0.16.0 - 2026-05-18
Fixes
- CLI/API: make package publishes robust under parallel same-publisher release jobs by avoiding unnecessary shared publisher writes, retrying transient Convex contention, and labeling contention separately from package validation failures (#2291).
- Security: move upload ClawScan classification to a GitHub Actions Codex worker, treat VirusTotal as telemetry-only signal, and trust verified
@openclaw/*plugin packages by default. - Security: cancel pending skill ownership transfers before rejecting accept attempts when the requester is inactive or the skill is hidden, removed, or malicious (#2276, #2277) (thanks @vyctorbrzezowski).
- API/CLI: fix package delete returning 500 for packages with capability tags when no capability search digest row existed yet (#2212) (thanks @momothemage).
- API: return a clear 400 for
/api/v1/packages/searchwithout a non-emptyqinstead of treatingsearchas a package name (thanks @vyctorbrzezowski). - Web/API: keep search results limited to items with match evidence, preserve trust and popularity as tie-breakers, and show
N+counts without exact count queries (#2206) (thanks @vyctorbrzezowski). - Web: preserve
ownerHandlethrough legacy skill publish redirects so org admins land in the correct new-version owner context (#2177). - Settings: save display name/bio changes even when a legacy personal publisher handle conflict prevents publisher profile sync (#1199).
- Auth: show a visible error if the GitHub sign-in request fails before the provider redirect starts (#2197).
- Schema: include
.tsv,.conf,.properties, and.datin the exported text-file allowlist and regenerate the committed schema package runtime (#2172, #874) (thanks @alexuser). - API: return
400for invalid known public package filters and invalid skill list sort values, while continuing to ignore unknown query parameters (#2184). - API/docs: document v1 plain-text error responses and expose owner metadata in the OpenAPI search result schema (#2187) (thanks @vyctorbrzezowski).
- Web: rank publisher card preview items by downloads instead of recent publish order (thanks @vyctorbrzezowski).
- Web: keep skill/plugin detail tabs at mobile-friendly touch target height.
Changes
- CLI/API: include skill owner handles in search results so duplicate/common slugs are easier to disambiguate (thanks @vyctorbrzezowski).
- Web: let skill publishers pick a curated lucide icon for cards and listings (#2174) (thanks @momothemage).
- Web/API: add keyword-based plugin categories plus API-backed plugin search sorting for recently updated, newest, and name (#2118) (thanks @vyctorbrzezowski).
- Web: polish the starred skills page with grid/list controls, sorting, and optimistic unstar behavior (#2159) (thanks @vyctorbrzezowski).
- API/docs: expand the v1 OpenAPI contract with package/plugin catalog endpoints and align documented rate limits with the server constants (#2186) (thanks @vyctorbrzezowski).
- Admin/Ops: audit profile syncs, self-service account/profile changes, personal publisher syncs, and org trusted-publisher changes so slug and ownership investigations have a complete ledger.
- Dependencies: update production
@clack/prompts,tailwind-merge, andyamldependencies (#2198).
Release Proof
- npm: https://www.npmjs.com/package/clawhub/v/0.16.0
- tarball: https://registry.npmjs.org/clawhub/-/clawhub-0.16.0.tgz
- integrity: sha512-bUNuVGoO5XBzcYJut400VRZh6/fU02kwJUIxyoVavvpFb6GVTKs6sfhsU2tKMKjGl6pK2ua0UJdwlwnFTd63bQ==
- main CI: https://github.com/openclaw/clawhub/actions/runs/26017248510
- npm preflight: https://github.com/openclaw/clawhub/actions/runs/26017365247
- npm publish: https://github.com/openclaw/clawhub/actions/runs/26017398827