Scan Report
5 /100
zulip-bridge
High-performance Zulip bridge skill for OpenClaw
Legitimate Zulip messaging bridge plugin with no malicious behavior, proper credential handling, and strong security controls including SSRF protection, path traversal mitigation, and local file exfiltration prevention.
Safe to install
This skill is safe to use. No security concerns identified.
Findings (1 item)
| Severity | Finding | Location |
|---|---|---|
| Low | Filesystem read access for config loading (Sensitive Access) | src/zulip/accounts.ts:84 |
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Network | READ | READ | ✓ Aligned | HTTP requests only to configured Zulip server |
| Environment | READ | READ | ✓ Aligned | Only reads ZULIP_API_KEY, ZULIP_EMAIL, ZULIP_URL (legitimate) |
| Filesystem | NONE | READ | ✓ Aligned | Reads ~/.openclaw/openclaw.json; temp files for uploads (both documented and nec… |
| Shell | NONE | NONE | — | No subprocess/exec calls found |
| Skill Invoke | NONE | NONE | — | No skill invocation |
| Clipboard | NONE | NONE | — | No clipboard access |
| Browser | NONE | NONE | — | No browser access |
| Database | NONE | NONE | — | No database access |
15 findings (1 High)

| Severity | Type | Description | Value | Location |
|---|---|---|---|---|
| High | API Key | Suspected hard-coded credential | `apiKey: "other-config-api-key"` | test/accounts.test.ts:74 |
| Medium | External URL | External URL | https://chat.example.com | docs/config.md:14 |
| Medium | External URL | External URL | https://staging.example.com | docs/config.md:142 |
| Medium | External URL | External URL | https://chat.example.com. | src/config-ui-hints.ts:18 |
| Medium | External URL | External URL | https://docs.openclaw.ai/channels/zulip | src/onboarding.ts:27 |
| Medium | External URL | External URL | https://env.zulipchat.com | test/accounts.test.ts:20 |
| Medium | External URL | External URL | https://config.zulipchat.com | test/accounts.test.ts:47 |
| Medium | External URL | External URL | https://other.zulipchat.com | test/accounts.test.ts:76 |
| Medium | External URL | External URL | https://zulip.example.com | test/client.test.ts:16 |
| Medium | External URL | External URL | https://zulip.example.com/user_uploads/1/abc/test.png | test/path-traversal.test.ts:7 |
| Medium | External URL | External URL | https://zulip.example.com/user_uploads/3/hash789/full.pdf | test/smoke.test.ts:14 |
| Medium | External URL | External URL | https://zulip.example.com/user_uploads/1/abc-123/file.png | test/smoke.test.ts:20 |
| Medium | External URL | External URL | https://zulip.example.com/user_uploads/2/xyz_456/another.jpg | test/smoke.test.ts:21 |
| Medium | External URL | External URL | https://zulip.example.com/user_uploads/malformed/url | test/smoke.test.ts:23 |
| Medium | External URL | External URL | https://zulip.example.com/user_uploads/1/too-short | test/smoke.test.ts:24 |

File Tree
46 files · 223.1 KB · 6956 lines

| Language | Files | Lines |
|---|---|---|
| TypeScript | 34 | 6178 |
| Markdown | 7 | 602 |
| JSON | 4 | 158 |
| JavaScript | 1 | 18 |

```
├─ docs/
│  ├─ archive/
│  │  ├─ zulip-bridge-audit.md
│  │  └─ zulip-bridge-fix-plan.md
│  ├─ config.md
│  ├─ observability.md
│  └─ smoke-test.md
├─ src/
│  ├─ zulip/
│  │  ├─ accounts.ts
│  │  ├─ client.ts
│  │  ├─ dedupe-store.ts
│  │  ├─ monitor-helpers.ts
│  │  ├─ monitor.ts
│  │  ├─ policy.ts
│  │  ├─ probe.ts
│  │  ├─ queue-manager.ts
│  │  ├─ send.ts
│  │  └─ uploads.ts
│  ├─ actions.ts
│  ├─ channel.ts
│  ├─ config-schema.ts
│  ├─ config-ui-hints.ts
│  ├─ group-mentions.ts
│  ├─ normalize.ts
│  ├─ onboarding-helpers.ts
│  ├─ onboarding.ts
│  ├─ runtime.ts
│  ├─ setup-core.ts
│  ├─ setup-surface.ts
│  └─ types.ts
├─ test/
│  ├─ accounts.test.ts
│  ├─ client.test.ts
│  ├─ dedupe-store.test.ts
│  ├─ monitor-regression.test.ts
│  ├─ path-traversal.test.ts
│  ├─ policy.test.ts
│  ├─ queue-manager.test.ts
│  ├─ send-security.test.ts
│  └─ smoke.test.ts
├─ types/
│  └─ openclaw-plugin-sdk.d.ts
├─ index.ts
├─ openclaw.plugin.json
├─ package.json
├─ README.md
├─ setup-entry.ts
├─ SKILL.md
├─ test-loader.js
├─ tsconfig.build.json
└─ tsconfig.json
```
Dependencies (2 items)

| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| openclaw | >=2026.3.23 <2027 | peerDependency | No | Peer dependency, platform-provided |
| zod | indirect via overrides | npm | No | Override to prevent unused dependency bloat |
Security Positives
✓ SSRF protection: upload downloads restricted to configured Zulip server origin (src/zulip/uploads.ts:100-101)
✓ Path traversal sanitization: Content-Disposition filenames sanitized with path.basename() (src/zulip/uploads.ts:70)
✓ Local file exfiltration prevention: mediaUrl rejects non-HTTP protocols with security warning logging (src/zulip/send.ts:146-150)
✓ Realm setting allowlist: Only safe settings like 'name', 'description' can be updated (src/actions.ts:36)
✓ String length validation: All user inputs capped at 10000 chars to prevent DoS
✓ No external network calls outside of the configured Zulip server
✓ No obfuscation, no base64-encoded payloads, no eval() calls
✓ Comprehensive security test suite including path-traversal and send-security tests
✓ Credential access limited to ZULIP_* prefixed env vars only for the default account
✓ Minimal dependencies with no untrusted external packages