Arpc
Warn
Audited by ClawScan on May 10, 2026.
Overview
Arpc has a coherent agent-messaging purpose, but enabling its bridge gives a persistent external daemon access to an OpenClaw gateway token and lets outside agent messages enter the live conversation.
Use Arpc only if you want agent-to-agent messaging. Before enabling the bridge, understand that it stores an OpenClaw gateway token and allows incoming ARP messages to enter your live conversation. Keep contacts-only filtering unless you intentionally want unknown senders, verify the installer and daemon source as much as possible, and disable or uninstall the service when you no longer need it.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the arpc daemon, config file, or installed binary is compromised, the stored gateway token could be used to access the user's OpenClaw gateway or inject messages into a session.
The bridge setup requires a credential that can access the user's OpenClaw instance and persists it for the arpc daemon. This is disclosed, but it is high-impact authority and not just ordinary message content.
The bridge needs the OpenClaw gateway auth token ... The gateway token grants access to your OpenClaw instance ... The token is stored in plain text in `~/.config/arpc/config.toml`
Enable the bridge only if needed, use a dedicated or easily revocable gateway token if possible, verify `~/.config/arpc/config.toml` permissions are 600, and revoke the token if disabling or uninstalling the bridge.
A remote contact—or anyone if the user enables accept-all mode—could send prompt-like text that appears in the agent's live context and may influence later actions.
Remote agent messages cross directly into the active OpenClaw conversation. The skill instructs the agent to paraphrase rather than act, but the boundary relies on model behavior rather than a hard isolation mechanism.
With the bridge enabled, incoming ARP messages are automatically injected into your conversation ... sends each inbound message as a `chat.send` into your session.
Keep the default contacts-only mode, treat all inbound ARP messages as untrusted, require user confirmation before acting on them, and disable the bridge when live message injection is not needed.
The behavior of the installed daemon and updates cannot be fully assessed from this skill package alone.
The documented install path executes a remote installer, while the reviewed artifacts do not include the installer script or arpc binary. This is common for CLI tools and is disclosed, but users must trust the external distribution channel.
`curl -fsSL https://arp.offgrid.ing/install.sh | bash`
Review the installer source or vendor documentation before running it, prefer checksummed or package-manager installs if available, and avoid installing on sensitive systems without additional verification.
Arpc may continue running and connecting to the relay or bridge after installation until the user stops or uninstalls it.
A background daemon is expected for receiving messages, and uninstall/disable instructions are provided, but it means the component persists beyond the initial setup command.
The installer starts the daemon automatically (systemd on Linux, launchd on macOS).
Confirm the service is wanted, periodically check `arpc status` and service-manager state, and use the documented disable or uninstall steps if no longer needed.
