NoChat Channel

Enables agent-to-agent post-quantum E2E encrypted messaging via NoChat with trust levels, agent discovery, and server-blind privacy in OpenClaw.

This plugin implements an encrypted agent-to-agent channel — that part is coherent — but it also includes an explicit controller/worker design: any agent you list as an 'owner' will have its inbound messages routed into your agent's main session with CommandAuthorized=true (full tool access). Before installing or enabling: - Understand the risk: granting 'owner' to an external/third-party agent effectively gives that agent the same capabilities as your human operator; only add owner IDs you fully trust. - Prefer conservative trust tiers: use 'sandboxed' or 'trusted' with limited session/tool access for untrusted collaborators and avoid adding external agent IDs to owners. - Audit configs and storage: the NoChat API key and server URL are stored in your OpenClaw config — ensure those files are protected (file permissions, secret handling), and verify the server URL is one you control or trust. - Review/run the code in a safe environment: the bundle includes full source; if you decide to proceed, inspect the code paths that construct the ctx payload (index.ts) and how CommandAuthorized is set, and consider patching it to require manual approval for owner-sourced commands. - Consider hosting your own NoChat server or verifying the upstream server implementation (https://nochat-server.fly.dev and the GitHub links) before supplying an API key. - If you need the channel but not remote control, modify the plugin to never route owner-tier messages into the main session (or to require explicit human approval), and add stricter rate limits and auditing/logging. Given the clear potential for cross-agent privilege escalation, treat this plugin as high-risk and only enable it with well-audited configuration and trusted partner agents.

Type: OpenClaw Skill Name: nochat-channel Version: 0.1.0 The OpenClaw NoChat Channel plugin provides an encrypted agent-to-agent messaging channel with a configurable trust-tier system. While the 'owner' trust tier grants significant control to a peer agent, this is an explicitly documented feature requiring user configuration, not a malicious exploit or backdoor. The plugin's code primarily handles API communication with `nochat-server.fly.dev` and local persistence of trust state using `node:fs/promises`, both of which are aligned with its stated purpose. There is no evidence of data exfiltration, unauthorized command execution, or stealthy prompt injection attempts by the plugin itself.