2026 OpenClaw v2026.5.12 modular install guide:
optional WhatsApp/Slack/Bedrock plugins, lean-core migration, and openclaw plugins acceptance (day-rent macOS isolation)
After you upgrade a self-hosted OpenClaw Gateway to v2026.5.12, it is common to see the process healthy while WhatsApp or Slack feels “uninstalled,” with doctor complaining about missing plugins even though channels still show configured. That is usually lean core + externalized channel plugins, not a broken model router. This guide gives three pain clusters, a full-core vs on-demand plugin matrix, seven ordered steps, a triage table, three datapoints, and a 1–3 day rental cadence, with links to the install/deploy guide, ClawPack/Git external plugins, v2026.5.7 acceptance, v2026.5.5 channels, and the SSH/VNC FAQ.
Table of contents
01. Three pain clusters after v2026.5.12
1) Channels “vanish” after upgrade: Release notes move WhatsApp, Slack, Amazon Bedrock, Anthropic Vertex, and related cones out of the core runtime. Your openclaw.json may still list channels.slack, but without an installed and enabled plugin the Gateway tool surface lacks inbound/outbound handlers. Treat config present and plugin installed + runtime scan passed as separate gates.
2) Disk and CI images stay bloated: Lean installs only pull providers and channels you actually use. Teams that still bake an old “everything included” global layer keep hundreds of megabytes of AWS SDK or Baileys artifacts. Pair this with the ClawPack supply-chain guide: audit plugins list plus manifest hashes, not memory.
3) pnpm 11, peers, and install scans: v2026.5.12 improves pnpm 11 support, preserves third-party peers, and scopes safety scans to plugin-owned runtime entrypoints. The wrong reflex is repeated npm install -g --force, which corrupts the managed plugin root. Prefer openclaw plugins subcommands and openclaw doctor, aligned with 5.7 update hygiene.
Runbooks written before May 2026 often assume “if channels.slack exists, Slack works.” After 5.12 that assumption is false: prove the Slack plugin is installed, enabled, and registered in the Gateway tool table after every restart. Provider credentials and channel plugins remain two different failure domains.
02. Full core vs on-demand channel plugins matrix
Use the table as an on-call acceptance sheet during the change window—not as marketing copy. Archive the right-column evidence on a rental Mac before you wipe secrets.
| Surface (5.12) | Pass signal | Rental evidence |
|---|---|---|
| WhatsApp plugin | plugins list shows whatsapp enabled; Baileys resolves from registry | Before/after channels status --channel whatsapp JSON |
| Slack plugin | Restart Gateway after install; media fetch survives bad redirects | Note scope hardening entries from 5.12 security pass |
| Bedrock / Vertex | No AWS cone in core until plugin installed; models visible after install | du delta core-only vs +Bedrock |
| Telegram groups | Explicit empty groups: {} no longer drops all group traffic (single-account fix) | One group probe log pre/post upgrade |
| Node runtime | Node 24 recommended (or ≥22.19) | node -v in runbook header |
Pair this with the v2026.5.5 channel/npm guide: npm sync fixes do not reinstall externalized channel plugins for you. Pair with the install guide so new estates default to “lean core + plugins” instead of one global package that implied every channel.
Security and pairing changes you should not ignore
Release notes for 5.12 include a broad hardening pass (Gateway scopes, node pairing, sandbox paths, Slack reaction policy). Modular install does not remove the need for pairing review—if you open groupPolicy or DM policies to “fix” missing plugins, you may trade a 20-minute install problem for a production exposure incident. Keep policy changes in a separate ticket from plugin installs.
03. Seven implementation steps
- Freeze baseline:
openclaw --version,plugins list,channels list --all, loaded config path. - Backup and upgrade: Snapshot config; upgrade to v2026.5.12; archive stdout/exit codes.
- Install only real channels: Avoid “install everything” which negates lean installs; restart Gateway after each plugin.
- Cross-check channels vs plugins: Match configured/enabled on both surfaces.
- Telegram groupPolicy regression: Validate root
channels.telegram.groupsif you used explicit-empty maps on a single account. - Doctor and disk budget: Resolve runtime scan WARN; measure managed root size change.
- Evidence and wipe: Redact logs; delete demo tokens on the rental host.
openclaw --version
openclaw plugins list 2>&1 | tee /tmp/oc512-plugins-before.txt
openclaw update
openclaw plugins install <plugin-id>
openclaw gateway restart
openclaw doctor 2>&1 | tee /tmp/oc512-doctor.txtKeep at least 15 GB free disk before you parallelize upgrade + multiple plugin installs + Gateway restarts; pnpm retries fail more often on full volumes. For SSH bandwidth expectations on rental hosts, see the SSH/VNC FAQ.
Plugin IDs vary by catalog channel—run openclaw plugins search slack (or your channel name) instead of copying IDs from screenshots. After install, always restart Gateway and re-run openclaw channels status --probe before you notify stakeholders.
Migration scenarios worth scripting
Scenario A — production Gateway on Linux, only Slack + Telegram: upgrade core first during a maintenance window, install slack and verify Telegram still receives group traffic after the explicit-empty groups: {} fix. Do not install WhatsApp “just in case”; unused plugins still expand your managed dependency tree and scan surface.
Scenario B — CI image rebuild: replace a fat global layer with a Dockerfile stage that runs openclaw plugins install for the channels your pipeline tests. Measure image size delta; teams that only need Slack often drop triple-digit megabytes compared with pre-5.12 monolithic layers.
