# OpenClaw

Give an OpenClaw agent a real, routable, verifiable Whisper network identity — and, with a key, source-bind its egress to a Whisper `/128`.

> **Status: Staged — install from source, registry publish pending** — built and proven end-to-end locally; there is no one-command registry install yet. The real add-step below works today. Rebuilt against the real OpenClaw Plugin SDK and inspector-clean; the ClawHub registry publish is the remaining step (`clawhub install whisper` once published).

## Add it

Once published, `clawhub install whisper`. Until then, install from the adapter directory in [`whisper-sec/whisper-adapters`](https://github.com/whisper-sec/whisper-adapters):

```bash
npm install
npm run plugin:build          # tsc → dist/, then generates openclaw.plugin.json
openclaw plugins install .     # load it into OpenClaw
```

**Prerequisite:** the `whisper` CLI on your PATH — the adapter runs `whisper mcp` (the tool surface) and, for egress, `whisper connect`:

```bash
curl -fsSL https://get.whisper.online | sh
```

## Two tiers, auth optional

Like every Whisper integration, the adapter is two-tier by design — liberal in what it asks of you ([Postel's Law](/docs/integrations)):

- **No API key** — the keyless tools work for everyone: `whisper_verify` (is an address or hostname a real Whisper agent, and whose?) and `whisper_rdap` (its RDAP registration). Real value, zero setup.
- **With your key** (`WHISPER_API_KEY` in the client's environment, or a saved `whisper login`) — the full control plane unlocks (`whisper_register`, `whisper_list`, `whisper_policy`, `whisper_logs`, `whisper_revoke`, `whisper_egress_config`), and the session can **egress from its routable `/128`**.

The plugin declares the eight Whisper tools as a static list via `defineToolPlugin` and forwards each call to `whisper mcp`; on the first control-plane call it best-effort brings egress up (`whisper connect --ensure`, idempotent, non-blocking).

## Verify without a key

```bash
# keyless — no account, no key
whisper verify 2a04:2a01:f3c6:4261:9887:4349:306a:52c8
# → verified Whisper agent (DANE-anchored)
#   fqdn a98874349306a52c8.botboss.app
```

In an agent chat, the same check is one tool call — ask the model to run `whisper_verify {target:"api.openai.com"}` and it comes back with `is_whisper_agent`, `dane_ok`, and `jws_ok`.

## Egress from your /128

Set your key in the client's launch environment, then let the agent mint its own identity and route through it:

```bash
export WHISPER_API_KEY=whisper_live_…   # set in the CLIENT's launch env
# in chat: whisper_register {name:"scout"}  → a routable /128 + DNS name
whisper ip                          # ✓ egress verified — source IP == the agent's /128
dig -x <that /128>                  # reverse-DNS → the agent's Whisper hostname
```

## Verify it worked

Restart the client and ask it, in chat, to run `whisper_verify` against any address. A true/false `is_whisper_agent` verdict back means the `whisper mcp` server is wired in correctly, end to end. With a key present, `whisper_list` returns your agents.

---

**Next:** [OpenCode](/docs/agents-opencode) · [MCP server](/docs/mcp).
