OpenClaw Zulip
Security checks across malware telemetry and agentic risk
Overview
This appears to be a coherent Zulip bridge, but it needs Zulip bot credentials and can monitor, post, and administer Zulip content, so install it only with permissions you intend to grant.
Before installing, create a dedicated Zulip bot with the least privileges needed, keep admin actions disabled unless required, leave mention/allowlist policies restrictive, prefer the standard ClawHub install path, and avoid force-install workarounds unless you have reviewed both the source tree and the scanner warning.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
People who can message or mention the bot may influence what the agent sees and how it responds, depending on the configured policies.
External Zulip events can enter the agent's context and lead to responses, but the skill discloses mention gating and configurable chat modes.
When an event arrives from Zulip, the agent will automatically have context ... By default, the bot only responds to @mentions in streams unless `chatmode` is changed.
Keep default mention gating and restrictive DM/group policies unless you intentionally want broader access.
If enabled with a powerful bot account, the agent may be able to edit/delete messages or streams, invite users, or deactivate/reactivate users.
The plugin exposes high-impact Zulip mutation/admin capabilities, with an explicit configuration gate for admin actions.
deleteZulipMessage, deleteZulipStream, ... deactivateZulipUser, ... updateZulipRealm ... "Admin actions require enableAdminActions: true in Zulip config"
Use a dedicated low-privilege Zulip bot, keep `enableAdminActions` off unless needed, and require human review for destructive administrative tasks.
The installed plugin can act with the permissions of the configured Zulip bot account.
The plugin requires Zulip account credentials and correctly marks the API key as sensitive in its manifest.
"channelEnvVars": { "zulip": ["ZULIP_API_KEY", "ZULIP_EMAIL", "ZULIP_URL", "ZULIP_SITE", "ZULIP_REALM"] } ... "apiKey": { "label": "API Key", "sensitive": true }
Create a dedicated bot, scope its Zulip permissions narrowly, prefer environment variables for secrets, and rotate the API key if the machine or config is exposed.
A user copying the fallback source-install commands might bypass a safety warning without fully reviewing the local source tree.
The optional source-install troubleshooting text could encourage users to override or work around scanner warnings, although the recommended path remains ClawHub installation.
security scanner blocks `--link` installs ... This is a false positive ... Remove scripts/ first ... openclaw plugins install ./ --force
Prefer the ClawHub install path; if installing from source, do not use `--force` unless you have reviewed the warning and the code.
The bot may continue receiving and processing Zulip events in the background while the channel is enabled.
The bridge is designed to keep monitoring Zulip and persist queue/deduplication metadata locally, which is expected for a channel plugin.
"Persistent Event Polling": Automatically resumes from where it left off using locally-persisted queue metadata. ... "Durable Deduplication"
Disable the Zulip channel or remove its credentials when you no longer want continuous monitoring.
