[Release] openclaw/openclaw v2026.5.20: openclaw 2026.5.20

OpenClaw v2026.5.20 is a maintenance and feature release that enhances Discord voice session handling with context awareness, adds device-code OAuth for xAI, introduces a bundled Policy plugin for workspace conformance checks, and includes numerous bug fixes across CLI tasks, provider integrations, and agent configurations. Key improvements focus on security (symlink validation, plaintext secret warnings), reliability (task maintenance tracking, image timeouts, hook timeouts), and user experience (model pinning clarity, typing indicators, Discord button preservation).

Key Points

• •Exec approvals: Removed legacy SKILL.md allowlist compatibility path; skill files must now be loaded with read tool and only real skill executable is auto-allowed
• •Discord voice sessions: Added support for following configured users into voice channels with allowed-channel checks, multi-user handoff, bounded reconciliation, and DAVE recovery preservation
• •Voice context bootstrapping: Include bounded IDENTITY.md, USER.md, and SOUL.md profile context in realtime voice session instructions by default (configurable via voice.realtime.bootstrapContextFiles)
• •CLI/Policy plugin: Added bundled Policy plugin for policy-backed channel conformance checks, doctor lint findings, and opt-in workspace repair
• •Agent-level local model lean: Allow agents.list[].experimental.localModelLean to enable lean local-model mode per agent instead of globally
• •xAI device-code OAuth: Added device-code OAuth login for remote and headless setups without localhost browser callback requirement
• •OpenRouter provider routing: Honor provider-level params.provider routing policy with model and agent params overriding defaults
• •Task maintenance tracking: Include stale-running task maintenance decisions in openclaw tasks maintenance --json with backing-session, cron, CLI, and wedged-subagent state
• •Security hardening: Restore fail-closed contract for tryReadSecretFileSync with symlink rejection; warn on plaintext secret-bearing config fields in openclaw.json
• •Reliability improvements: Apply 30-second default timeout to before_compaction and after_compaction hooks; add 120s watchdog for image_generate dynamic-tool calls; bound cron job lookup pagination

Workflow Diagram

Concepts