Bluebubbles
ReviewAudited by ClawScan on May 1, 2026.
Overview
This instruction-only skill is coherent for developing a BlueBubbles messaging plugin, with disclosed but sensitive messaging credentials, webhooks, and media handling that users should configure carefully.
This appears suitable as a development aid for a BlueBubbles channel plugin. Before using the resulting plugin, make sure the BlueBubbles password is protected, the webhook endpoint is not exposed more broadly than intended, and message/reaction/media behavior is reviewed for your deployment.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If configured, the plugin can use BlueBubbles account access to send or manage message-related actions.
The plugin configuration includes a BlueBubbles password and server endpoint, which is expected for this messaging integration but grants access to a messaging bridge.
`channels.bluebubbles.serverUrl` (base URL), `channels.bluebubbles.password`, `channels.bluebubbles.webhookPath`.
Store the BlueBubbles password securely, limit access to the configuration, and review the plugin's outgoing message and reaction behavior before enabling it.
Incoming messages and attachments from BlueBubbles may be processed by Clawdbot, so private chat content could enter the bot workflow.
The skill describes an external webhook flow where message payloads and media references enter the bot's reply pipeline, which is purpose-aligned but involves private message data crossing a service boundary.
BlueBubbles posts JSON to the gateway HTTP server. ... Route into core reply pipeline ... attach media paths via `MediaUrl(s)` in the inbound context.
Protect the webhook path, validate inbound payloads, keep sender/chat normalization defensive, and ensure media handling is limited to the intended channel context.