ii-IRC

Advisory: Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone who can speak in the watched channel and mention the bot can wake and influence the agent.

Why it was flagged

The watcher forwards matching IRC peer messages directly into OpenClaw as immediate system events without checking sender identity, authorization, or rate limits.

Skill content
tail -n 0 -F "$CHANNEL_OUT" ... if echo "$line" | grep -qi "$NICK"; then ... openclaw system event --text "IRC mention: $MSG" --mode now
Recommendation

Use only trusted channels, add sender/channel allowlists and rate limits, and require human approval before the agent performs sensitive actions from IRC-triggered events.

Concern (Medium Confidence)
ASI01: Agent Goal Hijack
What this means

A malicious or confused IRC user could try to steer the agent’s goals or induce unsafe responses through a mention.

Why it was flagged

Untrusted IRC text is presented as the event that wakes the agent, and the artifacts do not include guardrails telling the agent to treat channel content as untrusted instructions.

Skill content
On match → `openclaw system event --text "IRC mention: <message>" --mode now` ... OpenClaw wakes and can respond via the `in` FIFO
Recommendation

Wrap IRC messages with clear untrusted-source context, constrain what the agent may do from IRC prompts, and require confirmation for actions beyond simple chat replies.

Note (High Confidence)
ASI10: Rogue Agents
What this means

The bot can remain connected and monitoring after the original setup session, including after user login/startup depending on systemd user configuration.

Why it was flagged

The recommended user services keep the IRC connection and watcher running persistently and restart them automatically.

Skill content
Restart=always ... systemctl --user enable --now irc-bot.service irc-watcher.service
Recommendation

Know how to stop and disable the services, for example with `systemctl --user disable --now irc-bot.service irc-watcher.service`, when the bot should no longer run.

What this means

Private channel content may persist on disk, and old or malicious channel text could be reintroduced into the agent’s context.

Why it was flagged

IRC channel history is retained locally in append-only files and may later be tailed back into agent context.

Skill content
`out`         # Append-only log of all channel messages ... **Never** read the entire `out` file — it grows indefinitely.
Recommendation

Set appropriate file permissions, rotate or delete logs, avoid using sensitive channels, and continue using bounded `tail` reads rather than loading entire logs.

What this means

If you choose the source build path, the installed system binary depends on the remote repository state at install time.

Why it was flagged

The optional source install path builds and installs the current remote repository contents with sudo, rather than a pinned or verified release.

Skill content
git clone https://git.suckless.org/ii && cd ii && make && sudo make install
Recommendation

Prefer distribution packages where possible, or inspect and pin a trusted ii release before building from source.