Bluebubbles Healthcheck
Warn
Audited by ClawScan on May 10, 2026.
Overview
The skill is mostly purpose-aligned, but it can expose the BlueBubbles password in diagnostic output and can delete all BlueBubbles webhooks rather than only the OpenClaw one.
Install only if you are comfortable giving the skill your BlueBubbles API password and letting it modify webhook configuration. Before using auto-heal or reset-webhook.sh, review whether you have other BlueBubbles webhooks that would be deleted, and patch or avoid diagnose.sh until password masking is fixed.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running diagnostics may reveal the BlueBubbles API password in the agent transcript, terminal output, or logs, allowing anyone who can see that output to use the BlueBubbles API.
The skill documents that registered webhook URLs contain the BlueBubbles password, but diagnose.sh prints the matching webhook URL directly without masking it.
MATCHING_URL=$(echo "$WEBHOOK_URLS" | grep "18789" | head -1)
check_pass "webhook_registered" "$MATCHING_URL"
Mask password query parameters in diagnose.sh and JSON output before printing, and rotate the BlueBubbles password if it has already appeared in logs or chat transcripts.
A repair attempt can silently remove other BlueBubbles integrations that depend on webhooks, breaking unrelated automations or message delivery paths.
The reset script deletes every webhook returned by BlueBubbles, not just stale or OpenClaw-related webhooks.
# Step 2: Delete all existing webhooks
...
for w in d.get('data', []):
    print(w['id'])
...
curl -s -X DELETE --max-time 10 -H "Authorization: Bearer ${BB_PASSWORD}" "${BB_URL}/api/v1/webhook/${id}"
Filter deletion to only OpenClaw/port-18789 webhooks, show the list before deleting, and require explicit confirmation unless the user selected a dry run or a clearly scoped reset.
This is expected for the integration, but it means BlueBubbles event data will be sent to the configured OpenClaw endpoint, so the endpoint must be local or otherwise trusted.
The skill registers a BlueBubbles webhook for all events to the configured OpenClaw webhook URL.
-d "{\"url\": \"${ESCAPED_URL}\", \"events\": [\"*\"]}"
Use the default localhost webhook endpoint where possible, avoid remote webhook URLs unless you fully trust them, and consider narrowing subscribed events if the integration supports it.
