Openclaw Bluebubbles 2026.5.7.Tgz

Security checks across malware telemetry and agentic risk

Overview

Prompt-injection indicators were detected in the submitted artifacts (system-prompt-override); human review is required before treating this skill as clean.

Install this only if you want OpenClaw to act as a BlueBubbles/iMessage channel. Before enabling it, protect the BlueBubbles password, restrict allowed senders and group policies, disable unneeded actions, and review catchup/private-network settings. ClawScan detected prompt-injection indicators (system-prompt-override), so this skill requires review even though the model response was benign.

VirusTotal

62/62 vendors flagged this plugin as clean.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI02: Tool Misuse and Exploitation
Medium
What this means

If configured and allowed by channel policy, the agent may edit or unsend messages, upload attachments, or change group chat membership through BlueBubbles.

Why it was flagged

The plugin exposes mutating messaging and group-management actions, and they default to enabled when the action config is omitted.

Skill content
edit: z.boolean().default(true), unsend: z.boolean().default(true), ... addParticipant: z.boolean().default(true), removeParticipant: z.boolean().default(true), leaveGroup: z.boolean().default(true), sendAttachment: z.boolean().default(true)
Recommendation

Disable actions you do not need, especially group-management and unsend/edit actions, and restrict allowed senders/groups.

ASI02: Tool Misuse and Exploitation
Low
What this means

Enabling this option lets the plugin contact private-network addresses for the BlueBubbles server.

Why it was flagged

The plugin can be configured to reach private/internal network BlueBubbles servers, but the artifact labels this as an explicit dangerous opt-in.

Skill content
Dangerous opt-in for same-host or trusted private/internal BlueBubbles deployments. dangerouslyAllowPrivateNetwork: z.boolean().optional()
Recommendation

Only enable private-network access for a trusted BlueBubbles server URL you control.

ASI03: Identity and Privilege Abuse
Medium
What this means

Whoever controls this configuration can let OpenClaw access the BlueBubbles bridge and act on the linked messaging account.

Why it was flagged

The plugin needs a BlueBubbles server password to authenticate to the messaging bridge.

Skill content
serverUrl: z.string().optional(), password: buildSecretInputSchema().optional() ... "password is required when serverUrl is configured"
Recommendation

Store the password as a secret, use the least-exposed BlueBubbles server URL possible, and rotate the password if the configuration is shared.

ASI07: Insecure Inter-Agent Communication
Medium
What this means

Incoming message content from BlueBubbles can become agent context and may trigger replies or actions according to your channel policy.

Why it was flagged

Inbound BlueBubbles webhook messages are passed into the agent reply pipeline.

Skill content
BlueBubbles posts JSON to the gateway HTTP server ... Route into core reply pipeline via the plugin runtime
Recommendation

Configure webhook authentication/path carefully and keep allow-from, DM, and group policies limited to trusted senders.

ASI08: Cascading Failures
Low
What this means

After a restart or outage, the agent may process recent missed messages rather than only new live messages.

Why it was flagged

Catchup processing is enabled by default and can replay queued BlueBubbles messages through the normal processing pipeline after downtime.

Skill content
Replay messages delivered while the gateway was unreachable. Defaults to on.
Recommendation

Tune or disable catchup if you do not want queued messages processed after downtime.