Back to skill

Security audit

Openclaw Zulip Bridge

Security checks across malware telemetry and agentic risk

Overview

This is a real Zulip bridge, but it exposes high-impact delete and administration actions that deserve manual review before installation.

Install only if you intend to let OpenClaw act as a Zulip bot with message monitoring and posting authority. Use a least-privilege bot, keep enableAdminActions disabled unless explicitly needed, avoid admin credentials for routine use, and review who can trigger the bot before enabling stream-wide or open DM access.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The file exposes administrative capabilities well beyond a typical messaging/monitoring bridge, including user deactivation/reactivation and realm-wide configuration changes. In an agent skill context, this is dangerous because a caller expecting a chat bridge may unknowingly grant or trigger high-privilege actions that can disrupt accounts or alter server policy.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
uploadZulipFile reads a local path and transmits its contents to a remote Zulip server, while the safety comment delegates trust to callers rather than enforcing it. In an agent environment, if filePath can be influenced by prompts or untrusted inputs, this becomes a local file exfiltration primitive for sensitive files such as tokens, configs, or keys.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The documentation advertises message sending, real-time monitoring, presence checks, and administrative actions without warning that these functions can expose user data, modify server state, or trigger privacy-sensitive processing. In a communication-platform integration, omission of these risks increases the chance of unsafe deployment and misuse by users who do not realize the operational impact.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
Channel deletion is a destructive administrative action, and this handler performs it immediately once invoked without any built-in confirmation, dry-run, or extra intent verification. In an agent setting, ambiguous prompts, prompt injection, or accidental tool selection could cause irreversible disruption to communication channels.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
User deactivation is a sensitive account lifecycle action with immediate operational impact, and the code executes it without an additional confirmation barrier beyond admin checks. In an autonomous or semi-autonomous agent workflow, this raises the risk of accidental lockout or malicious prompt steering against legitimate users.

Missing User Warnings

Medium
Confidence
79% confidence
Finding
Organization settings changes can alter server-wide behavior, and this code applies updates directly without user-facing confirmation or staged review. Although the allowed settings are restricted to a safer subset, unintended changes can still disrupt notifications, branding, defaults, or retention behavior across the realm.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
Message deletion is destructive and potentially irreversible, yet the handler deletes immediately without confirmation or safeguards. In agent-driven contexts, accidental invocation or prompt injection could remove records, evidence, or important communications with little friction.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
This code uploads local file contents over the network without any built-in disclosure, consent, or confirmation mechanism. In a skill used by an autonomous agent, silent transfer of local data materially increases the risk of unintended data leakage and makes exfiltration harder for operators to detect.

Missing User Warnings

High
Confidence
90% confidence
Finding
User deactivation is a high-impact administrative action that can lock users out of the service, and this client provides a straightforward callable path to perform it. In the context of a broadly described bridge skill, exposing such an operation without strong gating, disclosure, or separation of duties substantially raises the risk of accidental or prompt-induced administrative abuse.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec, suspicious.exposed_secret_literal

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/check-bootstrap.js:27

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/check-package.js:49

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
src/onboarding.ts:115

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
test/accounts.test.ts:74