Introduction

The backbone of my personal AI assistant system, OpenClaw, dropped two updates in back-to-back days. Versions 2.24 and 2.25 landed just 24 hours apart — too good to review separately, too packed to skip — so this time I’m doing a combined review.

In one sentence, the theme across both versions is: “A major Android app overhaul” and “security and policy hardening that touches the system’s core.” There’s also a legendary piece of drama where the Heartbeat DM policy changed in 2.24, then got reversed the very next day in 2.25… stick around until the end. 😂

1. 📱 Android App: Complete Overhaul (2.24 + 2.25)

Honestly, since I mostly run everything via web and CLI, Android updates didn’t feel all that relevant to me — until now. This isn’t just a bug fix. It’s a full skeleton replacement of the app.

[2.24] Onboarding & Navigation Redesigned:

  • The initial setup flow when you first launch the app has been rebuilt as a native four-step onboarding experience. The old clunky webview-based setup screen is completely gone.
  • The main screen after onboarding is now structured as a clean five-tab layout: Connect · Chat · Voice · Screen · Settings. All the scattered features are finally organized in one place.

[2.25] Chat UI Performance & Rendering Quality:

  • If 2.24 built the skeleton, 2.25 polishes the flesh — chat streaming stability has been improved. The stuttering and garbled rendering that could happen during AI streaming responses has been fixed. (Thanks @obviyus)
  • GitHub Flavored Markdown (GFM) rendering quality is better too. Code blocks and tables now render cleanly in the mobile app.
  • On small screens, the action buttons at the bottom of the chat input were overlapping. This has been resolved with a mobile stacked layout. (Thanks @junyiz)

2. 🗣️ “Stop!” — Now Works in Any Language

[2.24] The emergency abort shortcut — the feature that stops the AI when it goes rogue — has been significantly expanded.

Previously, only rigid English commands were recognized. Now:

  • Natural expressions like stop openclaw, stop action, stop run, please stop and related variants all work
  • STOP OPENCLAW!!! with trailing exclamation marks is recognized (no need to stay calm)
  • Multilingual support! You can shout “stop” in Spanish, French, Chinese, Hindi, Arabic, Japanese, German, Portuguese, or Russian and it’ll halt
  • The exact phrase do not do that is now also a recognized stop trigger
  • All of this uses strict standalone matching, so it won’t fire on phrases like “stop by the store later”

For those of us who panic-type a bunch of things when the AI goes off the rails — genuinely great news. (Thanks @steipete, @vincentkoc)

3. 🎙️ Talk / Gateway — Voice Config Gets More Open

[2.24] The Talk (voice) configuration has been redesigned to be provider-agnostic. In plain English: regardless of which TTS/voice engine OpenClaw uses, you can now manage it all through a unified configuration approach. Full backward compatibility with existing setups is maintained.

On top of that, ElevenLabs voice configuration metadata is now exposed in the gateway status surface, so you can see at a glance which voice setup is currently active. For those of us running ElevenLabs TTS, this makes debugging a lot more convenient.

4. 🛡️ Two Security Punches in a Row (2.24)

The 2.24 security update tightens things from two directions simultaneously.

① Multi-User Environment Warning System

A new config option security.trust_model.multi_user_heuristic has been added. OpenClaw is fundamentally designed around a “single trusted owner” model. If multiple users are detected connecting simultaneously (e.g., on a shared server), the system will now automatically raise a warning flag.

If you intentionally want to run a multi-user setup, hardening steps like sandbox.mode="all", filesystem isolation, and reduced tool surface are required. Think of this as a safety net that catches accidental personal data exposure before it happens.

② Docker Container Namespace Join — Blocked by Default (BREAKING)

⚠️ BREAKING CHANGE (Thanks @tdjackey for reporting)

Using network: "container:<id>" to join another container’s network namespace is now blocked by default for sandbox and sandbox-browser containers.

Why is this dangerous? Because this approach lets a supposedly isolated sandbox share another container’s full network stack, completely defeating the purpose of isolation. If you genuinely need this behavior, you must explicitly set agents.defaults.sandbox.docker.dangerouslyAllowContainerNamespaceJoin: true. (Notice the dangerously prefix — the team really wants you to think twice before enabling this.)

5. 💓 The Heartbeat DM Policy Rollercoaster (The Star of This Review)

Alright, here’s the real highlight of this combined review. I chuckled when I saw it.

[2.24 BREAKING]: Heartbeat (background periodic tasks) delivery to DM channels was changed to blocked by default. The intent was to prevent the bot from unilaterally spamming notification messages into your personal chat window.

[2.25 BREAKING]: Then, just one day later…

“The heartbeat DM default is now allow again.”

Apparently the 2.24 change caused quite a bit of user confusion. However, if you want to preserve the blocking behavior from 2.24, you now need to explicitly set agents.defaults.heartbeat.directPolicy: "block".

In 2.25, this policy was formalized into a proper agents.defaults.heartbeat.directPolicy option (allow | block), with per-agent override support as well.

The summary: “A change that broke things in 2.24 was fixed in 2.25, and the architecture came out more elegant for it.” Either way, the end result is better — credit to the team for the quick turnaround. 👏

6. 🏷️ Branding Cleanup & Agent Config Improvements (2.25)

Branding Unified: Lingering traces of the old bot.molt label scattered through the codebase — launch daemon labels, bundle IDs, logging subsystems, and command examples — have all been replaced with ai.openclaw. iOS app surfaces, documentation, CLI test fixtures: all updated in one sweep. This kind of backend branding cleanup is invisible to users but becomes a serious headache if left to pile up, so cleaning it up in one shot is the right call.

Schema-First Config Editing (Recommended Practice): Agents are now reminded to call config.schema before making config edits or answering config-related questions, rather than guessing at the structure. This prevents subtle misconfiguration caused by assuming field names and types instead of verifying them. (Thanks @thewilloftheshadow)

7. 📦 Dependency Updates

Key packages were updated across both versions:

  • Bedrock SDK → 3.998.0
  • @mariozechner/pi-* → 0.55.1
  • TypeScript native preview → 7.0.0-dev.20250225.1
  • OpenAI, Google Auth, oxlint/oxfmt refreshed
  • (Note: @buape/carbon intentionally kept pinned)

Conclusion

Reviewing both versions together, a consistent direction becomes clear: OpenClaw is getting serious about the Android app, and it keeps reinforcing the message that multi-user environments require explicit hardening — with sensible defaults being tightened each release.

The heartbeat DM policy flip-flop is actually a sign of healthy development culture — fast user feedback, fast response. For those of us running a custom agent like Serana with daily heartbeats, it’s reassuring to know the team is paying close attention to real-world usage.

Run openclaw update, enjoy the new five-tab Android UI if you’re on mobile, and stay safe out there! 🚀