Marmot
Review
Audited by ClawScan on May 16, 2026.
Overview
Marmot appears to be a coherent messaging-channel plugin, but it runs an external marmot-cli daemon and can accept remote Nostr messages unless allowlists are configured.
Before installing, make sure you trust the marmot-cli you build or install, use a dedicated Marmot identity, keep the daemon host on localhost unless you intentionally trust a remote daemon, and configure dmPolicy/groupPolicy allowlists so only trusted people can message your agent.
Publisher note
Spawns marmot-cli daemon subprocess; uses TCP JSON-RPC on localhost:9222 for all messaging
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the plugin may run marmot-cli in the background with the same environment available to OpenClaw.
The plugin starts a configured local executable as a subprocess and passes through the OpenClaw process environment. This is expected for a marmot-cli channel plugin, but users must trust the binary.
const proc = spawn(config.cliPath, args, { stdio: ["ignore", "pipe", "pipe"], env: { ...process.env } });
Install marmot-cli from a trusted source, set cliPath to the intended binary, and disable autoStart if you prefer to manage the daemon manually.
The security of the plugin depends partly on the external marmot-cli code and whichever revision the user installs.
The setup depends on building an external CLI from a GitHub repository rather than a pinned release in the provided artifacts.
git clone https://github.com/tkhumush/marmot-cli.git
cd marmot-cli
cargo install --path crates/marmot-agent-cli
Review the marmot-cli source, prefer a pinned commit or verified release, and rebuild/update deliberately.
Untrusted remote senders could send prompts or requests to the agent if open policies are used.
Remote Marmot/Nostr messages become inputs to the agent, and the documentation acknowledges that open policy can allow broad sender access.
**Inbound**: Polls marmot-cli daemon for new messages every `pollIntervalMs`, dispatches to agent pipeline ... With `"open"`, any Nostr user who obtains your agent's npub can send it messages.
Use dmPolicy: "allowlist" for production, populate allowFrom with trusted npubs, and consider restricting groupPolicy as well.
The configured Marmot identity can be used by the plugin/daemon to send encrypted messages through Nostr relays.
The channel operates using a local Marmot identity and its local state, which is expected but gives the daemon authority to send and receive as that identity.
marmot-cli identity create --name default
...
marmot-cli identity set-default default
...
State is stored under `~/.local/share/marmot-cli/`
Use a dedicated Marmot identity for the agent and protect the marmot-cli state directory.
A background marmot-cli process may continue running while the OpenClaw gateway/channel is active.
The plugin is designed to keep a helper daemon running as part of its messaging channel lifecycle. This is disclosed and aligned with the stated purpose.
**Daemon**: Auto-starts `marmot-cli daemon` as a subprocess, health-checks via `ping` RPC, auto-restarts on crash
Leave autoStart enabled only if you want OpenClaw to manage the daemon; otherwise set autoStart to false and run the daemon yourself.
