vultr/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-03-12 07:20:45 +00:00
Code Issues Packages Projects Releases Wiki Activity

docs: clarify WhatsApp group allowlist and reply mention behavior

Browse Source
This commit is contained in:
Peter Steinberger
2026-02-19 09:19:27 +01:00
parent ad4c784f20
commit 9c2640a810
2 changed files with 9 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
docs/channels/whatsapp.md
View File

@@ -169,6 +169,7 @@ OpenClaw recommends running WhatsApp on a separate number when possible. (The ch
Sender allowlist fallback:
- if `groupAllowFrom` is unset, runtime falls back to `allowFrom` when available
- sender allowlists are evaluated before mention/reply activation
Note: if no `channels.whatsapp` block exists at all, runtime group-policy fallback is effectively `open`.
@@ -183,6 +184,11 @@ OpenClaw recommends running WhatsApp on a separate number when possible. (The ch
- configured mention regex patterns (`agents.list[].groupChat.mentionPatterns`, fallback `messages.groupChat.mentionPatterns`)
- implicit reply-to-bot detection (reply sender matches bot identity)
Security note:
- quote/reply only satisfies mention gating; it does **not** grant sender authorization
- with `groupPolicy: "allowlist"`, non-allowlisted senders are still blocked even if they reply to an allowlisted user's message
Session-level activation command:
- `/activation mention`
@@ -407,6 +413,7 @@ Behavior notes:
- `groupAllowFrom` / `allowFrom`
- `groups` allowlist entries
- mention gating (`requireMention` + mention patterns)
- duplicate keys in `openclaw.json` (JSON5): later entries override earlier ones, so keep a single `groupPolicy` per scope
</Accordion>

2
docs/gateway/security/index.md
View File

@@ -301,6 +301,8 @@ OpenClaw has two separate “who can trigger me?” layers:
- `channels.whatsapp.groups`, `channels.telegram.groups`, `channels.imessage.groups`: per-group defaults like `requireMention`; when set, it also acts as a group allowlist (include `"*"` to keep allow-all behavior).
- `groupPolicy="allowlist"` + `groupAllowFrom`: restrict who can trigger the bot _inside_ a group session (WhatsApp/Telegram/Signal/iMessage/Microsoft Teams).
- `channels.discord.guilds` / `channels.slack.channels`: per-surface allowlists + mention defaults.
- Group checks run in this order: `groupPolicy`/group allowlists first, mention/reply activation second.
- Replying to a bot message (implicit mention) does **not** bypass sender allowlists like `groupAllowFrom`.
- **Security note:** treat `dmPolicy="open"` and `groupPolicy="open"` as last-resort settings. They should be barely used; prefer pairing + allowlists unless you fully trust every member of the room.
Details: [Configuration](/gateway/configuration) and [Groups](/channels/groups)