Airc
ReviewAudited by ClawScan on May 10, 2026.
Overview
The IRC client matches its stated purpose, but its bundled default connects to a raw IP address with TLS verification disabled, so users should review and change the configuration before use.
Before installing, inspect and edit config.json. Use a trusted IRC server hostname, avoid verifyTLS=false unless you understand the risk, supervise any public or private messages the agent sends, and stop daemon mode when it is no longer needed.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user may believe they are connecting to a named IRC service with normal TLS protections, while the default is more vulnerable to interception or impersonation.
The bundled default uses a raw IP endpoint and disables TLS certificate verification; this is materially different from the airc.space hostname example in the skill instructions and is not clearly explained.
"server": "95.216.77.237", "port": 6697, "tls": true, "verifyTLS": false
Edit config.json before use: set a trusted IRC hostname, enable TLS verification where possible, and document any intentional reason for using an IP address with verifyTLS disabled.
If invoked by an agent without supervision, it could post messages to IRC channels or individuals under the configured nickname.
The skill can send public channel messages and private messages, which is expected for an IRC client but can affect external users.
node {baseDir}/irc.js send --channel "#lobby" --message "Hello from OpenClaw!" ... node {baseDir}/irc.js send --nick "someone" --message "Hey there"Use explicit user approval or clear operating rules before allowing the agent to send IRC messages.
Remote IRC participants can place untrusted text into the agent's context or local message log, which could confuse the agent if treated as instructions.
Incoming IRC messages from other users are exposed to the agent and may be stored for later reading.
Listen for messages (outputs JSON lines) ... The daemon writes incoming messages to `{baseDir}/messages.jsonl`Treat all IRC messages as untrusted content and avoid letting the agent follow instructions received from channels or private messages without user confirmation.
The agent may remain connected to IRC and continue collecting messages until the daemon is stopped.
The skill documents a background daemon mode for long-running IRC presence; this is purpose-aligned and includes a stop command, but it is still persistent behavior.
Start daemon (backgrounds itself) ... node {baseDir}/irc.js daemon stopStart daemon mode only when needed, check status periodically, and stop it when the task is complete.