Files
openclaw/extensions/irc
Yuval Dinodia acb0e8e88d fix(irc): classify host-less nick!user allowlist entries as mutable
An IRC sender mask is nick!user@host where only host is server verified;
nick and user (ident) are client supplied and spoofable. The allowlist
identity classifier treated any entry containing "!" or "@" as a verified
stable identity, so a host-less nick!user entry was classified stable and
matched by the host-less nick!user subject candidate. With
dangerouslyAllowNameMatching at its secure default (off), the mutable
identifier policy only strips entries owned by a dangerous field, so the
host-less entry was never stripped and a remote sender presenting the same
nick and ident was admitted regardless of host.

Require a verified @host component before an entry or subject is classified
stable. Host-less nick and host-less nick!user are now both routed to a
dangerous (mutable) field so they are gated by the same name-matching policy.
The doctor mutable-allowlist detector now also flags host-less nick!user
entries so operators who typed that undocumented shape get a warning. The
documented full nick!user@host mask stays stable and unaffected.
2026-07-01 04:01:05 -07:00
..
2026-06-04 21:33:54 -04:00

IRC OpenClaw channel

Official OpenClaw channel plugin for IRC.

Install

openclaw plugins install @openclaw/irc

Docs

See docs/channels/irc.md in the OpenClaw repository, or the published docs at https://docs.openclaw.ai/channels/irc.