Skill v0.1.0
ClawScan security
OpenClaw Zulip Channel Plugin · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 26, 2026, 7:11 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The plugin's code and runtime instructions match a Zulip channel adapter, but there are metadata and packaging inconsistencies (missing declared env requirements, large lockfile with unexpected dependencies, and a local DB file write) that warrant review before installing.
- Guidance: What to check before installing:
  - Confirm the source repository (https://github.com/kagura-agent/openclaw-zulip) is the expected upstream and review recent commits/maintainer identity. The SKILL.md and package manifest point to that repo.
  - Verify and supply only a Zulip bot account with limited permissions. The plugin needs the bot email and API key; prefer a bot with narrowly scoped permissions and rotate the key if possible.
  - The plugin stores metadata in ~/.openclaw/data/zulip-metadata.sqlite. If you prefer isolation, run the gateway in a container or change the path in the code/config to a controlled location and ensure backups/permissions are appropriate.
  - Audit the package-lock.json dependency list before installing (npm install will pull these). The lockfile in the bundle contains a large set of transitive packages (including AWS/Anthropic-looking entries); confirm these are expected transitives from openclaw dependencies and not additional runtime components you don't want. Consider installing with production-only deps (npm ci --production) if you only need runtime.
  - Run tests and basic functional checks in a sandboxed environment first (e.g., a VM or container) and observe network activity to ensure only Zulip endpoints and the expected registries are contacted.
  - Because the registry metadata provided with the skill listing omitted required env vars, double-check your OpenClaw integration points (openclaw.plugin.json, SKILL.md, and secret contract files) to ensure the platform will surface prompts for the Zulip credentials and not any unexpected secrets.
  If you cannot perform these checks, treat the discrepancy between declared metadata and the code/manifest as a reason to be cautious.
Review Dimensions
- Purpose & Capability
  - note: The code, README, and SKILL.md all implement a Zulip channel plugin (topic threading, metadata DB, bot commands, event queue). That functionality aligns with the skill name/description. However, the top-level registry metadata in the provided listing claims no required environment variables or credentials, while the bundle includes openclaw.plugin.json that declares channelEnvVars (ZULIP_REALM, ZULIP_EMAIL, ZULIP_API_KEY), and the SKILL.md and code expect a Zulip API key/realm/email. This mismatch between registry metadata and the package manifest is inconsistent and worth verifying.
- Instruction Scope
  - note: SKILL.md gives straightforward install/config instructions (git clone, add plugin to openclaw.json, add Zulip account config, restart gateway, run tests). The runtime code operates within the expected scope: polling Zulip events, normalizing events, dispatching to OpenClaw runtime, handling /meta commands, and storing metadata in a local SQLite DB. Two items to be aware of: (1) the plugin writes a SQLite DB to the user's home (~/.openclaw/data/zulip-metadata.sqlite), which SKILL.md does not explicitly call out, and (2) the code will long-poll and run continuously for active accounts (expected for a gateway). There are no instructions to read unrelated system files or exfiltrate data to unexpected endpoints beyond the Zulip realm and the declared GitHub repo.
- Install Mechanism
  - note: There is no formal install spec in the skill bundle; SKILL.md describes cloning the GitHub repo and running npm install/test. The repository provided contains a full package-lock.json and many source files. The lockfile contains a large dependency graph (including many AWS-related and other packages), which increases the install footprint; this may be explained by transitive deps from the openclaw dev dependency but should be verified. No downloads from obscure single-use URLs or extractor/install-from-arbitrary-archive behavior were observed. Overall install risk is moderate only because of the unexpectedly large dependency surface in package-lock; prefer to run npm install in a controlled environment and audit dependencies.
- Credentials
  - note: The plugin legitimately needs Zulip credentials (realm, bot email, apiKey). Those are declared in openclaw.plugin.json and used by the code and SKILL.md. The top-level 'Requirements' summary in the input (which said 'none') is inconsistent with these declarations. I did not find any requests for unrelated credentials or environment variables (no AWS keys or other cloud credentials are requested by the code). Be aware the runtime will accept secrets either via config or environment variables (and includes secret-contract hooks), so verify how your OpenClaw installation will store/provide the bot API key.
- Persistence & Privilege
  - ok: The skill does not request always:true or other elevated platform privileges. It will run as a normal channel plugin (can be started/stopped by OpenClaw) and writes a local SQLite file at ~/.openclaw/data/zulip-metadata.sqlite for metadata persistence. This is within scope for a metadata DB but is persistent filesystem access in the user's home directory and should be noted by operators.
