From 79e9cc79b5edb05fc95f3038d9bd07b3b07905c2 Mon Sep 17 00:00:00 2001
From: Jonathan Santilli <1774227+jonathansantilli@users.noreply.github.com>
Date: Wed, 22 Apr 2026 22:56:19 +0100
Subject: [PATCH] =?UTF-8?q?feat(kb):=20add=20OpenClaw=20=E2=80=94=20messag?=
 =?UTF-8?q?ing-channel=20gateway=20for=20LLM=20agents?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

OpenClaw (openclaw.ai, github.com/openclaw/openclaw) exposes LLM agents through WhatsApp, Telegram, Signal, Slack, iMessage, Discord, LINE, Matrix, Teams, Zalo, and voice-call channels. Not a coding assistant, but a materially different agentic-LLM surface worth scanning:
- Untrusted inbound messages feed LLM tool-use directly (prompt-injection surface on every connected channel).
- Plugin system installs via `npm install --omit=dev` with arbitrary package content — lifecycle scripts execute in-process.
- hooks.json5 declares shell commands run before/after agent tool calls.
Registered KB entry covers:
- config_paths (6): openclaw.json, custom.json, hooks.json5, exec-approvals.json, .env, telegram.token
- skill_paths (3): extensions/*/package.json (plugin manifests), agents/*/agent (agent configs), workspace/IDENTITY.md (persona)
- extension_mechanisms (3): npm_plugin, messaging_channel, hook
---
 src/knowledge-base/openclaw.json | 96 ++++++++++++++++++++++++++++++++
 1 file changed, 96 insertions(+)
 create mode 100644 src/knowledge-base/openclaw.json

diff --git a/src/knowledge-base/openclaw.json b/src/knowledge-base/openclaw.json
new file mode 100644
index 0000000..c6e3475
--- /dev/null
+++ b/src/knowledge-base/openclaw.json
@@ -0,0 +1,96 @@
+{
+ "tool": "openclaw",
+ "version_range": ">=0.1.0",
+ "config_paths": [
+ {
+ "path": ".openclaw/openclaw.json",
+ "scope": "user",
+ "format": "jsonc",
+ "risk_surface": ["agent_config", "channel_bindings", "provider_credentials", "mcp_config"],
+ "fields_of_interest": {
+ "agents": "agent definitions and the messaging channels they expose",
+ "providers": "configured LLM providers (API keys, custom base URLs)",
+ "channels": "enabled inbound/outbound channels (whatsapp, telegram, signal, slack, imessage, discord, line, matrix, teams, zalo, voice)",
+ "mcpServers": "MCP servers exposed to the agent",
+ "tools": "plugin-provided tools registered on the agent"
+ }
+ },
+ {
+ "path": ".openclaw/custom.json",
+ "scope": "user",
+ "format": "jsonc",
+ "risk_surface": ["agent_config", "user_override"]
+ },
+ {
+ "path": ".openclaw/hooks.json5",
+ "scope": "user",
+ "format": "text",
+ "risk_surface": ["hooks", "command_exec", "consent_bypass"],
+ "fields_of_interest": {
+ "pre": "pre-tool-use shell commands (runs with agent privileges)",
+ "post": "post-tool-use shell commands"
+ }
+ },
+ {
+ "path": ".openclaw/exec-approvals.json",
+ "scope": "user",
+ "format": "jsonc",
+ "risk_surface": ["consent_bypass", "command_exec"],
+ "fields_of_interest": {
+ "approved": "commands the agent can run without prompting the operator"
+ }
+ },
+ {
+ "path": ".openclaw/.env",
+ "scope": "user",
+ "format": "dotenv",
+ "risk_surface": ["secret_leak", "env_override"]
+ },
+ {
+ "path": ".openclaw/telegram.token",
+ "scope": "user",
+ "format": "text",
+ "risk_surface": ["secret_leak", "channel_token"]
+ }
+ ],
+ "skill_paths": [
+ {
+ "path": ".openclaw/extensions/*/package.json",
+ "scope": "user",
+ "type": "plugin_manifest",
+ "risk_surface": ["plugin_install", "supply_chain", "command_exec", "remote_resource"]
+ },
+ {
+ "path": ".openclaw/agents/*/agent",
+ "scope": "user",
+ "type": "agent",
+ "risk_surface": ["agent_config", "tool_access", "channel_bindings", "prompt_injection"]
+ },
+ {
+ "path": ".openclaw/workspace/IDENTITY.md",
+ "scope": "user",
+ "type": "identity",
+ "risk_surface": ["prompt_injection", "persona_override"]
+ }
+ ],
+ "extension_mechanisms": [
+ {
+ "type": "npm_plugin",
+ "install_pattern": ".openclaw/extensions/*/package.json",
+ "risk": "Plugins install via `npm install --omit=dev` with arbitrary package content; lifecycle scripts (postinstall, etc.) execute during install. Plugin code runs in-process with agent privileges.",
+ "fetchable": false
+ },
+ {
+ "type": "messaging_channel",
+ "install_pattern": ".openclaw/credentials/*",
+ "risk": "Inbound messages from external channels (WhatsApp, Telegram, Signal, Slack, iMessage, Discord, LINE, Matrix, Teams, Zalo, voice) feed untrusted text directly into LLM tool-use. Classic prompt-injection surface — every connected channel is an attacker-controllable input to the agent.",
+ "fetchable": false
+ },
+ {
+ "type": "hook",
+ "install_pattern": ".openclaw/hooks.json5",
+ "risk": "hooks.json5 declares shell commands to run before/after agent tool calls. An attacker with write access to this file can silently intercept or tamper with every agent action.",
+ "fetchable": false
+ }
+ ]
+}
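Review bot: The `.openclaw/hooks.json5` config_paths entry sets `"format": "text"` yet lists `pre`/`post` under `fields_of_interest`, so a consumer that treats the file as opaque text has nothing to extract those keys from; either mark it with whatever value the KB schema uses for JSON5 (if one exists) or drop `fields_of_interest` so the entry does not promise extraction it cannot perform. `jsonc`, used on the sibling `openclaw.json`/`custom.json`/`exec-approvals.json` entries, would only parse the double-quoted subset of JSON5 and is not a drop-in substitute. Separately, `.openclaw/credentials/*` appears only as the `messaging_channel` install_pattern and not in `config_paths`, while the sibling token file `.openclaw/telegram.token` is listed there with `secret_leak`/`channel_token`; if channel credentials do live under that directory, add `{ "path": ".openclaw/credentials/*", "scope": "user", "format": "text", "risk_surface": ["secret_leak", "channel_token"] }` so the secret-leak scan covers them rather than only the Telegram token.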