Latest release: v2026.5.28
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
The package is an official @openclaw Twitch channel plugin for chat, moderation workflows, inbound message handling, and outbound replies; the observed Twitch API, chat connection, and token use are consistent with that purpose.
Instruction Scope
Runtime behavior is scoped to Twitch channel accounts and explicit message handling, but the setup wizard can offer OPENCLAW_TWITCH_ACCESS_TOKEN as the token prompt initial value even when configuring a non-default account, which could cause accidental token reuse if the user accepts it.
Install Mechanism
The package is a small npm-pack artifact with declared OpenClaw plugin metadata, no install scripts, and only expected Twurple and zod dependencies.
Credentials
Network access to Twitch and use of Twitch OAuth credentials are proportionate for the plugin. Debug/verbose logging can include a short preview of inbound chat messages, so operators should avoid verbose logging where chat may contain sensitive text.
Persistence & Privilege
The plugin persists access tokens and optional client secret/refresh token values into OpenClaw channel configuration as part of normal setup; this is expected for the integration but should be treated as sensitive local configuration.
Scan Findings in Context
[suspicious.exposed_secret_literal] expected: The static scan appears to flag schema/config property names such as clientSecret and accessToken rather than hardcoded secret values; artifact inspection did not show embedded credentials.
[SDI-4] unexpected: Artifact inspection supports the account-separation concern: setup reads OPENCLAW_TWITCH_ACCESS_TOKEN and passes it as a token prompt initial value even outside the dedicated default-account path. This is an interactive setup risk, not evidence of exfiltration or malicious behavior.
[SQP-2] expected: The plugin logs inbound Twitch message metadata and a 100-character preview only through debug/verbose logging. This is relevant privacy guidance for chat operators, but it is not hidden or unrelated to the chat-integration purpose.
[SQP-2] expected: Collecting and storing Twitch access tokens, client secrets, and refresh tokens is expected for a Twitch chat connector with optional token refresh, though users should understand these values are sensitive and persisted in configuration.
Assessment
Install only if you are comfortable giving OpenClaw a Twitch bot token with chat scopes. Prefer a dedicated bot account, restrict who can trigger the bot with allowFrom or allowedRoles, avoid verbose logging on sensitive channels, and be careful during multi-account setup not to reuse the default OPENCLAW_TWITCH_ACCESS_TOKEN for another account unless that is intended.
dist/plugin-n6agZBWc.js:38
File appears to expose a hardcoded API secret or token.
dist/setup-surface-CSxU-v0y.js:243
File appears to expose a hardcoded API secret or token.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
@openclaw/twitch
Twitch channel plugin for OpenClaw.
Install (local checkout)
openclaw plugins install ./path/to/local/twitch-plugin
Install (npm)
openclaw plugins install @openclaw/twitch
Onboarding: select Twitch and confirm the install prompt to fetch the plugin automatically.
Config
Minimal config (simplified single-account):
⚠️ Important: requireMention defaults to true. Add access control (allowFrom or allowedRoles) to prevent unauthorized users from triggering the bot.
{
  channels: {
    twitch: {
      enabled: true,
      username: "openclaw",
      accessToken: "oauth:abc123...", // OAuth Access Token (add oauth: prefix)
      clientId: "xyz789...", // Client ID from Token Generator
      channel: "vevisk", // Channel to join (required)
      allowFrom: ["123456789"], // (recommended) Your Twitch user ID only (Convert your twitch username to ID at https://www.streamweasels.com/tools/convert-twitch-username-to-user-id/)
    },
  },
}
Access control options:
- requireMention: false - Disable the default mention requirement to respond to all messages
- allowFrom: ["your_user_id"] - Restrict to your Twitch user ID only (find your ID at https://www.twitchangles.com/xqc or similar)
- allowedRoles: ["moderator", "vip", "subscriber"] - Restrict to specific roles
Multi-account config (advanced):
{
  channels: {
    twitch: {
      enabled: true,
      accounts: {
        default: {
          username: "openclaw",
          accessToken: "oauth:abc123...",
          clientId: "xyz789...",
          channel: "vevisk",
        },
        channel2: {
          username: "openclaw",
          accessToken: "oauth:def456...",
          clientId: "uvw012...",
          channel: "secondchannel",
        },
      },
    },
  },
}
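The scan's account-separation and access-control concerns can be checked against a parsed config before the gateway starts. The following is an added example, not code from the plugin or from OpenClaw; the function name, the issue labels, and the placement of allowFrom, allowedRoles and requireMention on each account object are assumptions, and the sample tokens are constructed.

```javascript
// Added example, not part of @openclaw/twitch. Assumes per-account allowFrom,
// allowedRoles and requireMention sit on each account object.
function auditTwitchConfig(config, envToken) {
  const twitch = (config.channels && config.channels.twitch) || {};
  // The simplified single-account form is treated as the "default" account.
  const accounts = twitch.accounts || { default: twitch };
  const findings = [];
  const tokenOwners = new Map(); // token -> account names using it

  for (const [name, acct] of Object.entries(accounts)) {
    const nonEmpty = (v) => Array.isArray(v) && v.length > 0;
    if (!nonEmpty(acct.allowFrom) && !nonEmpty(acct.allowedRoles)) {
      // requireMention defaults to true; false with no allow-list answers anyone.
      const issue = acct.requireMention === false ? "open-to-all-chatters" : "no-access-control";
      findings.push({ account: name, issue });
    }
    const token = acct.accessToken;
    if (typeof token !== "string" || token === "") continue;
    if (!token.startsWith("oauth:")) findings.push({ account: name, issue: "missing-oauth-prefix" });
    // The setup wizard can pre-fill OPENCLAW_TWITCH_ACCESS_TOKEN for any account.
    if (envToken && name !== "default" && token === envToken) {
      findings.push({ account: name, issue: "reuses-default-env-token" });
    }
    tokenOwners.set(token, [...(tokenOwners.get(token) || []), name]);
  }
  for (const owners of tokenOwners.values()) {
    if (owners.length > 1) findings.push({ account: owners.join("+"), issue: "shared-access-token" });
  }
  return findings; // token values are never included in findings
}

// Constructed sample: channel2 accepted the pre-filled default token.
const SAMPLE_ENV_TOKEN = "oauth:constructed-default-token";
const SAMPLE_CONFIG = {
  channels: { twitch: { enabled: true, accounts: {
    default: { username: "openclaw", accessToken: SAMPLE_ENV_TOKEN,
               clientId: "constructed-id-1", channel: "vevisk", allowFrom: ["123456789"] },
    channel2: { username: "openclaw", accessToken: SAMPLE_ENV_TOKEN,
                clientId: "constructed-id-2", channel: "secondchannel", requireMention: false },
  } } },
};

console.log(auditTwitchConfig(SAMPLE_CONFIG, SAMPLE_ENV_TOKEN));
```

Pass the value of OPENCLAW_TWITCH_ACCESS_TOKEN as the second argument when it is set; findings name accounts only, so the output is safe to log.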
Setup
- Create a dedicated Twitch account for the bot, then generate credentials: Twitch Token Generator
  - Select Bot Token
  - Verify scopes chat:read and chat:write are selected
  - Copy the Access Token to token property
  - Copy the Client ID to clientId property
- Start the gateway
Full documentation
See https://docs.openclaw.ai/channels/twitch for:
- Token refresh setup
- Access control patterns
- Multi-account configuration
- Troubleshooting
- Capabilities & limits
