OpenClaw
Give an OpenClaw agent a real, routable, verifiable Whisper network identity — and, with a key, source-bind its egress to a Whisper /128.
Status: Staged — install from source, registry publish pending. Built and proven end-to-end locally; there is no one-command registry install yet. The real add-step below works today. Rebuilt against the real OpenClaw Plugin SDK and inspector-clean; the ClawHub registry publish is the remaining step (clawhub install whisper once published).
Add it
Once published, clawhub install whisper. Until then, install from the adapter directory in whisper-sec/whisper-adapters:
npm install
npm run plugin:build # tsc → dist/, then generates openclaw.plugin.json
openclaw plugins install . # load it into OpenClaw
Prerequisite: the whisper CLI on your PATH — the adapter runs whisper mcp (the tool surface) and, for egress, whisper connect:
curl -fsSL https://get.whisper.online | sh
Two tiers, auth optional
Like every Whisper integration, the adapter is two-tier by design — liberal in what it asks of you (Postel's Law):
- No API key — the keyless tools work for everyone:
whisper_verify(is an address or hostname a real Whisper agent, and whose?) andwhisper_rdap(its RDAP registration). Real value, zero setup. - With your key (
WHISPER_API_KEYin the client's environment, or a savedwhisper login) — the full control plane unlocks (whisper_register,whisper_list,whisper_policy,whisper_logs,whisper_revoke,whisper_egress_config), and the session can egress from its routable/128.
The plugin declares the eight Whisper tools as a static list via defineToolPlugin and forwards each call to whisper mcp; on the first control-plane call it best-effort brings egress up (whisper connect --ensure, idempotent, non-blocking).
Verify without a key
# keyless — no account, no key
whisper verify 2a04:2a01:f3c6:4261:9887:4349:306a:52c8
# → verified Whisper agent (DANE-anchored)
# fqdn a98874349306a52c8.botboss.app
In an agent chat, the same check is one tool call — ask the model to run whisper_verify {target:"api.openai.com"} and it comes back with is_whisper_agent, dane_ok, and jws_ok.
Egress from your /128
Set your key in the client's launch environment, then let the agent mint its own identity and route through it:
export WHISPER_API_KEY=whisper_live_… # set in the CLIENT's launch env
# in chat: whisper_register {name:"scout"} → a routable /128 + DNS name
whisper ip # ✓ egress verified — source IP == the agent's /128
dig -x <that /128> # reverse-DNS → the agent's Whisper hostname
Verify it worked
Restart the client and ask it, in chat, to run whisper_verify against any address. A true/false is_whisper_agent verdict back means the whisper mcp server is wired in correctly, end to end. With a key present, whisper_list returns your agents.
Next: OpenCode · MCP server.