The OpenClaw 4.20 update went live and the security changes alone make it worth installing.
Agents can't rewrite their own config anymore.
Bad requests get blocked before they hit your server.
Device pairing got tightened.
If you're running OpenClaw anywhere near a production workflow, the 4.20 security lockdown is the update you should install today.
Let me walk through what changed.
Why Security Matters More in the OpenClaw 4.20 Update
Running an agent that talks to customers, handles files, or touches your calendar?
One bad input could let someone mess with your setup.
That was a real risk in older versions.
In the OpenClaw 4.20 update, that risk gets dialled way down.
Agent can't rewrite its own config
This is the change that scared me most about older versions.
Before 4.20, the AI agent could technically rewrite parts of its own config.
It could change its own permissions.
It could change the tools it has access to.
Think about that for a second.
An agent that can grant itself new capabilities based on a prompt injection?
That's a huge attack surface.
In 4.20, the model can't touch sandbox settings, trust rules, or MCP server configs.
Even if it tries to sneak an edit through, it gets blocked.
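Here's the shape of that gate, as an added example I wrote for this post rather than OpenClaw's own code: every edit the model proposes goes through one check that refuses any path under a protected section, and a patch that so much as mentions `__proto__` is refused too, because a config merge is a classic spot for prototype pollution. The section names (sandbox, trust, mcpServers, tools.allow), the config shape and the sample config are assumptions.

```javascript
// Added example (not OpenClaw's code): a write gate for config edits proposed
// by the model. The protected section names and the shape of the config are
// assumptions made for this illustration.

// Sections the agent may never modify, as path prefixes.
const PROTECTED_PREFIXES = [
  ["sandbox"],          // sandbox settings
  ["trust"],            // trust rules
  ["mcpServers"],       // MCP server definitions
  ["tools", "allow"],   // the tool allow-list
];

// Keys that would turn a "config edit" into prototype pollution.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// Enumerate every leaf path a patch would write, e.g. [["sandbox", "mode"]].
function patchPaths(patch, prefix = []) {
  const paths = [];
  for (const [key, value] of Object.entries(patch)) {
    const path = [...prefix, key];
    if (isPlainObject(value) && Object.keys(value).length > 0) {
      paths.push(...patchPaths(value, path));
    } else {
      paths.push(path);
    }
  }
  return paths;
}

function isProtectedPath(path) {
  if (path.some((seg) => FORBIDDEN_KEYS.has(seg))) return true;
  return PROTECTED_PREFIXES.some(
    (pre) => pre.length <= path.length && pre.every((seg, i) => seg === path[i]),
  );
}

// Verdict on an agent-proposed patch: ok only if no written path is protected.
function checkAgentPatch(patch) {
  const rejected = patchPaths(patch).filter(isProtectedPath).map((p) => p.join("."));
  return { ok: rejected.length === 0, rejected };
}

// Merge a patch into a config, returning a new object (inputs are untouched).
function deepMerge(base, patch) {
  const out = { ...base };
  for (const [key, value] of Object.entries(patch)) {
    if (FORBIDDEN_KEYS.has(key)) throw new Error(`forbidden key: ${key}`);
    out[key] = isPlainObject(value) && isPlainObject(out[key])
      ? deepMerge(out[key], value)
      : value;
  }
  return out;
}

// The only entry point through which model-originated edits reach the config.
function applyAgentPatch(config, patch) {
  const verdict = checkAgentPatch(patch);
  if (!verdict.ok) {
    throw new Error(`agent edit rejected, protected paths: ${verdict.rejected.join(", ")}`);
  }
  return deepMerge(config, patch);
}

// Constructed sample config for trying the gate.
const SAMPLE_CONFIG = {
  model: "kimi-k2.5",
  sandbox: { mode: "strict" },
  trust: { allowHosts: [] },
  mcpServers: {},
  tools: { allow: ["web"], timeoutMs: 30000 },
};
```

The point is that the model never gets a handle on the config object itself: it can only hand a patch to `applyAgentPatch`, and a patch that touches `sandbox.mode`, `tools.allow` or a new entry under `mcpServers` never reaches the merge.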
SSRF guard
SSRF is server-side request forgery: someone hands your agent a URL (in a message, a file, a page it reads) and your server fetches it on their behalf.
If that URL points at localhost, a cloud metadata endpoint, or a box on your internal network, your gateway has just become their proxy.
The 4.20 guard checks where an outbound request is really going before it sends it.
A crafted URL or file no longer gets honoured blindly.
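This is what such a guard looks like in front of an outbound fetch, as an added example of my own and not OpenClaw's code. The resolver is a constructed in-memory stand-in for DNS so it runs offline; the host names and addresses in it are made up for the demo.

```javascript
// Added example (not OpenClaw's code): the shape of an SSRF guard placed in
// front of every outbound fetch. The resolver is a constructed, in-memory
// stand-in for DNS so the example runs offline; in a real gateway you would
// resolve with dns.lookup({ all: true }), check every returned address, and
// connect to the address you checked (not re-resolve) to defeat DNS rebinding.

const FAKE_DNS = {
  "api.example.com": ["203.0.113.10"],                 // public (TEST-NET-3)
  "internal.corp": ["10.0.0.5"],                        // private network
  "rebind.example.com": ["203.0.113.10", "127.0.0.1"],  // mixed public/loopback answer
};
function fakeResolve(host) {
  return FAKE_DNS[host] ?? [];
}

const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);
const IPV4_RE = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;

function isIPv4(s) {
  const m = IPV4_RE.exec(s);
  return !!m && m.slice(1).every((o) => Number(o) <= 255);
}

// Loopback, private, link-local (incl. cloud metadata 169.254.169.254),
// CGNAT, "this network", multicast and reserved ranges.
function ipv4IsInternal(ip) {
  const [a, b] = ip.split(".").map(Number);
  return (
    a === 0 || a === 10 || a === 127 ||
    (a === 100 && b >= 64 && b <= 127) ||
    (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) ||
    a >= 224
  );
}

function ipv6IsInternal(ip) {
  const h = ip.toLowerCase();
  if (h === "::" || h === "::1") return true;
  if (h.startsWith("::ffff:")) {
    // IPv4-mapped: dotted ("::ffff:127.0.0.1") or hex ("::ffff:7f00:1", the form URL serialises)
    const rest = h.slice(7);
    if (isIPv4(rest)) return ipv4IsInternal(rest);
    const parts = rest.split(":");
    if (parts.length !== 2) return true;                // unrecognised form: fail closed
    const hi = parseInt(parts[0], 16);
    const lo = parseInt(parts[1], 16);
    return ipv4IsInternal(`${hi >> 8}.${hi & 255}.${lo >> 8}.${lo & 255}`);
  }
  return /^f[cd]/.test(h) || /^fe[89ab]/.test(h) || h.startsWith("ff");
}

function isInternalAddress(ip) {
  return ip.includes(":") ? ipv6IsInternal(ip) : (!isIPv4(ip) || ipv4IsInternal(ip));
}

// Decide whether the gateway may fetch `raw`. Returns { ok, reason } on
// refusal, { ok, href, addresses } on approval. Run it on every redirect
// hop too: a public host can 302 to http://169.254.169.254/.
function checkOutboundUrl(raw, resolve = fakeResolve) {
  let url;
  try {
    url = new URL(raw);   // also canonicalises hosts like 2130706433 -> 127.0.0.1
  } catch {
    return { ok: false, reason: "unparseable URL" };
  }
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  if (url.username || url.password) return { ok: false, reason: "credentials embedded in URL" };
  const host = url.hostname.replace(/^\[|\]$/g, "").toLowerCase();
  if (host === "localhost" || host.endsWith(".localhost")) return { ok: false, reason: "localhost" };
  const addresses = host.includes(":") || isIPv4(host) ? [host] : resolve(host);
  if (addresses.length === 0) return { ok: false, reason: `cannot resolve ${host}` };
  for (const ip of addresses) {
    if (isInternalAddress(ip)) return { ok: false, reason: `${host} -> ${ip} is an internal address` };
  }
  return { ok: true, href: url.href, addresses };
}
```

Two things worth copying from it: the check runs after the URL parser has canonicalised the host, so tricks like a decimal or hex IP do not slip past a string match, and a name that resolves to several addresses is refused if any one of them is internal.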
Workspace ENV injection blocked
Someone drops a file into your project folder that sets environment variables.
Before, the agent's runtime could silently pick those up, and your setup changed without anyone touching the real config.
Now a workspace file can't inject environment into the gateway.
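To make the risk concrete, here is an added example of my own (not OpenClaw's loader) of how a gateway can read a workspace .env-style file without letting it take over: default-deny with a short allow-list, an outright refusal of variables that change how the runtime loads code or carry credentials, and the rule that the gateway's own environment always wins. The allow-list, the deny patterns and the sample file contents are all assumptions.

```javascript
// Added example (not OpenClaw's code): how a gateway can load a workspace
// .env-style file without letting it inject arbitrary environment. The
// allow-list, the deny patterns and the sample file are all assumptions.

// Default-deny: only these keys may come from a workspace file.
const WORKSPACE_ENV_ALLOW = new Set(["PROJECT_NAME", "TZ", "API_BASE_URL"]);

// Variables that change how the runtime loads code or finds binaries, or
// that carry credentials; these never come from a workspace, allow-listed or not.
const NEVER_FROM_WORKSPACE = [
  /^NODE_OPTIONS$/, /^NODE_PATH$/, /^PATH$/, /^LD_/, /^DYLD_/,
  /^PYTHONPATH$/, /^PYTHONSTARTUP$/, /^HOME$/, /^SHELL$/,
  /(_API_KEY|_TOKEN|_SECRET)$/,
];

// Parse KEY=VALUE lines; comments and blanks skipped, matching quotes stripped.
function parseDotenv(text) {
  const pairs = [];
  for (const rawLine of text.split(/\r?\n/)) {
    const line = rawLine.trim();
    if (!line || line.startsWith("#")) continue;
    const eq = line.indexOf("=");
    if (eq <= 0) continue;
    const key = line.slice(0, eq).trim();
    let value = line.slice(eq + 1).trim();
    if ((value.startsWith('"') && value.endsWith('"')) || (value.startsWith("'") && value.endsWith("'"))) {
      value = value.slice(1, -1);
    }
    pairs.push([key, value]);
  }
  return pairs;
}

// Merge a workspace file into the gateway's environment.
// The gateway's own environment always wins; the file can only add.
function loadWorkspaceEnv(text, processEnv) {
  const env = { ...processEnv };
  const rejected = [];
  for (const [key, value] of parseDotenv(text)) {
    if (!/^[A-Z_][A-Z0-9_]*$/.test(key)) { rejected.push({ key, reason: "malformed name" }); continue; }
    if (NEVER_FROM_WORKSPACE.some((re) => re.test(key))) { rejected.push({ key, reason: "runtime or credential variable" }); continue; }
    if (!WORKSPACE_ENV_ALLOW.has(key)) { rejected.push({ key, reason: "not in allow-list" }); continue; }
    if (/[\x00-\x1f\x7f]/.test(value)) { rejected.push({ key, reason: "control characters in value" }); continue; }
    if (Object.prototype.hasOwnProperty.call(processEnv, key)) { rejected.push({ key, reason: "already set by gateway, not overridden" }); continue; }
    env[key] = value;
  }
  return { env, rejected };
}

// Constructed sample: what a planted .env in a project folder might hold.
const SAMPLE_WORKSPACE_ENV = `
# constructed workspace .env
PROJECT_NAME=demo
NODE_OPTIONS=--require ./evil.js
TZ="Europe/London"
API_BASE_URL=https://api.example.com
OPENAI_API_KEY=sk-attacker-controlled
LD_PRELOAD=/tmp/hook.so
`;
```

Run `loadWorkspaceEnv(SAMPLE_WORKSPACE_ENV, { TZ: "UTC", PATH: "/usr/bin" })` and only PROJECT_NAME and API_BASE_URL get through; NODE_OPTIONS and LD_PRELOAD (which would load attacker code into the process), the planted API key, and the attempt to override TZ all come back in the rejected list with a reason you can log.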
Device pairing tightened
If you connect a phone or a laptop to your OpenClaw setup, that device only sees its own pairing info.
Can't peek at other devices.
Can't approve them.
If it fails to connect, you get a real error telling you why.
Not a useless generic "auth failed".
Kimi K2.6 Is Now the Default in the OpenClaw 4.20 Update
Before 4.20, Moonshot's Kimi inside OpenClaw was K2.5.
Now it's K2.6 by default.
K2.5 still available if you need it.
Why K2.6 is a real improvement
Kimi is open-source.
Fast.
Cheap to run.
K2.6 is much better than K2.5 at thinking, replying, and handling tools.
Handling tools is the key one for agent work.
If you were already running Kimi, your agent got smarter automatically.
Where K2.6 shows up
Web search inside OpenClaw uses K2.6 when you pick the bundled Kimi setup.
Media understanding uses it.
Token cost tracker knows K2.6 pricing.
Thinking keep all mode
New thinking mode you can leave on all the time.
Model thinks before every reply.
Works out the answer first instead of guessing.
Kimi is one of the cheapest models in OpenClaw.
Now it reasons like an expensive model.
Lower cost + better answers.
iMessage Agents Actually Send in the OpenClaw 4.20 Update
This is the flagship practical fix.
If you've got a Mac on the newest macOS and you tried running an AI agent through iMessage using Blue Bubbles before, you know the pain.
Messages wouldn't send.
Or took a full minute and broke.
Sometimes vanished into nothing.
All fixed.
The three fixes
Send time limit pushed from 10 seconds to 30 seconds, so slow sends no longer get cut off.
Sending uses a private path on the newest macOS so the text actually goes out.
An error that broke plain-text sends on TAH has been removed.
What opens up
Run an AI agent from your Mac.
Text customers over iMessage like a real person.
Messages actually land.
Local shop owner gets a text at 10pm about opening hours, and the agent replies straight away.
Coach gets a DM from a lead on the weekend, and the agent can book them into a call.
Tapback fallback
Agent reacts with a non-standard emoji. Before, the whole reaction would fail.
Now OpenClaw falls back to a related standard reaction.
Customer still feels seen.
iMessage over SMS
Someone has both iMessage and SMS on the same number.
OpenClaw picks iMessage first.
Before it sometimes sent SMS when the blue bubble was working.
Now it does the right thing.
Cron Jobs Rebuilt in the OpenClaw 4.20 Update
Nobody's talking about this.
It's huge.
Cron jobs = scheduled tasks = work on a timer without you touching it.
What was broken
Jobs would say "delivered" but silently keep skipping.
Jobs set to no-delivery would throw false errors.
Jobs running every hour piled up and ate memory.
What got rebuilt
Runtime state split into its own file so your job list stays clean.
Main session delivery fixed, so scheduled jobs land in the right chat.
Multi-channel jobs get validated at save so you can't build broken ones that fail at 3am.
Practical example
Local gym owner wants an agent to text every new sign-up on day 3 with a pep talk and day 7 checking in.
In 4.20, set it up once.
Runs forever.
If something breaks, you get a real error, not fake success.
The /think Command Got Smarter in the OpenClaw 4.20 Update
Before 4.20, telling a model to think when it couldn't think would break mid-task.
Now OpenClaw checks first.
Knows what each model can handle.
No more random errors.
When you turn thinking off, it stays off.
Some models used to quietly keep thinking anyway.
Gone.
Agent is more reliable.
Memory and Sessions Cleaned Up in the OpenClaw 4.20 Update
This was getting messy before.
Memory pile-up fix
Heavy cron usage used to pile up old sessions until the gateway ran out of memory and crashed.
In 4.20 there's a built-in cap and age-based cleanup.
Old sessions get pruned automatically.
Gateway stays healthy at hundreds of jobs per day.
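Cap plus age-based cleanup is a small thing to get right, so here is an added example of my own (not OpenClaw's session code) of the two controls together: a session table that evicts anything idle past a maximum age and then drops the least-recently-used entries beyond a hard cap, with a fake clock so a day of cron traffic can be simulated offline. The names, limits and job counts are assumptions.

```javascript
// Added example (not OpenClaw's code): a session table with a hard cap and
// age-based pruning, the two controls the text describes. Names, limits and
// the injectable clock are assumptions made for this illustration.

class SessionStore {
  constructor({ maxSessions = 500, maxAgeMs = 6 * 60 * 60 * 1000, now = () => Date.now() } = {}) {
    this.maxSessions = maxSessions;
    this.maxAgeMs = maxAgeMs;
    this.now = now;
    this.sessions = new Map();   // insertion order doubles as least-recently-used order
  }

  // Create or refresh a session; refreshing moves it to the most-recent end.
  touch(id, data = {}) {
    const existing = this.sessions.get(id);
    const entry = existing ? { ...existing, ...data } : { ...data };
    entry.lastUsed = this.now();
    this.sessions.delete(id);
    this.sessions.set(id, entry);
    this.prune();
    return entry;
  }

  get(id) { return this.sessions.get(id); }
  size() { return this.sessions.size; }

  // Drop sessions idle past maxAgeMs, then the least-recently-used beyond the cap.
  // Returns the ids evicted so the caller can log them.
  prune() {
    const cutoff = this.now() - this.maxAgeMs;
    const evicted = [];
    for (const [id, entry] of this.sessions) {
      if (entry.lastUsed < cutoff) { this.sessions.delete(id); evicted.push(id); }
    }
    while (this.sessions.size > this.maxSessions) {
      const oldest = this.sessions.keys().next().value;
      this.sessions.delete(oldest);
      evicted.push(oldest);
    }
    return evicted;
  }
}

// Simulate a cron-heavy day on a fake clock: one fresh session per job run,
// a job every second at the top of each hour. Without pruning this would hold
// every session ever created; with it, memory stays bounded.
function simulateCronDay({ jobsPerHour = 40, hours = 24, maxSessions = 200, maxAgeMs = 2 * 60 * 60 * 1000 } = {}) {
  let clock = 0;
  const store = new SessionStore({ maxSessions, maxAgeMs, now: () => clock });
  let created = 0;
  for (let h = 0; h < hours; h++) {
    for (let j = 0; j < jobsPerHour; j++) {
      clock = h * 3600000 + j * 1000;
      store.touch(`cron-${h}-${j}`, { job: j });
      created++;
    }
  }
  return { created, live: store.size(), store };
}
```

With the defaults, `simulateCronDay()` creates 960 sessions over the day but ends with only the ones touched in the last two hours still resident, which is the behaviour you want from a gateway running hundreds of jobs a day.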
Cost tracking honest
Session saved multiple times used to count costs 2x or 10x.
Numbers were wrong.
Now snapshot properly.
Month-end number is real.
/new and /reset actually clear state
Before, fresh sessions kept old model/provider choices stuck.
You'd think you were on Kimi K2.6 but were stuck on some fallback from three mistakes ago.
Now they clear stale stuff while keeping intentional choices.
Matters when you run separate agents for replies and content.
Each session starts clean.
Personality Improved on GPT-5 and Codex in the OpenClaw 4.20 Update
OpenClaw uses SOUL.md and IDENTITY.md files to define your agent's voice.
Before, GPT-5 and Codex were stiff about these.
They'd read them, but replies still sounded like a corporate support bot.
In 4.20, they pick up personality properly.
OpenClaw team described the goal as "more like your weirdly capable little friend and less like a polished customer support automation".
Their exact words.
Why it matters
Agent handles DMs, messages, texts, leads?
Has to sound like you.
Not a generic chatbot.
4.20 makes that way easier on GPT-5 and Codex.
Smaller Updates in the OpenClaw 4.20 Update
Quick list:
Auto-reply context-aware
Direct chat: helpful reply.
Group: quiet unless tagged.
Agent doesn't spam group chats, still helps 1-on-1.
Setup wizard cleaner
Proper walkthrough with loading spinner, clear headings, clear warnings.
Anyone can follow it.
Telegram polling grace period
Longer before OpenClaw calls the connection broken.
Stateless reactions work properly.
Matrix allow-list without restart
Change settings on the fly.
No channel restart needed.
Manus live draft preview
Agent shows a live draft as it writes.
Final reply lands in place.
Feels natural.
Discord fixes
/think only shows valid options for your model.
Missing slash commands don't crash anymore.
What the OpenClaw 4.20 Update Means for Your Business
Five things:
1. Kimi K2.6 bundled: smarter, cheaper model by default.
2. iMessage agents real: huge channel for customer-facing businesses.
3. Scheduled tasks deliver: cron jobs finally reliable.
4. Security locked down: hand it to a team, no fear.
5. Personality picks up on GPT-5 and Codex.
My Claude Code AI SEO post pairs well if you want to see how I combine these tools for SEO work.
Honest Take on the OpenClaw 4.20 Update
OpenClaw 4.20 is still going to be buggy in spots.
Most AI agent tools are.
They break.
They hallucinate.
They run up weird numbers.
When I've tested Hermes, it sometimes feels smoother than OpenClaw.
I switch between both depending on the job.
Sometimes updating your setup breaks things and you have to restart the whole thing.
Back up first.
My Hermes vs OpenClaw comparison covers this in more depth.
How to Install the OpenClaw 4.20 Update
Type update inside OpenClaw.
Grabs the latest.
Under a minute on most setups.
OpenClaw 4.20 Update FAQ
What are the biggest security fixes in the OpenClaw 4.20 update?
Three main ones: agent can't rewrite its own config, SSRF guard blocks bad requests, workspace ENV injection blocked.
Plus tightened device pairing.
Does the OpenClaw 4.20 update affect performance?
The gains you'll notice come mostly from the memory fixes: sessions and cron jobs no longer pile up, so a long-running gateway stays responsive instead of creeping towards a crash.
K2.6 is a model-quality change rather than a runtime speed-up, though Kimi is already one of the faster, cheaper options.
Is the OpenClaw 4.20 update safe for production agents?
Safer than 4.19, and that's the point.
Still test your specific workflows before rolling out everywhere.
Can the OpenClaw 4.20 update be reverted?
Yes, if you backed up your config and session data before updating you can restore them.
Does the OpenClaw 4.20 update require a fresh install?
No. It runs as an in-place update.
How do I get the OpenClaw 4.20 update?
Type update inside OpenClaw.
The OpenClaw 4.20 update is locked-down security, Kimi K2.6 bundled, iMessage agents that really send, cron jobs that deliver, and personality that lands. Type update inside OpenClaw to install.