Openclaw Zulip Bridge
Pass
Audited by VirusTotal on May 10, 2026.
Overview
Type: OpenClaw Skill
Name: zulip-bridge
Version: 2026.4.13

The Zulip bridge skill is a well-engineered integration for the Zulip communication platform, demonstrating significant attention to security best practices. Key security controls include SSRF protection in `src/zulip/client.ts` by restricting protocols to HTTP/HTTPS, path traversal prevention in `src/zulip/uploads.ts` via basename sanitization, and explicit hardening against local file exfiltration in `src/zulip/send.ts` by rejecting non-HTTP media URLs. The codebase includes a robust test suite (e.g., `test/send-security.test.ts`, `test/path-traversal.test.ts`) specifically designed to verify these security boundaries. No evidence of malicious intent, data exfiltration, or unauthorized persistence was found.
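The three controls named above (HTTP/HTTPS-only API URLs, basename sanitization for uploads, and refusal of non-HTTP media URLs) are easy to get subtly wrong, so here they are as an added TypeScript example. This is not the skill's own code from `client.ts`, `uploads.ts` or `send.ts`; the function names, the `throws` helper and the upload directory are assumptions made for illustration.

```typescript
// Added example (not code from the zulip-bridge skill): the three request-
// hardening checks the review describes, as standalone TypeScript functions.
// Function names and the upload directory are assumptions made for illustration.
import * as path from "node:path";

// Only these schemes may be used for the Zulip API base URL or for media fetches.
const ALLOWED_PROTOCOLS: ReadonlySet<string> = new Set(["http:", "https:"]);

/** SSRF guard: parse the configured Zulip URL and refuse anything not HTTP(S). */
function validateApiBaseUrl(raw: string): URL {
  let url: URL;
  try {
    url = new URL(raw);
  } catch {
    throw new Error(`invalid Zulip URL: ${raw}`);
  }
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) {
    throw new Error(`refusing Zulip URL with scheme ${url.protocol}`);
  }
  return url;
}

/** Media guard: an attachment may only be fetched from a remote HTTP(S) URL, so
 *  file:, data:, javascript: and bare paths (which would read local files) are rejected. */
function isAllowedMediaUrl(raw: string): boolean {
  try {
    return ALLOWED_PROTOCOLS.has(new URL(raw).protocol);
  } catch {
    return false; // relative paths such as "/etc/passwd" do not parse as URLs
  }
}

/** Path-traversal guard: reduce a caller-supplied file name to its basename and
 *  confirm the resolved target still lies inside uploadDir. */
function safeUploadPath(uploadDir: string, requestedName: string): string {
  // Normalise backslashes so "..\\..\\x" cannot survive basename() on POSIX.
  const base = path.basename(requestedName.replace(/\\/g, "/"));
  if (base === "" || base === "." || base === "..") {
    throw new Error(`unsafe upload name: ${JSON.stringify(requestedName)}`);
  }
  const root = path.resolve(uploadDir);
  const target = path.resolve(root, base);
  // basename() already removed every directory component; this check is the
  // belt-and-braces confirmation that the result is under the upload root.
  if (!target.startsWith(root + path.sep)) {
    throw new Error(`upload path escapes ${root}`);
  }
  return target;
}

/** Small helper used by the checks below: true if fn throws. */
function throws(fn: () => unknown): boolean {
  try { fn(); return false; } catch { return true; }
}
```

The scheme allowlist is deliberately shared between the API client and the media fetcher: a `file:` or `data:` URL that slips past one path is the same local-file read that the other path is guarding against. Note that `basename()` alone does not reject `.` or `..`, which is why those two are handled explicitly before the containment check.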
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Less information is available for independently verifying that the package is the intended Zulip bridge.
The registry metadata does not provide a source or homepage, so users have less provenance information even though the README includes installation guidance.
Source: unknown
Homepage: none
Install from a trusted ClawHub entry or verify the repository/package source before using real Zulip credentials.
The skill can act as the configured Zulip bot account, so the bot account's permissions define what the agent can read or change.
The plugin is explicitly designed to read Zulip bot credentials from environment variables or configuration in order to authenticate to the Zulip API.
```json
"providerAuthEnvVars": {
  "zulip": [ "ZULIP_API_KEY", "ZULIP_EMAIL", "ZULIP_URL", "ZULIP_SITE", "ZULIP_REALM" ]
}
```

Use a dedicated low-privilege Zulip bot, prefer environment variables over plaintext config, rotate keys if exposed, and avoid granting admin privileges unless needed.
If enabled or invoked incorrectly, the agent could send messages, change streams, invite users, alter reactions, or perform admin-level Zulip changes.
The skill exposes mutating Zulip actions, including administrative actions when explicitly enabled; this matches the stated purpose but can affect workspace content and users.
- **Stream Management**: Create, edit, and list Zulip streams.
- **User Actions**: Invite users to streams and check user presence.
- **Reactions**: Add or remove emoji reactions to messages.
...
- **Admin Actions**: Actions like deactivating users require `enableAdminActions: true` in the configuration.
Keep `enableAdminActions` off unless required, review high-impact actions before approving them, and scope the bot account to only the streams and permissions it needs.
If this option is enabled, commands or events from Zulip may be able to change OpenClaw configuration and alter future bot behavior.
The configuration includes an option for Zulip-originated configuration changes. The provided artifacts do not show it enabled by default, but the scope of supported changes is not fully described in the main user-facing instructions.
```ts
configWrites: {
  label: "Zulip Config Writes",
  help: "Allow Zulip-originated config changes from supported commands/events.",
}
```

Leave config writes disabled unless you understand the supported commands, and pair it with strict sender allowlists and audit/review practices.
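The two recommendations above (keep `enableAdminActions` off and review high-impact actions; keep config writes off and pair them with a sender allowlist) amount to one authorization gate that every Zulip-originated request passes through before the bot acts. The following is an added TypeScript example of such a gate, not the skill's own code: the `ActionKind` values, the `BridgePolicy` shape, the `authorize` function and the e-mail in the baseline policy are all assumptions for illustration.

```typescript
// Added example, not the skill's own code: one authorization gate for
// Zulip-originated requests, modelled on the review's advice to keep
// enableAdminActions and configWrites off, allowlist senders, and review
// high-impact actions before executing them. All names here are assumptions.

type ActionKind = "message" | "reaction" | "presence" | "stream" | "invite" | "admin" | "config-write";

interface BridgePolicy {
  enableAdminActions: boolean;          // e.g. deactivating users
  configWrites: boolean;                // Zulip-originated OpenClaw config changes
  allowedSenders: ReadonlySet<string>;  // lower-cased Zulip e-mails that may trigger mutations
}

interface ActionRequest {
  kind: ActionKind;
  sender: string;  // Zulip e-mail of the account that issued the command
}

interface Decision {
  allowed: boolean;
  needsReview: boolean;  // true for allowed-but-high-impact actions
  reason: string;
}

// Actions that change who sees what, or who is in the realm, get a human look.
const HIGH_IMPACT: ReadonlySet<ActionKind> = new Set<ActionKind>(["stream", "invite"]);

function authorize(policy: BridgePolicy, req: ActionRequest): Decision {
  const deny = (reason: string): Decision => ({ allowed: false, needsReview: false, reason });

  // Allowlist first: an unknown sender gets nothing, regardless of the action.
  if (!policy.allowedSenders.has(req.sender.trim().toLowerCase())) {
    return deny(`sender ${req.sender} is not allowlisted`);
  }
  switch (req.kind) {
    case "admin":
      if (!policy.enableAdminActions) return deny("enableAdminActions is off");
      return { allowed: true, needsReview: true, reason: "admin action explicitly enabled" };
    case "config-write":
      if (!policy.configWrites) return deny("configWrites is off");
      return { allowed: true, needsReview: true, reason: "config write explicitly enabled" };
    default: {
      const high = HIGH_IMPACT.has(req.kind);
      return {
        allowed: true,
        needsReview: high,
        reason: high ? "high-impact action, review before executing" : "ordinary bot action",
      };
    }
  }
}

// Recommended baseline: both dangerous options off, a single operator allowlisted.
const defaultPolicy: BridgePolicy = {
  enableAdminActions: false,
  configWrites: false,
  allowedSenders: new Set(["ops-bot-owner@example.com"]),
};
```

The ordering matters: the allowlist check runs before any flag is consulted, so turning `enableAdminActions` on still does nothing for a sender who is not listed, and an enabled admin or config-write action comes back flagged `needsReview` rather than silently executable.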
The bot can continue monitoring Zulip messages across restarts until the channel or account is disabled.
The bridge intentionally keeps polling Zulip and stores local queue/deduplication state so it can resume processing.
- **Persistent Event Polling**: Automatically resumes from where it left off using locally-persisted queue metadata.
- **Durable Deduplication**: Built-in persistent deduplication store to prevent duplicate message processing.
Limit monitored streams, keep mention/allowlist policies restrictive, and disable the Zulip channel when continuous monitoring is no longer wanted.
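To make concrete what "resumes from where it left off" and "durable deduplication" mean for a bridge like this, here is an added TypeScript example of the two pieces of state involved: a polling cursor (last consumed event id) and a bounded set of already-processed message ids, both serialised to a snapshot that a real bridge would write to disk. This is not the skill's own queue or deduplication code; the event shape, the `BridgeState` class and the constructed sample events are assumptions.

```typescript
// Added example, not the zulip-bridge skill's code: persisting a polling cursor
// and a deduplication window so a restart neither replays nor drops messages.
// The event shape and all names below are assumptions for illustration.

interface ZulipEvent { id: number; message_id: number; content: string }

interface PersistedState {
  lastEventId: number;       // queue cursor: resume polling after this event id
  seenMessageIds: number[];  // bounded dedup window, oldest first
}

class BridgeState {
  private lastEventId: number;
  private readonly seen: Set<number>;
  private readonly order: number[];

  constructor(private readonly maxSeen: number, restored?: PersistedState) {
    this.lastEventId = restored?.lastEventId ?? -1;
    this.order = restored ? [...restored.seenMessageIds] : [];
    this.seen = new Set(this.order);
  }

  get cursor(): number { return this.lastEventId; }

  /** Returns true exactly once per message_id; advances the cursor either way. */
  accept(ev: ZulipEvent): boolean {
    if (ev.id > this.lastEventId) this.lastEventId = ev.id;
    if (this.seen.has(ev.message_id)) return false;
    this.seen.add(ev.message_id);
    this.order.push(ev.message_id);
    while (this.order.length > this.maxSeen) {      // evict oldest, keep the store bounded
      const evicted = this.order.shift();
      if (evicted !== undefined) this.seen.delete(evicted);
    }
    return true;
  }

  /** What a real bridge would write to its local state file after each batch. */
  serialize(): string {
    const snapshot: PersistedState = { lastEventId: this.lastEventId, seenMessageIds: this.order };
    return JSON.stringify(snapshot);
  }

  static restore(maxSeen: number, json: string): BridgeState {
    return new BridgeState(maxSeen, JSON.parse(json) as PersistedState);
  }
}

/** Delivers only new, unseen events; anything at or before the cursor was consumed before a restart. */
function processBatch(state: BridgeState, events: ZulipEvent[]): ZulipEvent[] {
  const delivered: ZulipEvent[] = [];
  for (const ev of events) {
    if (ev.id <= state.cursor) continue;
    if (state.accept(ev)) delivered.push(ev);
  }
  return delivered;
}

/** Walks one restart cycle on constructed sample events and returns what was delivered each run. */
function simulateRestart(): { firstRun: number[]; secondRun: number[] } {
  // Constructed sample: event 3 re-delivers message 101 under a new event id.
  const batch1: ZulipEvent[] = [
    { id: 1, message_id: 100, content: "deploy?" },
    { id: 2, message_id: 101, content: "yes" },
    { id: 3, message_id: 101, content: "yes" },
  ];
  const before = new BridgeState(1000);
  const firstRun = processBatch(before, batch1).map(e => e.message_id);
  const snapshot = before.serialize();

  // After a restart the poller re-fetches from the cursor; the server replays
  // events 2 and 3, sends a new message 102, and re-sends message 100 as event 5.
  const after = BridgeState.restore(1000, snapshot);
  const batch2: ZulipEvent[] = [
    { id: 2, message_id: 101, content: "yes" },
    { id: 3, message_id: 101, content: "yes" },
    { id: 4, message_id: 102, content: "done" },
    { id: 5, message_id: 100, content: "deploy?" },
  ];
  const secondRun = processBatch(after, batch2).map(e => e.message_id);
  return { firstRun, secondRun };
}
```

The cursor and the dedup set guard different failure modes: the cursor skips events the bridge already consumed before it went down, while the dedup set catches a message the server re-emits under a fresh event id, which the cursor alone would let through. Either piece of state surviving a restart is what makes the monitoring persistent, which is why the only clean way to stop it is to disable the channel rather than to restart the process.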
