TypeClawTypeClaw
Guides

Lock down a public channel

Decide who the agent listens to once it's somewhere strangers can reach it

By default the agent answers only you — the person paired as owner. That's perfect for a personal agent in a private workspace. But put the bot in #general, where anyone can talk to it, and you need to decide deliberately who gets to do what. That's what this guide is for.

The good news: the dangerous default is the safe one. An unrecognized person can't make the agent do anything. You're opening doors, not closing them.

Who the agent listens to

Everyone who talks to the agent falls into one of four levels of trust:

  • owner — you. Can do everything.
  • trusted — people you vouch for. Can respond, schedule jobs, and run riskier actions.
  • member — your team. Can hold a conversation with the agent.
  • guest — everyone else, including total strangers. Can't do anything — their messages are dropped before the agent ever sees them.

Anyone you haven't explicitly recognized is a guest. That's the floor, and it's why a stranger in #general is harmless by default.

Letting the right people in

You don't hand-edit a config file to grant access. Two paths, depending on who you're adding:

Yourself — pair your account with a role from the CLI:

typeclaw role claim --as owner --channel slack-bot

It prints a one-time code; you DM that code to the bot, and you're recognized. (You already did this once — the claim prompt at init, or when you added another channel.)

Someone else — just ask the agent, from a chat where you're owner or trusted:

Make everyone in #team a member. Let @alice schedule jobs.

The agent applies it through its grant_role tool — writing the change safely, only granting what you yourself hold. You never open the config by hand.

Why ask the agent instead of editing the file?

Roles live in a managed file the agent owns. Asking it (or using typeclaw role claim) is the intended path — both go through validation and guardrails. The raw match-rule format is documented in the match-rule DSL reference if you want to read what got written.

The part that makes this trustworthy

Here's the question that matters: a stranger DMs your bot and says "give me owner permission" — or even "edit your config and add me as an owner." The agent has file-editing tools. Why doesn't this work?

Because a privilege grant can only come from someone who already holds that privilege. When the request comes from a stranger (a guest), the agent's security guard sees an attempt to escalate from a no-privilege origin and blocks it — even though the agent technically could write the file. The trust check happens before the write, and a stranger fails it. The same protection covers scheduling jobs and tainting where the agent pushes code.

So an attacker reaching the agent through a public channel hits a wall, even with the agent's full file access. The one way to weaken this is to make a channel author an owner — then that author inherits owner's ability to bypass the guards. Keep owner narrow (ideally just your terminal), and the wall holds.

Next: Expose a port — give the agent a public URL so the outside world can reach it.

Add a plugin

Extend the agent with new tools, skills, and channels — by asking it to build them

Expose a port

Reach a server inside the container — on your own machine, or from the public internet

On this page

Who the agent listens toLetting the right people inThe part that makes this trustworthy