Plugin v2026.4.13

ClawScan security

Zulip · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 17, 2026, 9:02 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The package is a coherent Zulip channel plugin: its code, instructions, and runtime behavior match the stated purpose and request only Zulip credentials and local storage consistent with operating a chat bridge.
Guidance
This plugin appears to be what it claims: a Zulip channel bridge. Before installing, confirm you are comfortable providing a Zulip bot API key, bot email, and server URL (or configuring them through the onboarding wizard). The plugin persists a deduplication file and writes temporary media files to the agent data directory or the system tmp directory; if that is a concern, run it with limited filesystem permissions or on a dedicated host. The registry metadata lists no required environment variables even though SKILL.md and the code expect ZULIP_API_KEY, ZULIP_EMAIL and ZULIP_URL (and their aliases); supply only a bot account with the minimum privileges you intend to use (avoid an admin key unless admin actions are explicitly needed) and rotate the key if it is ever exposed. For extra assurance, review openclaw.plugin.json, test the plugin in a staging environment, and leave enableAdminActions disabled in the config unless you actually need administrative operations.

Review Dimensions

Purpose & Capability
ok · Name/description, SKILL.md, and the included code all implement a Zulip channel plugin (account management, queue monitoring, send/edit/delete messages, uploads, onboarding). Required capabilities and assets (Zulip API access, local persistence for queues/media) align with the stated purpose; no unrelated cloud credentials or unexpected services are requested.
Instruction Scope
note · SKILL.md's runtime instructions are scoped to installing and configuring a Zulip bot and point to setting ZULIP_API_KEY, ZULIP_EMAIL, and ZULIP_URL. The code makes network calls only to the Zulip server and reads/writes local files (persistent dedupe store, temporary media files), which is expected for a bridge but worth noting. There are no instructions to collect or transmit data to endpoints other than the Zulip API.
Install Mechanism
ok · No external download/install spec is included; the skill consists of its instructions plus bundled compiled/dist JS. All code ships inside the package; there are no installers that fetch third-party binaries or contact unknown URLs.
Credentials
note · SKILL.md and the code rely on Zulip credentials (ZULIP_API_KEY, ZULIP_EMAIL, ZULIP_URL) and also accept aliases (ZULIP_SITE, ZULIP_REALM). The registry metadata lists no required env vars; this is not dangerous but is an inconsistency to be aware of. The plugin reads/writes local files (dedupe store, temp media), which is proportionate to its function but means it will touch the agent's data directories.
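The Guidance and Credentials notes above boil down to three checks an operator can run before enabling the plugin: that the expected variables (including the URL aliases) are actually set and point at an https server, that the API key belongs to a bot rather than a human or admin account, and that enableAdminActions is off unless admin operations are wanted. The script below is an added example, not ClawHub's or the plugin's own code. It assumes the alias precedence ZULIP_URL, then ZULIP_SITE, then ZULIP_REALM, that enableAdminActions is a boolean in whatever config object you load, and that the identity check is fed the JSON body of Zulip's GET /api/v1/users/me (is_bot, is_admin, is_owner and role are documented fields of that response). All inputs are constructed so it runs offline.

```javascript
// Preflight for the Zulip channel plugin reviewed above (added example, not
// the plugin's code). Runs offline on constructed inputs; swap in process.env
// and a real /users/me response to use it for real.

// Env var names from the scan; the precedence among the URL aliases is assumed.
const URL_KEYS = ["ZULIP_URL", "ZULIP_SITE", "ZULIP_REALM"];

// Check the credential variables the plugin expects (registry metadata does not
// declare them, so nothing else will catch a missing one before first run).
function resolveZulipCredentials(env) {
  const findings = [];
  const urlKey = URL_KEYS.find((k) => env[k]);
  const url = urlKey ? env[urlKey] : undefined;
  const email = env.ZULIP_EMAIL;
  const apiKey = env.ZULIP_API_KEY;

  if (!url) findings.push(`missing: none of ${URL_KEYS.join("/")} is set`);
  else if (!/^https:\/\//i.test(url)) findings.push(`insecure: ${urlKey} must use https://`);

  if (!email) findings.push("missing: ZULIP_EMAIL");
  // Zulip generates bot addresses as <name>-bot@<realm-host>; a human-looking
  // address usually means someone's personal API key is being handed to the bridge.
  else if (!/-bot@/.test(email)) findings.push(`warn: ${email} does not look like a bot account`);

  if (!apiKey) findings.push("missing: ZULIP_API_KEY");
  return { url, email, apiKey, findings };
}

// Evaluate the JSON body of GET /api/v1/users/me for the configured key.
// Zulip roles: 100 owner, 200 administrator, 300 moderator, 400 member, 600 guest.
function assessBotIdentity(me, adminActionsEnabled) {
  const findings = [];
  if (!me.is_bot) findings.push("warn: API key belongs to a human user, not a bot");
  const privileged = Boolean(me.is_owner || me.is_admin || me.role <= 200);
  if (privileged && !adminActionsEnabled) {
    findings.push("warn: key has admin/owner rights but enableAdminActions is off; use a plain member bot");
  } else if (privileged && adminActionsEnabled) {
    findings.push("note: admin key with enableAdminActions on; confirm admin operations are really needed");
  }
  return findings;
}

// Combine the checks. `config` is whatever object holds the plugin's channel
// settings; only the enableAdminActions flag named in the scan is inspected.
function preflight(env, me, config = {}) {
  const adminActionsEnabled = config.enableAdminActions === true;
  const creds = resolveZulipCredentials(env);
  const findings = [...creds.findings];
  if (me) findings.push(...assessBotIdentity(me, adminActionsEnabled));
  if (adminActionsEnabled) findings.push("note: enableAdminActions is true in config");
  // Missing or insecure settings block the install; warnings are for the operator to judge.
  const ok = !findings.some((f) => f.startsWith("missing") || f.startsWith("insecure"));
  return { ok, findings };
}

// Constructed sample inputs (not captured from a real deployment).
const SAMPLE_ENV_BAD = {
  ZULIP_SITE: "http://chat.example.test",
  ZULIP_EMAIL: "alice@example.test",
  ZULIP_API_KEY: "constructed-key",
};
const SAMPLE_ME_ADMIN = { email: "alice@example.test", is_bot: false, is_admin: true, is_owner: false, role: 200 };

const SAMPLE_ENV_GOOD = {
  ZULIP_URL: "https://chat.example.test",
  ZULIP_EMAIL: "bridge-bot@chat.example.test",
  ZULIP_API_KEY: "constructed-key",
};
const SAMPLE_ME_BOT = { email: "bridge-bot@chat.example.test", is_bot: true, is_admin: false, is_owner: false, role: 400 };

console.log("bad :", preflight(SAMPLE_ENV_BAD, SAMPLE_ME_ADMIN, {}));
console.log("good:", preflight(SAMPLE_ENV_GOOD, SAMPLE_ME_BOT, {}));
```

The first sample trips every check at once (plain-http alias, a human address, an admin key with admin actions disabled) and is refused; the second, a member-role bot over https with admin actions left off, passes clean. Treat the warnings as review prompts rather than hard failures: a legitimately admin-enabled deployment will see the "note" lines and nothing else.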
Persistence & Privilege
ok · The skill persists state for dedupe and media files and can update its own channel configuration via the plugin SDK; it does not request 'always: true' or attempt to modify other skills or system-wide agent settings. These privileges are appropriate for a channel plugin.