romtuck/openclaw
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
513f3556e7
openclaw/extensions/twitch
History
Joel Cooper 513f3556e7 fix: enforce allowlist for explicit sends across all channels 
Explicit-mode sends (agent tool calls, gateway send command) bypassed
the allowFrom allowlist on every channel adapter. An agent hallucination
or prompt injection could send messages to arbitrary recipients despite
dmPolicy: "allowlist" being configured.

Fix by:
- Adding allowlist enforcement to the default fallback in targets.ts,
  covering all channels without a custom resolveTarget (Discord, Slack,
  Matrix, MS Teams, etc.)
- Fixing WhatsApp (core + extension), Twitch, and Google Chat adapters
  to reject explicit sends to non-allowlisted targets
- Enforcing allowlist on WhatsApp group JIDs (previously unguarded)

Implicit and heartbeat modes still fall back to allowList[0] as before.

AI-assisted (Claude). Tested locally.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-29 14:34:19 -07:00
..
src fix: enforce allowlist for explicit sends across all channels 2026-01-29 14:34:19 -07:00
test feat: Twitch Plugin (#1612) 2026-01-26 13:48:10 -06:00
CHANGELOG.md chore(release): bump versions to 2026.1.29 2026-01-29 16:48:13 +00:00
clawdbot.plugin.json feat: Twitch Plugin (#1612) 2026-01-26 13:48:10 -06:00
index.ts refactor: rename clawdbot to moltbot with legacy compat 2026-01-27 12:21:02 +00:00
package.json chore(release): bump versions to 2026.1.29 2026-01-29 16:48:13 +00:00
README.md chore: update molt.bot domains 2026-01-27 12:21:01 +00:00

README.md

@clawdbot/twitch

Twitch channel plugin for Clawdbot.

Install (local checkout)

clawdbot plugins install ./extensions/twitch

Install (npm)

clawdbot plugins install @clawdbot/twitch

Onboarding: select Twitch and confirm the install prompt to fetch the plugin automatically.

Config

Minimal config (simplified single-account):

⚠️ Important: requireMention defaults to true. Add access control (allowFrom or allowedRoles) to prevent unauthorized users from triggering the bot.

{
  channels: {
    twitch: {
      enabled: true,
      username: "clawdbot",
      accessToken: "oauth:abc123...", // OAuth Access Token (add oauth: prefix)
      clientId: "xyz789...", // Client ID from Token Generator
      channel: "vevisk", // Channel to join (required)
      allowFrom: ["123456789"], // (recommended) Your Twitch user ID only (Convert your twitch username to ID at https://www.streamweasels.com/tools/convert-twitch-username-%20to-user-id/)
    },
  },
}

Access control options:

  • requireMention: false - Disable the default mention requirement to respond to all messages
  • allowFrom: ["your_user_id"] - Restrict to your Twitch user ID only (find your ID at https://www.twitchangles.com/xqc or similar)
  • allowedRoles: ["moderator", "vip", "subscriber"] - Restrict to specific roles

Multi-account config (advanced):

{
  channels: {
    twitch: {
      enabled: true,
      accounts: {
        default: {
          username: "clawdbot",
          accessToken: "oauth:abc123...",
          clientId: "xyz789...",
          channel: "vevisk",
        },
        channel2: {
          username: "clawdbot",
          accessToken: "oauth:def456...",
          clientId: "uvw012...",
          channel: "secondchannel",
        },
      },
    },
  },
}

Setup

  1. Create a dedicated Twitch account for the bot, then generate credentials: Twitch Token Generator
    • Select Bot Token
    • Verify scopes chat:read and chat:write are selected
    • Copy the Access Token to token property
    • Copy the Client ID to clientId property
  2. Start the gateway

Full documentation

See https://docs.molt.bot/channels/twitch for:

  • Token refresh setup
  • Access control patterns
  • Multi-account configuration
  • Troubleshooting
  • Capabilities & limits