mirror of
https://github.com/openclaw/openclaw.git
synced 2026-07-04 11:43:32 +00:00
An IRC sender mask is nick!user@host where only host is server verified; nick and user (ident) are client supplied and spoofable. The allowlist identity classifier treated any entry containing "!" or "@" as a verified stable identity, so a host-less nick!user entry was classified stable and matched by the host-less nick!user subject candidate. With dangerouslyAllowNameMatching at its secure default (off), the mutable identifier policy only strips entries owned by a dangerous field, so the host-less entry was never stripped and a remote sender presenting the same nick and ident was admitted regardless of host. Require a verified @host component before an entry or subject is classified stable. Host-less nick and host-less nick!user are now both routed to a dangerous (mutable) field so they are gated by the same name-matching policy. The doctor mutable-allowlist detector now also flags host-less nick!user entries so operators who typed that undocumented shape get a warning. The documented full nick!user@host mask stays stable and unaffected.
IRC OpenClaw channel
Official OpenClaw channel plugin for IRC.
Install
openclaw plugins install @openclaw/irc
Docs
See docs/channels/irc.md in the OpenClaw repository, or the published docs at https://docs.openclaw.ai/channels/irc.