Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Zulip

v1.0.2

Interact with Zulip chat platform via REST API and Python client. Use when you need to read messages from streams/topics, send messages to channels or users,...

0· 718·4 current·4 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description match the included helper script and reference docs. The script uses the official zulip.Client and implements listing streams, reading/sending messages, and listing users — all aligned with the stated purpose.
Instruction Scope
SKILL.md confines runtime actions to installing the zulip Python package, creating the standard ~/.config/zulip/zuliprc config with a Zulip API key, and invoking the included script or the zulip client directly. It does not instruct reading unrelated files or exfiltrating data to external endpoints beyond the Zulip site configured by the user.
Install Mechanism
There is no formal install spec (instruction-only), and the README tells users to pip install zulip. The skill includes a Python script (which will be present on disk when the skill is installed). This is reasonable for a client helper, but users should ensure they install the official 'zulip' package from PyPI and inspect the included script before running.
Credentials
The registry metadata declares no required env vars or primary credential, but the instructions legitimately require a local zuliprc file containing an email, API key, and site URL. Requesting a Zulip API key is proportionate to the stated functionality; however, the skill will need access to that local config file (containing credentials).
Persistence & Privilege
The skill is not forced-always, does not request elevated agent privileges, and does not modify other skill/system configurations. Autonomous invocation is allowed (platform default) but not coupled with any additional privileged access in this package.
Assessment
This skill appears to do what it claims: it wraps the official Zulip Python client. Before installing or running:
1) confirm you obtained the 'zulip' PyPI package from the official source and verify its integrity;
2) inspect the included script (scripts/zulip_client.py) yourself — it is small and readable;
3) create the ~/.config/zulip/zuliprc file securely and limit its file permissions (it contains an API key);
4) only supply a bot account/API key with the minimal permissions needed; and
5) if you do not trust the skill publisher (no homepage/source listed), consider running it in a restricted environment or container, and revoke the API key if you detect unexpected behavior.


latest: vk979brh72dak4e7qsk5p25f0a5819wbd

