📦 OpenClaw
v0.1.0OpenClaw 的 Zulip channel 插件,支持话题线程、元数据数据库、机器人命令和事件队列处理。需连接 O… 时请从源码安装。
0· 0·0 当前·0 累计
by 下载技能包
最后更新
2026/4/26
安全扫描
OpenClaw
可疑
medium confidence插件的代码和运行时指令与 Zulip channel adapter 一致,但元数据和打包存在不一致(缺少声明的环境依赖、包含意外依赖的庞大 lockfile、以及本地数据库文件写入),安装前需审查。
评估建议
What to check before installing:
- Confirm the source repository (https://github.com/kagura-agent/openclaw-zulip) is the expected upstream and review recent commits/maintainer identity. The SKILL.md and package manifest point to that repo.
- Verify and supply only a Zulip bot account with limited permissions. The plugin needs the bot email and API key — prefer a bot with narrowly scoped permissions and rotate the key if possible.
- The plugin stores metadata in ~/.openclaw/data/zulip-metadata.sq...详细分析 ▾
ℹ 用途与能力
The code, README, and SKILL.md all implement a Zulip channel plugin (topic threading, metadata DB, bot commands, event queue). That functionality aligns with the skill name/description. However the top-level registry metadata in the provided listing claims no required environment variables or credentials, while the bundle includes openclaw.plugin.json that declares channelEnvVars (ZULIP_REALM, ZULIP_EMAIL, ZULIP_API_KEY) and the SKILL.md and code expect a Zulip API key/realm/email. This mismatch between registry metadata and the package manifest is inconsistent and worth verifying.
ℹ 指令范围
SKILL.md gives straightforward install/config instructions (git clone, add plugin to openclaw.json, add Zulip account config, restart gateway, run tests). The runtime code operates within the expected scope: polling Zulip events, normalizing events, dispatching to OpenClaw runtime, handling /meta commands, and storing metadata in a local SQLite DB. Two items to be aware of: (1) the plugin writes a SQLite DB to the user's home (~/.openclaw/data/zulip-metadata.sqlite), which SKILL.md does not explicitly call out, and (2) the code will long-poll and run continuously for active accounts (expected for a gateway). There are no instructions to read unrelated system files or exfiltrate data to unexpected endpoints beyond the Zulip realm and the declared GitHub repo.
ℹ 安装机制
There is no formal install spec in the skill bundle; SKILL.md describes cloning the GitHub repo and running npm install/test. The repository provided contains a full package-lock.json and many source files. The lockfile contains a large dependency graph (including many AWS-related and other packages) which increases install footprint — this may be explained by transitive deps from the openclaw dev dependency but should be verified. No downloads from obscure single-use URLs or extractor/install-from-arbitrary-archive behavior were observed. Overall install risk is moderate only because of the unexpectedly large dependency surface in package-lock; prefer to run npm install in a controlled environment and audit dependencies.
ℹ 凭证需求
The plugin legitimately needs Zulip credentials (realm, bot email, apiKey). Those are declared in openclaw.plugin.json and used by the code and SKILL.md. The top-level 'Requirements' summary in the input (which said 'none') is inconsistent with these declarations. I did not find any requests for unrelated credentials or environment variables (no AWS keys or other cloud credentials are requested by the code). Be aware the runtime will accept secrets either via config or environment variables (and includes secret-contract hooks), so verify how your OpenClaw installation will store/provide the bot API key.
✓ 持久化与权限
The skill does not request always:true or other elevated platform privileges. It will run as a normal channel plugin (can be started/stopped by OpenClaw) and writes a local SQLite file at ~/.openclaw/data/zulip-metadata.sqlite for metadata persistence — this is within scope for a metadata DB but is persistent filesystem access in the user's home directory and should be noted by operators.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv0.1.02026/4/26
首次发布
● 无害
安装命令
点击复制官方npx clawhub@latest install openclaw-zulip
镜像加速npx clawhub@latest install openclaw-zulip --registry https://cn.longxiaskill.com镜像同步中