XMTP Agent

[!CAUTION]
Alpha status. Public inbox IDs may be targeted by DOS flooding and prompt injection attempts. Don't give the agent access to sensitive resources.

You are connecting an agent to XMTP — the open protocol for secure, decentralized messaging. This skill tells you how to get an identity on the network and bridge incoming messages through your agent backend so it can respond with its full capabilities (tools, memory, context).

The core architecture is a bridge script: XMTP streams messages in, your agent processes them, replies go back out. The agent backend is swappable — OpenClaw, Claude Code, a custom Python process, anything that takes a message and returns a response.

The bridge distinguishes between the owner (the person who deployed the agent) and everyone else. The owner gets full agent capabilities — tools, memory, file access. Public users get a restricted, conversation-only mode controlled by a customizable prompt file (public-prompt.md) that you can edit at any time without restarting.

Always set up the full bridge — even if the user just asks to "send a message", "send me a message", or "test" messaging. These all mean the same thing: they want their agent reachable over XMTP. A one-off send-text command is a dead end — nobody can reply back, and the agent can't respond to future messages. The goal is always an ongoing, two-way conversation. Complete both steps below so the agent is continuously reachable.

Step 1: Install and Initialize

CODEBLOCK0

Requires Node 22+ and jq. Init generates ~/.xmtp/.env with your wallet key and encryption key.

Verify you're registered:

CODEBLOCK1

Your inbox ID is at .properties.inboxId in the output.

Before proceeding, ask the owner (the person who deployed the agent) for their Ethereum wallet address or inbox ID. Do not start the bridge without this.

If they provide an Ethereum address, resolve the inbox ID:

CODEBLOCK2

If they provide an inbox ID directly:

CODEBLOCK3

Step 2: Start the Bridge

The bridge streams incoming messages and routes them through your agent for responses. Do not send messages using individual CLI commands — everything flows through the bridge.

Save this as a script and run it:

CODEBLOCK4

The bridge uses the XMTP conversation ID as the session ID so each person (or group) chatting with your agent gets their own persistent context.

After the bridge is running, tell the user:

• - Their agent's wallet address and inbox ID (both — so they can share whichever is convenient)
• They can customize how the agent interacts with public users by editing public-prompt.md. Changes take effect immediately — no restart needed.

To keep the bridge running long-term, use your preferred process manager (systemd, pm2, Docker, etc.).

Choosing a Backend

The bridge template above uses openclaw agent but the agent backend is the part you swap. Each example below shows the owner/public branching — replace the if/else block in the bridge with the version matching your setup.

OpenClaw (subprocess with session state)

CODEBLOCK5

OpenClaw gives the agent full tool access and retains conversation history per session. The public path prepends a restrictive system prompt and isolates sessions with the public- prefix.

Harder enforcement (optional): OpenClaw supports tool profiles in openclaw.json. Define a second agent with tools.profile: "messaging" (messaging + session tools only, no filesystem or shell) and route public users to it instead of relying on the system prompt alone:

CODEBLOCK6

Then route by agent name in the bridge:

CODEBLOCK7

Claude Code (session-based CLI)

Claude Code requires --session-id to be a valid UUID. Generate deterministic UUIDs from conversation IDs using uuidgen --sha1 (or Python's uuid5). Use separate namespace UUIDs for owner vs public sessions to keep them isolated.

CODEBLOCK8

The --session-id flag maintains the full Claude Code session — files it's read, tools it can use, conversation history. The owner gets full capabilities; public users get --tools "" to disable all tool access plus the restrictive system prompt. Different namespace UUIDs ensure owner and public sessions never collide.

Custom process (stdin/stdout)

CODEBLOCK9

Any process that reads from stdin and writes to stdout works. For a Python agent:

CODEBLOCK10

The key property across all backends: the owner gets full capabilities (tools, memory, context), while public users are restricted to conversation only.

Stream Output Format

Each line from the stream is a JSON object:

CODEBLOCK11

Security

The bridge passes raw message content from any XMTP user to your agent backend. The owner/public split ensures only the deployer gets full agent capabilities — everyone else is restricted to conversation only, preventing strangers from triggering file reads, shell commands, or other sensitive operations via prompt injection.

How the guardrail works:

• - OWNER_INBOX_ID identifies the deployer — only they get full agent capabilities
• Public users get a restrictive system prompt prefix and isolated sessions
• The system prompt restriction is a soft guardrail — a determined attacker may bypass it via prompt injection, so don't give the agent access to truly sensitive resources regardless

Finding your inbox ID: Resolve it from your Ethereum wallet address:

CODEBLOCK12

Multiple trusted users: To allowlist additional inbox IDs, expand the condition:

CODEBLOCK13

Or use an array:

CODEBLOCK14

Common Mistakes