Scenario C — Bedrock-only inference estate: keep core lean until you install the Bedrock plugin; validate IAM role or keys via SecretRef, then run a single model completion before you enable customer traffic. If models are empty, the first check is plugin presence—not openclaw models auth on unrelated providers.
Document each scenario as a one-page runbook section: version pin, plugin IDs, restart order, probe commands, rollback snapshot path. That document becomes the artifact you replay on a day-rent Mac before touching production.
What changed in Telegram group allowlists
Before 5.12, a single-account setup with an explicit but empty per-account groups: {} map could silently ignore every group update while root-level channels.telegram.groups allowlists looked correct on paper. After the fix, undefined and explicit-empty diverge: multi-account estates can still scope-disable one account without affecting siblings. When you validate, send one benign group message pre-upgrade and post-upgrade and compare Gateway ingress logs—do not only read static JSON.
Observability checklist for stakeholders
Export four artifacts after a successful pass: (1) redacted plugins list, (2) channels status --json truncated snapshot, (3) doctor WARN/INFO summary, (4) disk usage on the managed plugin root. Stakeholders care that customer channels work; engineers care that installs are reproducible. The same four files satisfy both audiences without sharing live tokens.
04. Triage table
| Symptom | First action | Wrong move |
|---|---|---|
| Slack configured, no Slack tools | Install Slack plugin; restart Gateway | Rewriting model routes all night |
| Install blocked by scan | Read plugin entry path; confirm 5.12 binary | Global npm --force |
| Telegram groups silent | Check explicit-empty groups: {} semantics | Blind groupPolicy: open |
| Bedrock models empty | Install Bedrock plugin; verify IAM/region + SecretRef | Hunt removed AWS paths inside core |
| WhatsApp connects then stalls | Confirm Baileys 7.0.0-rc11 resolves; check debounce/shutdown fixes in 5.12 notes | Reinstall global openclaw without plugins |
Command reference (what each surface proves)
openclaw plugins list answers “what is installed and enabled in the managed plugin root,” not “what channels are configured.” openclaw channels list without flags is channel-centric after recent CLI splits; use --all when you need bundled/catalog visibility during upgrades. openclaw channels status --probe is the customer-facing health check—run it only after Gateway restart following plugin work.
openclaw doctor should be treated as a change-window gate, not a monthly chore: plugin runtime scan warnings often cite the plugin id and entry file—fix those before you widen DM policies or disable sandbox paths. openclaw backup create (when enabled in your build) belongs before openclaw update; 5.12 also improves preserving plugin install records across doctor cleanup—still keep your own config snapshot outside the tool.
When Git-sourced installs fail on pnpm minimum-release-age gates, prefer release tags with lockfiles as release notes suggest; on rental Macs, cloning a pinned tag plus --no-git-update prevents surprise ref moves during reinstall drills.
05. Datapoints, myths, and 1–3 day rental schedule
- Datapoint 1: GitHub release v2026.5.12 shipped 2026-05-14 with documented externalization of WhatsApp/Slack/Bedrock/Vertex.
- Datapoint 2: Docs recommend Node 24; on an M4 rental host, CLI + Control UI acceptance often fits a 2–4 hour focused window.
- Datapoint 3: Single- or dual-channel estates often see 30–55% smaller global dependency trees versus legacy full core (varies by history).
These numbers are planning aids, not SLAs: your savings depend on which providers you previously pulled into core. The operational win is faster installs on fresh nodes and fewer unrelated SDK CVEs in supply-chain scans when WhatsApp or Bedrock cones are absent.
If you operate multiple Gateways, roll out 5.12 to a canary rental Mac first: install only the plugins that canary uses, capture the four observability artifacts, then promote the same plugin ID list to production. Skipping the canary and installing every plugin on production “to be safe” reverses the lean-install benefit and lengthens restart time.
Myth A: “npm i -g openclaw@latest still bundles WhatsApp.” Myth B: judging plugin success without a Gateway restart. Myth C: mixing Telegram group silence with missing Slack plugins in one root-cause story.
Day 1 (freeze + upgrade + one plugin): Morning: capture plugins list and channels list --all. Afternoon: upgrade to 5.12, save doctor output. Evening: install only your highest-traffic channel plugin, restart Gateway, store probe JSON.
Day 2 (second surface + Telegram): Add Bedrock or a second channel plugin; run a Telegram group message probe if you rely on groups; record du on the managed plugin root before/after.
Day 3 (rollback + wipe): Restore pre-upgrade config snapshot on the rental host; delete Bot tokens, Slack signing secrets, and temporary AWS keys; publish the runbook section that lists which plugins production must keep enabled.
06. Headless Linux vs day-rent Mac
A VPS is cheap for Gateway uptime, but splitting plugins logs, ClawHub docs in a browser, and Keychain deploy keys across machines hides cost. A short native macOS rental keeps plugins list, channels status, and Control UI in one evidence chain before production cutover.
You can complete much of this runbook over SSH on Linux, but that path shines for low-budget spikes, not for teaching a team how to operate modular channels: copying redacted logs between laptops costs more wall-clock time than a 1–3 day Apple Silicon rental when M365 or WhatsApp credentials must stay off personal hardware.
Although a container plus read-only volumes can validate CLI checks, containers are a poor place to learn pairing UX and Control UI auto-scroll behavior that changed in 5.12. When you want a handoff-ready document in 1–3 days without buying hardware, day-rent Mac is usually the smoother path—and rental spend is often smaller than one mis-routed on-call night. Compare packages on the pricing guide; connectivity and cost trade-offs live in the SSH/VNC FAQ.