OpenClaw 3.23 Update: Qwen API, DashScope, and Bug Fixes [March 2026]

What Is New in OpenClaw 3.23?

OpenClaw 3.23 (version 2026.3.23) was released on March 23, 2026, the same day as the major 3.22 release. It serves as a critical patch that fixes several issues discovered immediately after 3.22 shipped, while also adding new model provider support.

The key additions and fixes in 3.23:

• Qwen and DashScope model support: Connect to Alibaba Cloud's Qwen models through the DashScope API.
• WhatsApp sidecar restored: The WhatsApp plugin runtime sidecar that was accidentally missing from 3.22 is back.
• Matrix sidecar restored: Same fix for the new Matrix messaging plugin introduced in 3.22.
• CSP security improvements: Content Security Policy headers now use inline script hashing instead of unsafe-inline.
• Plugin runtime fixes: Resolved issues with the restructured plugin SDK that caused some community plugins to fail.
• Token reversion fix: Fixed a bug where gateway tokens would revert to previous values during the Configure and Onboard flows.
• Operator scope handling: Corrected scope handling in read-backed pages for multi-operator deployments.
• ClawHub compatibility checks: Fixed package compatibility verification when installing skills from ClawHub.
• UI consolidation: Refined Knot theme with visual improvements throughout the dashboard.

How Does Qwen and DashScope Support Work?

DashScope is Alibaba Cloud's AI model service platform. It hosts the Qwen family of models, which are competitive alternatives to GPT and Claude, particularly strong for Chinese language tasks and multilingual use cases.

To configure Qwen via DashScope in OpenClaw 3.23, add the following to your .env file:

# DashScope / Qwen configuration
OPENCLAW_DASHSCOPE_API_KEY=your-dashscope-api-key
OPENCLAW_DASHSCOPE_MODEL=qwen-max
OPENCLAW_DASHSCOPE_ENDPOINT=https://dashscope.aliyuncs.com/api/v1

Supported Qwen models include:

• qwen-max — The most capable Qwen model, comparable to GPT-4 class
• qwen-plus — Balanced performance and cost
• qwen-turbo — Fastest response times, suitable for high-volume tasks
• qwen-long — Extended context window for processing long documents

DashScope support is particularly valuable for operators in Asia-Pacific regions where Alibaba Cloud infrastructure provides lower latency than US-based providers. It also opens up cost optimization opportunities — Qwen models are significantly cheaper per token than equivalent Western models.

You can use DashScope alongside other providers. OpenClaw's multi-model routing lets you assign Qwen to cost-sensitive tasks while keeping Claude or GPT for tasks that need their specific strengths.

What Was the WhatsApp and Matrix Sidecar Fix?

This was the most impactful bug in 3.22. When the 3.22 Docker image was built, the bundled sidecar runtimes for WhatsApp and Matrix were accidentally excluded. The sidecars are separate Node.js processes that handle the messaging protocol connections — WhatsApp uses the Baileys library, and Matrix uses the matrix-js-sdk.

Without these sidecars, OpenClaw's WhatsApp and Matrix plugins had no runtime to execute. The main OpenClaw process would try to communicate with the sidecar, find nothing listening, and either throw connection errors or silently fail.

This was reported as GitHub issue #53907 and was the top priority fix for 3.23. The sidecars are now correctly bundled in the Docker image and start automatically when the corresponding plugins are enabled.

If you updated to 3.22 and your WhatsApp stopped working, updating to 3.23 will restore the sidecar. You may also need to clear your WhatsApp session data and re-scan the QR code — see our WhatsApp fix guide for step-by-step instructions.

What Are the CSP Security Fixes?

Content Security Policy (CSP) headers tell the browser which scripts, styles, and resources are allowed to load on a page. They protect against cross-site scripting (XSS) attacks by preventing unauthorized scripts from executing.

In OpenClaw 3.22, the web UI used unsafe-inline in its CSP headers, which weakened the protection. This meant any injected inline script could execute — a potential security risk if an attacker found a way to inject HTML into the UI.

OpenClaw 3.23 replaces unsafe-inline with specific inline script hashes. Each legitimate inline script in the UI is hashed, and only scripts matching those hashes are allowed to execute. This means:

• Legitimate OpenClaw UI scripts continue to work normally
• Any injected script that doesn't match the hash list is blocked
• XSS attacks via inline script injection are effectively prevented

For most operators, this change is transparent — the UI works the same way. If you have custom scripts or browser extensions that inject content into the OpenClaw dashboard, they may be blocked by the stricter CSP policy.

What Plugin Runtime Issues Were Resolved?

OpenClaw 3.22 restructured the plugin SDK, moving imports from the old path to openclaw/plugin-sdk/*. This broke some community plugins that hadn't been updated to use the new import paths.

OpenClaw 3.23 adds a compatibility shim that translates old import paths to new ones at runtime. This means:

• Plugins using the old import paths will continue to work (with a deprecation warning in the logs)
• Plugins using the new import paths work as expected
• The shim will be removed in a future major release, giving plugin authors time to update

Additionally, 3.23 fixes a bug where the plugin runtime would crash if a skill returned an unexpected data type. Previously, a skill returning undefined instead of a string would crash the plugin runtime for all skills, not just the one that misbehaved. Now, unexpected return types are caught and converted to error messages.

The ClawHub compatibility checker was also fixed. In 3.22, the openclaw skills install command sometimes allowed installation of skills marked as incompatible with the current version. The fixed checker now properly validates version requirements before installation.

What UI Changes Were Made?

OpenClaw 3.23 continues the UI refresh that started in 3.22 with the Knot theme. The changes are visual refinements rather than functional overhauls:

• Dashboard cards: Improved spacing and contrast for better readability on high-DPI displays
• Conversation view: Message bubbles now have clearer visual distinction between user messages, agent responses, and tool call results
• Settings pages: Form inputs and toggle switches are more consistent across browsers
• Mobile layout: The sidebar navigation now collapses properly on screens narrower than 768px
• Plugin management: The installed skills list now shows version numbers and ClawHub compatibility status

The Knot theme is OpenClaw's default theme starting with 3.22. If you were using a custom theme or CSS overrides, they should continue to work — the class names and element structure haven't changed, only the default styles.

How Do You Update to OpenClaw 3.23?

The update process is the same as any OpenClaw update, but remember that the 3.22 breaking changes apply if you're coming from an earlier version:

Docker (recommended):

cd ~/openclaw
docker compose pull
docker compose up -d

npm global install:

npm update -g openclaw

Before updating from pre-3.22 versions:

1. Back up your .env file and session data
2. Replace any CLAWDBOT_* or MOLTBOT_* environment variables with their OPENCLAW_* equivalents
3. If you have custom plugins, check that they work with the new openclaw/plugin-sdk/* import paths (or rely on the compatibility shim)
4. Update and monitor logs for any issues

If you're already on 3.22: The update to 3.23 is seamless. Pull the new image and restart. No configuration changes needed.

Remote OpenClaw managed clients: Your deployment has already been updated to 3.23. No action needed.

For detailed information on the 3.22 features that 3.23 includes, see our OpenClaw 3.22 update guide.