specific setup.

The Takeaway

This release is maintenance-heavy in the best way. The browser profiles and Chrome DevTools MCP features are genuinely new capabilities. But the bulk of the value is in security hardening and bug fixes that make existing setups more reliable.

The security fixes alone make this a mandatory update for anyone running OpenClaw in production. Single-use pairing codes, hardened content sanitization, and closed exec approval edge cases are the kind of unglamorous work that separates a toy from a tool you can actually trust.

If you’re running a multi-model setup with Ollama and OpenClaw, the reasoning visibility fix and custom provider API key fix remove two friction points that have been annoying since reasoning models got popular. Worth updating for those alone.

Need help setting up a hardened multi-model OpenClaw deployment? I’ve been running this stack in production for months. Reach out.