fix(security): lock down inbound DMs by default

This commit is contained in:
Peter Steinberger
2026-01-06 17:51:38 +01:00
parent 327ad3c9c7
commit 967cef80bc
36 changed files with 2093 additions and 203 deletions


@@ -51,7 +51,8 @@ You can still run Clawdbot on your own Signal account if your goal is “respond
httpPort: 8080,
// Who is allowed to talk to the bot (DMs)
allowFrom: ["+15557654321"], // your personal number (or "*")
dmPolicy: "pairing", // pairing | allowlist | open | disabled
allowFrom: ["+15557654321"], // your personal number ("open" requires ["*"])
// Group policy + allowlist
groupPolicy: "open",
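Review bot: the new `allowFrom` comment says `"open" requires ["*"]`, but the hunk does not say what happens when `dmPolicy: "open"` is combined with a non-wildcard list like the `["+15557654321"]` shown, nor what `allowFrom` means under the new default `"pairing"` (pre-approved senders who skip the code, or ignored?). Suggest documenting both on the `dmPolicy` line, e.g. `// pairing | allowlist | open | disabled; "open" only with allowFrom ["*"], otherwise config is rejected at load`, so a mismatched pair fails closed at startup rather than being silently widened or narrowed.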
@@ -64,6 +65,10 @@ You can still run Clawdbot on your own Signal account if your goal is “respond
- Expect `signal.probe.ok=true` and `signal.probe.version`.
5) DM the bot number from your phone; Clawdbot replies.
## DM pairing
- Default: `signal.dmPolicy="pairing"` — unknown DM senders get a pairing code.
- Approve via: `clawdbot pairing approve --provider signal <code>`.
## “Do I need a separate number?”
- If you want “I text her and she texts me back”, yes: **use a separate Signal account/number for the bot**.
- Your personal account can run `signal-cli`, but you cant self-chat (Signal loop protection; Clawdbot ignores sender==account).
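Review bot: the "DM pairing" section shows how to approve a code (`clawdbot pairing approve --provider signal <code>`) but not the rest of the lifecycle an operator needs to run the default policy safely: where the pairing code is surfaced to the operator, whether codes expire or are rate-limited, and how an approved sender is listed or revoked later. Suggest adding one bullet for each under `## DM pairing`, since without a revocation path the "locked down by default" claim in the commit title only holds until the first approval. Minor: "you cant self-chat" should read "you can't self-chat".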