Trusted. Risk score: 5/100
Last scanned: 2 days ago
zulip-bridge
High-performance Zulip bridge skill for OpenClaw
Legitimate Zulip messaging bridge plugin with no malicious behavior, proper credential handling, and strong security controls including SSRF protection, path traversal mitigation, and local file exfiltration prevention.
Skill name: zulip-bridge
Analysis time: 53.8s
Engine: pi
Verdict: safe to install
This skill is safe to use. No security concerns identified.

Security findings: 1

Severity | Finding | Location
Low | Filesystem read access for config loading (sensitive access) | src/zulip/accounts.ts:84
The skill reads configuration from ~/.openclaw/openclaw.json. This is necessary for the core messaging functionality and is documented in SKILL.md.
Evidence: process.env.ZULIP_API_KEY?.trim()
→ No action needed. This is legitimate access for credential retrieval.
Note that the quoted evidence line is an environment-variable read, not the file read the finding text describes; no separate line is cited for the openclaw.json read. Both are the skill's credential sources, and the permissions table below accounts for each separately.
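How the environment-variable read cited above and the config-file read fit together, as an added example written for this page (it is not the plugin's own accounts.ts): ZULIP_* overrides apply only to the default account, which is the restriction the security highlights at the end of this report describe, values are trimmed as in the evidence line, and blank values count as unset. The ZulipAccountConfig field names, the https-only rule and the redact() helper are assumptions; the config object and env map are constructed inline so nothing touches ~/.openclaw/openclaw.json.

```typescript
// Added example, not the plugin's own code. The plugin resolves the default
// account from ~/.openclaw/openclaw.json plus ZULIP_URL / ZULIP_EMAIL /
// ZULIP_API_KEY; here the config object and the env map are passed in so the
// logic runs offline. Field names and the https-only rule are assumptions.

interface ZulipAccountConfig {
  url?: string;
  email?: string;
  apiKey?: string;
}

interface ResolvedAccount {
  id: string;
  url: string; // normalised to the realm origin, e.g. https://config.zulipchat.com
  email: string;
  apiKey: string;
}

type Env = Record<string, string | undefined>;

/** Mirror of `process.env.X?.trim()`: trim, and treat a blank value as unset. */
function nonEmpty(value: string | undefined): string | undefined {
  const trimmed = value?.trim();
  return trimmed ? trimmed : undefined;
}

function tryParseUrl(raw: string): URL | null {
  try {
    return new URL(raw);
  } catch {
    return null;
  }
}

/**
 * Resolve one account. ZULIP_* variables override the config values only for
 * the default account, so a key exported in the shell cannot silently take
 * over a second, separately configured account.
 */
function resolveAccount(
  id: string,
  isDefault: boolean,
  config: ZulipAccountConfig,
  env: Env,
): ResolvedAccount {
  const fromEnv = (name: string): string | undefined =>
    isDefault ? nonEmpty(env[name]) : undefined;

  const url = fromEnv("ZULIP_URL") ?? nonEmpty(config.url);
  const email = fromEnv("ZULIP_EMAIL") ?? nonEmpty(config.email);
  const apiKey = fromEnv("ZULIP_API_KEY") ?? nonEmpty(config.apiKey);

  if (!url || !email || !apiKey) {
    throw new Error(`account "${id}": url, email and apiKey are all required`);
  }
  const parsed = tryParseUrl(url);
  if (!parsed || parsed.protocol !== "https:") {
    throw new Error(`account "${id}": url must be an absolute https URL`);
  }
  return { id, url: parsed.origin, email, apiKey };
}

/** Log-safe view: the API key is never included, in full or in part. */
function redact(account: ResolvedAccount): Record<string, string> {
  return { id: account.id, url: account.url, email: account.email, apiKey: "[redacted]" };
}

// Constructed inputs for a stand-alone run (hosts reuse the scanner's test fixtures).
const sampleConfig: ZulipAccountConfig = {
  url: "https://config.zulipchat.com/",
  email: "bot@config.example",
  apiKey: "config-key-value",
};
const sampleEnv: Env = { ZULIP_URL: "https://env.zulipchat.com", ZULIP_API_KEY: "  env-key-value  " };

console.log(redact(resolveAccount("default", true, sampleConfig, sampleEnv)));
// default account: url and key come from the env, key trimmed
console.log(redact(resolveAccount("other", false, sampleConfig, sampleEnv)));
// non-default account: env ignored, url and key come from the config
```

The point worth checking in a real deployment is the second call: an exported ZULIP_API_KEY must not reach any account other than the default one, and the resolved object should only ever be logged through the redacted view.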
Resource type | Declared | Inferred | Status | Evidence
Network access | READ | READ | ✓ consistent | HTTP requests only to the configured Zulip server
Environment variables | READ | READ | ✓ consistent | Only reads ZULIP_API_KEY, ZULIP_EMAIL, ZULIP_URL (legitimate)
Filesystem | NONE | READ | ✓ consistent | Reads ~/.openclaw/openclaw.json; temp files for uploads (both documented and nec…
Command execution | NONE | NONE | | No subprocess/exec calls found
Skill invocation | NONE | NONE | | No skill invocation
Clipboard | NONE | NONE | | No clipboard access
Browser | NONE | NONE | | No browser access
Database | NONE | NONE | | No database access
Note that the filesystem row pairs a declared NONE with an inferred READ and is still marked consistent; the evidence column attributes this to the read being documented. A practitioner should treat the declared/inferred mismatch itself as the item to verify, not the status column.
Pattern findings: 15 (1 high, 14 medium)
Severity | Category | Matched text | Location
High | API key (suspected hardcoded credential) | apiKey: "other-config-api-key" | test/accounts.test.ts:74
Medium | External URL | https://chat.example.com | docs/config.md:14
Medium | External URL | https://staging.example.com | docs/config.md:142
Medium | External URL | https://chat.example.com. | src/config-ui-hints.ts:18
Medium | External URL | https://docs.openclaw.ai/channels/zulip | src/onboarding.ts:27
Medium | External URL | https://env.zulipchat.com | test/accounts.test.ts:20
Medium | External URL | https://config.zulipchat.com | test/accounts.test.ts:47
Medium | External URL | https://other.zulipchat.com | test/accounts.test.ts:76
Medium | External URL | https://zulip.example.com | test/client.test.ts:16
Medium | External URL | https://zulip.example.com/user_uploads/1/abc/test.png | test/path-traversal.test.ts:7
Medium | External URL | https://zulip.example.com/user_uploads/3/hash789/full.pdf | test/smoke.test.ts:14
Medium | External URL | https://zulip.example.com/user_uploads/1/abc-123/file.png | test/smoke.test.ts:20
Medium | External URL | https://zulip.example.com/user_uploads/2/xyz_456/another.jpg | test/smoke.test.ts:21
Medium | External URL | https://zulip.example.com/user_uploads/malformed/url | test/smoke.test.ts:23
Medium | External URL | https://zulip.example.com/user_uploads/1/too-short | test/smoke.test.ts:24
These are pattern matches, which is why they do not change the overall verdict: the one high finding is a string literal inside a test file, and every URL finding except the docs.openclaw.ai link in src/onboarding.ts is an example.com or zulipchat.com host in docs or tests (the src/config-ui-hints.ts match is the same chat.example.com placeholder used in docs/config.md). Before accepting the verdict, check that "other-config-api-key" is not referenced anywhere under src/ and that the only runtime network destination is the configured server, as the network row of the permissions table states.

Directory structure

46 files · 223.1 KB · 6956 lines
TypeScript: 34 files, 6178 lines · Markdown: 7 files, 602 lines · JSON: 4 files, 158 lines · JavaScript: 1 file, 18 lines
├─ 📁 docs
│ ├─ 📁 archive
│ │ ├─ 📝 zulip-bridge-audit.md Markdown 39L · 1.5 KB
│ │ └─ 📝 zulip-bridge-fix-plan.md Markdown 65L · 1.9 KB
│ ├─ 📝 config.md Markdown 154L · 6.4 KB
│ ├─ 📝 observability.md Markdown 62L · 3.2 KB
│ └─ 📝 smoke-test.md Markdown 83L · 3.8 KB
├─ 📁 src
│ ├─ 📁 zulip
│ │ ├─ 📜 accounts.ts TypeScript 170L · 5.6 KB
│ │ ├─ 📜 client.ts TypeScript 922L · 27.5 KB
│ │ ├─ 📜 dedupe-store.ts TypeScript 121L · 3.3 KB
│ │ ├─ 📜 monitor-helpers.ts TypeScript 224L · 6.2 KB
│ │ ├─ 📜 monitor.ts TypeScript 967L · 29.6 KB
│ │ ├─ 📜 policy.ts TypeScript 73L · 2.2 KB
│ │ ├─ 📜 probe.ts TypeScript 66L · 1.8 KB
│ │ ├─ 📜 queue-manager.ts TypeScript 191L · 5.6 KB
│ │ ├─ 📜 send.ts TypeScript 264L · 8.0 KB
│ │ └─ 📜 uploads.ts TypeScript 105L · 3.0 KB
│ ├─ 📜 actions.ts TypeScript 866L · 28.4 KB
│ ├─ 📜 channel.ts TypeScript 283L · 9.8 KB
│ ├─ 📜 config-schema.ts TypeScript 64L · 2.2 KB
│ ├─ 📜 config-ui-hints.ts TypeScript 68L · 2.4 KB
│ ├─ 📜 group-mentions.ts TypeScript 10L · 359 B
│ ├─ 📜 normalize.ts TypeScript 45L · 1.3 KB
│ ├─ 📜 onboarding-helpers.ts TypeScript 44L · 1.4 KB
│ ├─ 📜 onboarding.ts TypeScript 377L · 13.1 KB
│ ├─ 📜 runtime.ts TypeScript 14L · 325 B
│ ├─ 📜 setup-core.ts TypeScript 65L · 2.5 KB
│ ├─ 📜 setup-surface.ts TypeScript 155L · 5.5 KB
│ └─ 📜 types.ts TypeScript 72L · 2.8 KB
├─ 📁 test
│ ├─ 📜 accounts.test.ts TypeScript 88L · 2.8 KB
│ ├─ 📜 client.test.ts TypeScript 41L · 1.3 KB
│ ├─ 📜 dedupe-store.test.ts TypeScript 127L · 3.8 KB
│ ├─ 📜 monitor-regression.test.ts TypeScript 12L · 513 B
│ ├─ 📜 path-traversal.test.ts TypeScript 58L · 2.1 KB
│ ├─ 📜 policy.test.ts TypeScript 293L · 8.4 KB
│ ├─ 📜 queue-manager.test.ts TypeScript 134L · 3.3 KB
│ ├─ 📜 send-security.test.ts TypeScript 69L · 1.8 KB
│ └─ 📜 smoke.test.ts TypeScript 89L · 3.1 KB
├─ 📁 types
│ └─ 📜 openclaw-plugin-sdk.d.ts TypeScript 80L · 2.9 KB
├─ 📜 index.ts TypeScript 17L · 549 B
├─ 📋 openclaw.plugin.json JSON 64L · 1.6 KB
├─ 📋 package.json JSON 52L · 1.3 KB
├─ 📝 README.md Markdown 160L · 6.8 KB
├─ 📜 setup-entry.ts TypeScript 4L · 168 B
├─ 📝 SKILL.md Markdown 39L · 1.7 KB
├─ 📜 test-loader.js JavaScript 18L · 688 B
├─ 📋 tsconfig.build.json JSON 15L · 272 B
└─ 📋 tsconfig.json JSON 27L · 520 B

Dependency analysis: 2

Package | Version | Source | Known vulnerabilities | Notes
openclaw | >=2026.3.23 <2027 | peerDependency | (none listed) | Peer dependency, platform-provided
zod | indirect via overrides | npm | (none listed) | Override to prevent unused dependency bloat

Security highlights

✓ SSRF protection: upload downloads restricted to configured Zulip server origin (src/zulip/uploads.ts:100-101)
✓ Path traversal sanitization: Content-Disposition filenames sanitized with path.basename() (src/zulip/uploads.ts:70)
✓ Local file exfiltration prevention: mediaUrl rejects non-HTTP protocols with security warning logging (src/zulip/send.ts:146-150)
✓ Realm setting allowlist: Only safe settings like 'name', 'description' can be updated (src/actions.ts:36)
✓ String length validation: All user inputs capped at 10000 chars to prevent DoS
✓ No external network calls outside of the configured Zulip server
✓ No obfuscation, no base64-encoded payloads, no eval() calls
✓ Comprehensive security test suite including path-traversal and send-security tests
✓ Credential access limited to ZULIP_* prefixed env vars only for the default account
✓ Minimal dependencies with no untrusted external packages
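The first five highlights (same-origin restriction on upload downloads, path.basename() on Content-Disposition filenames, refusal of non-HTTP media URLs, the realm-setting allowlist and the 10000-character cap) can be seen end to end in the following TypeScript. It is an added example written for this page and not code from the zulip-bridge plugin: the function names, the contents of REALM_SETTING_ALLOWLIST, the https-only rule for the realm origin and the "upload" filename fallback are assumptions, and the inputs at the bottom are constructed (the URLs reuse the zulip.example.com fixtures from the scanner's test-file findings).

```typescript
import * as path from "node:path";

// Added example, not the plugin's code: the kinds of checks the highlights
// above describe, written so they can be run stand-alone. Function names, the
// allowlist contents, the https-only rule and the "upload" fallback are
// assumptions.

const MAX_INPUT_LENGTH = 10_000; // the 10000-char cap noted above
const REALM_SETTING_ALLOWLIST = new Set(["name", "description"]); // assumed contents

function tryParseUrl(raw: string): URL | null {
  try {
    return new URL(raw);
  } catch {
    return null;
  }
}

/**
 * SSRF guard for fetching user_uploads: the target must have exactly the
 * same origin (scheme, host, port) as the configured Zulip server. Comparing
 * the full origin rejects a scheme downgrade, a different port, and look-alike
 * hosts such as zulip.example.com.attacker.net.
 */
function isAllowedUploadUrl(candidate: string, serverUrl: string): boolean {
  const server = tryParseUrl(serverUrl);
  const target = tryParseUrl(candidate);
  if (!server || !target) return false;
  if (target.protocol !== "https:") return false; // assumption: realm is reached over TLS only
  return target.origin === server.origin;
}

/**
 * Path-traversal guard for Content-Disposition filenames. path.basename()
 * discards any directory part; backslashes are normalised first so that
 * Windows-style traversal is also stripped on a POSIX host, control characters
 * are removed, and a name that is empty or only dots falls back to "upload".
 */
function sanitizeFilename(raw: string): string {
  const normalized = raw.replace(/\\/g, "/");
  let name = path.posix.basename(normalized);
  name = name.replace(/[\u0000-\u001f\u007f]/g, "");
  if (/^\.*$/.test(name)) name = ""; // "", ".", ".." -> fallback
  return name.length > 0 ? name.slice(0, 255) : "upload";
}

/**
 * Local-file exfiltration guard for outbound media: only http(s) URLs may be
 * fetched and attached. file:, data:, ftp: and bare paths are refused with a
 * reason the caller can log as a security warning.
 */
function checkMediaUrl(raw: string): { ok: true; url: URL } | { ok: false; reason: string } {
  const parsed = tryParseUrl(raw);
  if (!parsed) return { ok: false, reason: `not an absolute URL: ${raw}` };
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
    return { ok: false, reason: `refused non-HTTP protocol ${parsed.protocol}` };
  }
  return { ok: true, url: parsed };
}

/** DoS guard: cap a user-supplied string at the configured maximum. */
function capLength(value: string, max: number = MAX_INPUT_LENGTH): string {
  return value.length > max ? value.slice(0, max) : value;
}

/** Realm-setting allowlist: keys outside the list are dropped, not forwarded. */
function filterRealmUpdate(update: Record<string, string>): Record<string, string> {
  const out: Record<string, string> = {};
  for (const [key, value] of Object.entries(update)) {
    if (REALM_SETTING_ALLOWLIST.has(key)) out[key] = capLength(value);
  }
  return out;
}

// Constructed inputs; the URLs reuse the zulip.example.com fixtures listed above.
const SERVER = "https://zulip.example.com";
console.log(isAllowedUploadUrl(`${SERVER}/user_uploads/1/abc/test.png`, SERVER)); // true
console.log(isAllowedUploadUrl("https://zulip.example.com.attacker.net/x", SERVER)); // false
console.log(sanitizeFilename("../../etc/passwd"), sanitizeFilename("..\\..\\evil.exe")); // passwd evil.exe
console.log(checkMediaUrl("file:///etc/passwd")); // { ok: false, reason: "refused non-HTTP protocol file:" }
console.log(filterRealmUpdate({ name: "Eng", emails_restricted_to_domains: "false" })); // { name: "Eng" }
```

Two of these deserve a second look when reviewing the real implementation: an origin comparison must include the port and scheme, not just the hostname, and basename() alone does not handle backslashes on POSIX, so a Windows-style traversal in a Content-Disposition header survives unless it is normalised first, as above.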