OpenClaw 3.28 brings approval gates

OpenClaw 3.28 landed after a four-day burst that pushed out more than 100 changes. The headline feature is simple to describe and easy to underestimate: the agent can now pause before risky actions and ask for approval, instead of charging ahead.

That matters because the recent 3.22 packaging mistake already showed what happens when an agent toolchain slips. A missing UI resource file left many users staring at white screens, which is the kind of failure that turns “automation” into “why is my bot broken again?”

This release also adds native Grok search, MiniMax image generation support, and a tighter path for Qwen authentication through Model Studio. If you use OpenClaw as a chat-driven workbench, 3.28 is less about flashy demos and more about reducing the number of places where the system can surprise you.

What changed in 3.28

The biggest shift is not one feature, it is the accumulation of smaller ones that make the agent easier to trust. OpenClaw now treats xAI’s Grok search as a first-class built-in option, moves Qwen onboarding to Model Studio, and adds MiniMax’s image model for generation and image editing.

That combination matters because agent users usually want one thing: fewer context switches. Before this release, getting search, model selection, and image work lined up often meant toggling plugins and checking which provider was actually active. Now more of that logic lives inside the product itself.

There is also a new config schema command, better handling for old config keys, and a long list of provider fixes across Google, Mistral, OpenAI, and Anthropic. In practice, that means fewer silent fallbacks and fewer sessions that fail because a provider alias changed under the hood.

• More than 100 changes shipped in 4 days
• Grok search is now built into the xAI path
• MiniMax image generation supports image creation and image-to-image editing
• Qwen auth moved from the old portal flow to Model Studio
• OpenClaw now prints JSON Schema for openclaw.json

One detail I like here is the shift away from magical config migration. Old keys now fail validation instead of being rewritten behind your back. That is annoying for legacy users, but it is the right kind of annoying: the kind that makes hidden drift visible.

The release also cleans up how built-in CLI backends are loaded. Claude CLI, Codex CLI, and Gemini CLI support now live deeper in the plugin layer, which should make the system easier to extend without stuffing every provider rule into the core runtime.

The approval gate is the real story

The most important line item in 3.28 is the new async requireApproval hook in before_tool_call. It lets a plugin pause a tool call and ask the user for permission through Telegram, Discord, a command-line prompt, or a channel-specific /approve command.

That is a big deal because agent permissions are where most real-world failures happen. Search and image generation are nice, but the dangerous part is tool execution: file writes, network calls, token access, and anything that can mutate state outside the chat window.

“We need to build systems that are safe by default and secure by design.” — Sundar Pichai, Google I/O 2017

Pichai’s line is old, but it fits this release perfectly. OpenClaw 3.28 is trying to make approval part of the workflow instead of an afterthought, which is exactly where it should have been from the start.

The update also aligns with the broader warning sign in agent ecosystems: once a tool can act on your behalf, a malicious plugin or skill can do real damage. OpenClaw’s own docs now push users toward Skill Vetter, which inspects code for data exfiltration, private key access, and memory-file snooping.

This is not paranoia. The release notes mention a malicious-skill pattern that disguises itself as ordinary utility software while trying to pull data from the machine. If you are running agents with broad permissions, the approval gate is the feature you will miss most when it is gone.

How it compares with the old setup

Compared with the pre-3.28 setup, this release trims a lot of friction from the provider layer and adds more explicit control over high-risk actions. The numbers tell the story better than the marketing copy.

For example, the new approval hook is asynchronous, which means the agent can stop mid-flight and wait for a human answer without blocking the whole runtime. That is a different class of control from a simple yes/no confirmation dialog glued onto the UI.

Here are the practical deltas:

• Before: Grok search setup required manual plugin toggling; now it is built in
• Before: Qwen auth used the deprecated portal flow; now it uses Model Studio
• Before: image generation support was narrower; now MiniMax image-01 supports generation and editing
• Before: risky actions could run straight through; now they can pause for approval across several channels
• Before: old config keys were auto-migrated; now they fail fast during validation

There is also a security angle that should matter to anyone shipping agent software to non-technical users. OpenClaw now defaults OpenAI and Codex models to apply_patch with sandbox policy aligned to write permissions, and it exposes more explicit error handling for provider failures instead of dumping raw crashes into the user flow.

That kind of work is boring in the best way. It does not get the same attention as a shiny image model, but it is the difference between a tool people demo once and a tool they can keep running every day.

OpenClaw also tightened a lot of messaging and transport behavior across Telegram, Discord, WhatsApp, Matrix, Slack, and Microsoft Teams. Those fixes look small on paper, but they reduce the odds of loops, empty-message crashes, broken thread handling, and bad reply routing.

Why this release matters now

OpenClaw 3.28 is a sign that agent products are moving from “can it do the task?” to “can I trust it to stop when needed?” That shift is more important than another model checkbox because it changes how people will actually use these systems in shared workspaces.

The release also hints at where the next round of competition will happen: approval workflows, model/provider routing, and safer plugin execution. Those are the parts that determine whether an agent is a neat demo or a daily driver.

If OpenClaw keeps shipping at this pace, the next version to watch is the one that makes policy easier to express than risk. That is the bar now. Not more autonomy for its own sake, but better control over when autonomy is allowed to act.

For teams testing agent tools today, the takeaway is pretty clear: turn on approval gates, audit third-party skills, and check whether your provider configs still rely on deprecated auth paths. If you skip those checks, the next “small” update could be the one that breaks your workflow in a way the changelog does not warn you about.

And if you are wondering what to watch next, I would keep an eye on whether OpenClaw turns these approval hooks into policy rules that are easy to read and hard to bypass. That is the feature that would move this release from a useful cleanup to the foundation of a safer agent stack.