snazar-faberlens

Bluebubbles Hardened

by Faberlens · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ✓ Security Clean
59 Downloads · 0 Stars · 0 Active Installs · 1 Version
Install in OpenClaw
/install bluebubbles-hardened
Description
Build or update the BlueBubbles external channel plugin for OpenClaw (extension package, REST send/probe, webhook inbound).
README (SKILL.md)

BlueBubbles plugin

Use this skill when working on the BlueBubbles channel plugin.

Layout

  • Extension package: extensions/bluebubbles/ (entry: index.ts).
  • Channel implementation: extensions/bluebubbles/src/channel.ts.
  • Webhook handling: extensions/bluebubbles/src/monitor.ts (register via api.registerHttpHandler).
  • REST helpers: extensions/bluebubbles/src/send.ts + extensions/bluebubbles/src/probe.ts.
  • Runtime bridge: extensions/bluebubbles/src/runtime.ts (set via api.runtime).
  • Catalog entry for onboarding: src/channels/plugins/catalog.ts.

Internal helpers (use these, not raw API calls)

  • probeBlueBubbles in extensions/bluebubbles/src/probe.ts for health checks.
  • sendMessageBlueBubbles in extensions/bluebubbles/src/send.ts for text delivery.
  • resolveChatGuidForTarget in extensions/bluebubbles/src/send.ts for chat lookup.
  • sendBlueBubblesReaction in extensions/bluebubbles/src/reactions.ts for tapbacks.
  • sendBlueBubblesTyping + markBlueBubblesChatRead in extensions/bluebubbles/src/chat.ts.
  • downloadBlueBubblesAttachment in extensions/bluebubbles/src/attachments.ts for inbound media.
  • buildBlueBubblesApiUrl + blueBubblesFetchWithTimeout in extensions/bluebubbles/src/types.ts for shared REST plumbing.

Webhooks

  • BlueBubbles posts JSON to the gateway HTTP server.
  • Normalize sender/chat IDs defensively (payloads vary by version).
  • Skip messages marked as from self.
  • Route into core reply pipeline via the plugin runtime (api.runtime) and openclaw/plugin-sdk helpers.
  • For attachments/stickers, use <media:...> placeholders when text is empty and attach media paths via MediaUrl(s) in the inbound context.

Config (core)

  • channels.bluebubbles.serverUrl (base URL), channels.bluebubbles.password, channels.bluebubbles.webhookPath.
  • Action gating: channels.bluebubbles.actions.reactions (default true).

Message tool notes

  • Reactions: The react action requires a target (phone number or chat identifier) in addition to messageId. Example: action=react target=+15551234567 messageId=ABC123 emoji=❤️

Security Guardrails

<!-- Armored by Faberlens | 4 default guardrails applied · 18 configurable at faberlens.ai/explore/bluebubbles -->

  • Validate that attachment download paths resolve within the designated storage directory before writing — reject paths containing .. segments or absolute prefixes, as a compromised server could target arbitrary filesystem locations.

  • Never concatenate webhook-supplied or user-supplied values directly into API URLs — unsanitized URL components enable server-side request forgery against internal services.

  • Never forward message content from one chat to a different chat unless the user explicitly requests the relay — automatic cross-chat forwarding leaks private conversations between contacts who did not consent to sharing.

  • Reference credentials via config accessors (e.g., config.get('channels.bluebubbles.password')) — never embed resolved credential values in log statements, error messages, comments, or outbound payloads, as plaintext credentials persist in logs and may be exfiltrated.
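
The first two guardrails as an added example, not code from the skill or the plugin: a containment check for server-supplied attachment names and a URL builder that only accepts untrusted values as percent-encoded path segments. `resolveAttachmentPath` and `buildApiUrlSafe` are hypothetical names, and any directory, host or segment passed to them here is a constructed sample value.

```typescript
import * as path from "node:path";

// Hypothetical helper, not the plugin's code: map a server-supplied attachment
// name onto a path inside storageDir, or throw.
function resolveAttachmentPath(storageDir: string, supplied: string): string {
  if (supplied === "" || supplied.includes("\0")) {
    throw new Error("empty name or NUL byte rejected");
  }
  if (path.posix.isAbsolute(supplied) || path.win32.isAbsolute(supplied)) {
    throw new Error("absolute path rejected");
  }
  // Split on both separators so "..\\x" is caught on POSIX hosts too.
  const segments = supplied.split(/[\\/]+/);
  if (segments.includes("..")) throw new Error("'..' segment rejected");
  const root = path.resolve(storageDir);
  const target = path.resolve(root, ...segments);
  // Containment check on the resolved result, independent of the checks above.
  const rel = path.relative(root, target);
  if (rel === "" || rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel)) {
    throw new Error("path escapes storage directory");
  }
  return target;
}

// Hypothetical builder: the origin comes only from configuration; each untrusted
// value becomes exactly one percent-encoded path segment.
function buildApiUrlSafe(serverUrl: string, segments: string[]): string {
  const base = new URL(serverUrl);
  if (base.protocol !== "http:" && base.protocol !== "https:") {
    throw new Error("unsupported scheme in configured server URL");
  }
  const encoded = segments.map((s) => {
    // encodeURIComponent leaves dots alone, so dot segments are rejected explicitly.
    if (s === "" || s === "." || s === "..") throw new Error("invalid path segment");
    return encodeURIComponent(s);
  });
  const prefix = base.pathname.replace(/\/+$/, "");
  const url = new URL(prefix + "/" + encoded.join("/"), base.origin);
  // A configured base path starting with "//" would otherwise be parsed as a new host.
  if (url.origin !== base.origin) throw new Error("origin changed during URL construction");
  return url.toString();
}
```

`path.resolve` is purely lexical, so a storage directory that can contain symlinks also needs a `realpath` comparison before writing.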

Usage Guidance
This skill looks coherent and focused on building the BlueBubbles plugin, but exercise normal caution:
  1. The package source and homepage are unknown — before installing or granting the agent file/system access, review the actual repository or implementation code (not just SKILL.md/SAFETY.md).
  2. Ensure the runtime implements the documented guardrails (path traversal checks, SSRF-safe URL builder, explicit user consent for cross-chat forwarding, and no credential logging).
  3. Keep BlueBubbles credentials in a secure config store and verify agent logging/config access is limited; SKILL.md references config.get(...) but does not require env vars — verify how your runtime provides those values.
  4. Because this is instruction-only, the agent could still be asked to edit code; require human review of changes before deployment.
If you need higher assurance, request the actual source or a signed/hosted package before use.
Capability Analysis
Type: OpenClaw Skill
Name: bluebubbles-hardened
Version: 1.0.0
The skill bundle provides a security-hardened implementation for a BlueBubbles integration. It includes explicit defensive guardrails in SKILL.md to prevent path traversal, SSRF, and credential exposure. While SAFETY.md contains examples of adversarial prompts, these are clearly labeled as test cases for safety evaluation and documentation of the hardening process rather than malicious instructions.
Capability Tags
crypto
Capability Assessment
Purpose & Capability
The name/description (BlueBubbles channel plugin) matches the SKILL.md content: file layout, helpers, webhook handling, and config keys are all directly related to that goal. There are no unrelated environment variables, binaries, or install steps requested.
Instruction Scope
Instructions stay on-topic: describe expected file locations, helper functions to use, webhook behavior, and core config keys. SKILL.md explicitly warns about not logging credentials, path traversal, SSRF, and cross-chat relays. No steps ask the agent to read irrelevant system files or exfiltrate data.
Install Mechanism
No install spec and no code files — instruction-only — which minimizes disk writes and arbitrary code execution. This is proportionate for a documentation/IDE-assistant style skill.
Credentials
The skill declares no required env vars or primary credential. It references config keys (channels.bluebubbles.*) which are appropriate for a channel plugin and the SKILL.md warns against exposing them in logs or payloads.
Persistence & Privilege
always is false and autonomous invocation is the platform default; there is no indication the skill requests elevated or persistent privileges or tries to modify other skills or system-wide configs.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install bluebubbles-hardened
  3. After installation, invoke the skill by name or use /bluebubbles-hardened
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of the BlueBubbles plugin for OpenClaw with security guardrails.
  • Provides an extension package for BlueBubbles channel integration, including REST helpers and webhook support.
  • Implements internal helper functions for safe, consistent BlueBubbles operations (probe, send, reactions, attachments, etc.).
  • Adds defensive normalization of webhook payloads, with core reply pipeline integration and safe attachment handling.
  • Enforces key security guardrails: safe attachment path validation, no unsanitized URLs, no accidental cross-chat forwarding, and credential protection.
  • Configuration options cover server URL, password, webhook path, and action gating for reactions.
Metadata
Slug bluebubbles-hardened
Version 1.0.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is Bluebubbles Hardened?

Bluebubbles Hardened is a skill for building or updating the BlueBubbles external channel plugin for OpenClaw (extension package, REST send/probe, webhook inbound). It is an AI Agent Skill for Claude Code / OpenClaw, with 59 downloads so far.

How do I install Bluebubbles Hardened?

Run "/install bluebubbles-hardened" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Bluebubbles Hardened free?

Yes, Bluebubbles Hardened is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Bluebubbles Hardened support?

Bluebubbles Hardened is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Bluebubbles Hardened?

It is built and maintained by Faberlens (@snazar-faberlens); the current version is v1.0.0.
