OpenClaw v2026.4.23 Update: gpt-image-2 Now Accessible without an API Key, Subagent Introduces 'Forked Context' Mode
According to Insight Beating monitoring, the open-source AI agent framework OpenClaw has released v2026.4.23, with core changes focusing on image generation, sub-agent mechanism, and security hardening.
Regarding image generation, OpenAI's gpt-image-2 can now be directly invoked through Codex OAuth, eliminating the need to separately configure the OPENAI_API_KEY. The OpenRouter's image model has also been integrated, allowing use through the image_generate tool. Multi-reference image editing has transitioned from JSON data URLs to multipart uploads, addressing previous issues with complex edits failing. Agents can now specify image quality, output format, background transparency, and other parameters as needed.
A new "forked context" mode has been added for sub-agents: when a parent agent spawns a sub-agent, the parent can choose to have the sub-agent inherit the current conversation context instead of starting from a blank session each time. The default mode remains isolated, with the option to enable as needed. Furthermore, image, video, music, and TTS generation tools now support per-call timeouts, independent of the global timeout limit.
Security hardening constitutes the largest portion of this release. Fixes include: the MCP tool bridge no longer exposes cron and other privileged tools to non-owner callers; the Android app prevents external intents from automatically injecting prompts and only allows pre-filled drafts; gateway runtime configuration editing has shifted from a blacklist to a whitelist, restricting modifications to narrow fields such as prompts and models; freeform text in WhatsApp contact cards and location information is no longer directly concatenated into the message body but is rendered in isolated JSON to prevent prompt injection; Teams channels now require Bot Framework tokens to carry the correct app ID, thwarting cross-bot token replays.
In the memory system realm, the "dreaming" task (periodic automatic memory consolidation) has been decoupled from the heartbeat, as previously disabling the heartbeat would inadvertently disable dreaming. The two are now independent. Additionally, a new memorySearch.local.contextSize configuration option has been added to the local embedding context window, with a default of 4096, facilitating adjustments on low-spec devices.
