← Back to Skills Marketplace

Openclaw Zulip Bridge

Name: Openclaw Zulip Bridge
Author: niyazmft

by niyazmft · GitHub ↗ · v2026.4.13 · MIT-0

cross-platform ⚠ suspicious

329

Downloads

Stars

Active Installs

Versions

Install in OpenClaw

/install zulip-bridge

Description

💬 High-performance Zulip bridge skill. Enables messaging, stream monitoring, and administrative actions on Zulip servers.

Usage Guidance

This package appears to be a genuine Zulip channel plugin, but the registry listing and the repo disagree about how it is delivered and what it requires. Before installing or supplying secrets: 1) Confirm the publisher identity and source (the 'Source' and 'Homepage' are listed as unknown/none). 2) Prefer using environment variables (ZULIP_API_KEY, ZULIP_EMAIL, ZULIP_URL) rather than storing credentials in openclaw.json; the code explicitly warns about plaintext storage. 3) Verify how the plugin will be installed (ClawHub vs local link). If installing from this bundle, inspect the built artifacts (dist/) that will be installed — the package expects built files that are not shown in the top-level registry metadata. 4) If you need stronger assurance, ask the publisher for a canonical repo or release (e.g., GitHub release) and/or request a signed release or checksum. Because of the metadata vs source mismatch, treat this skill as suspicious until you confirm its provenance and how credentials will be handled.

Capability Analysis

Type: OpenClaw Skill Name: zulip-bridge Version: 2026.4.13 The Zulip bridge skill is a well-engineered integration for the Zulip communication platform, demonstrating significant attention to security best practices. Key security controls include SSRF protection in `src/zulip/client.ts` by restricting protocols to HTTP/HTTPS, path traversal prevention in `src/zulip/uploads.ts` via basename sanitization, and explicit hardening against local file exfiltration in `src/zulip/send.ts` by rejecting non-HTTP media URLs. The codebase includes a robust test suite (e.g., `test/send-security.test.ts`, `test/path-traversal.test.ts`) specifically designed to verify these security boundaries. No evidence of malicious intent, data exfiltration, or unauthorized persistence was found.

Capability Tags

cryptorequires-sensitive-credentials

Capability Assessment

⚠ Purpose & Capability

The SKILL.md and README describe a Zulip bridge (sending messages, monitoring streams, admin actions) which legitimately needs Zulip credentials. However the registry metadata at the top lists no required environment variables or install steps while the packaged openclaw.plugin.json and README explicitly reference ZULIP_API_KEY, ZULIP_EMAIL, ZULIP_URL and providerAuthEnvVars. The skill is therefore mislabeled as 'instruction-only' in the registry view while the source contains a full channel plugin—this inconsistency raises questions about what the skill will actually request or attempt to install at runtime.

ℹ Instruction Scope

SKILL.md instructs the agent to use the Zulip plugin and to ensure credentials are configured in ~/.openclaw/openclaw.json or via environment variables; those instructions are consistent with a Zulip bridge. The SKILL.md does not instruct reading unrelated system files. It does recommend storing credentials in env vars (preferred) and warns about storing plaintext in config files, which is appropriate guidance.

⚠ Install Mechanism

Registry metadata claims 'no install spec / instruction-only', but the repo contains a full Node plugin (openclaw.plugin.json, package.json, build/test scripts, src/). There is no remote download URL; installs appear to be local or via ClawHub. The presence of build and packaging scripts (which call execSync) increases potential actions during build/install—this is expected for a plugin but contradicts the 'instruction-only' label in the registry.

ℹ Credentials

The plugin manifest and README declare only Zulip-related credentials (ZULIP_API_KEY, ZULIP_EMAIL, ZULIP_URL, plus aliases) and include securityExemptions for those env vars. Those credentials are proportionate to a Zulip bridge. The initial registry summary (which listed no required env vars) is inconsistent with the manifest and README; confirm which view is authoritative before supplying secrets.

✓ Persistence & Privilege

The skill does not request always: true and is user-invocable with normal autonomous invocation allowed. It does not appear to modify other skills or require system-wide privileges. The manifest's securityExemptions allow reading the Zulip env vars (expected for a channel plugin).

How to Use

Make sure OpenClaw is installed (local or Docker)
Run the install command in chat: /install zulip-bridge
After installation, invoke the skill by name or use /zulip-bridge
Provide required inputs per the skill's parameter spec and get structured output

Version History

v2026.4.13

Consolidated release v2026.4.13. Includes security hardening (URL encoding for API injection prevention #152), performance optimization (batch disk I/O for event polling #151), and SKILL.md version sync.

v2026.4.12

Synced with performance and security release v2026.4.12.

v2026.4.11

Synced with clean release v2026.4.11.

v2026.4.10

Synced with clean release v2026.4.10.

v2026.4.9

Synced with architectural overhaul v2026.4.9.

v2026.4.8

Synced.

v2026.4.7

Synced with plugin v2026.4.7: setup wizard now handles API key/email/site URL flow correctly.

v2026.4.6

Synced with plugin v2026.4.6.

v2026.4.5

Synced with plugin v2026.4.5.

v2026.4.4

Synced.

v2026.4.3

Synced with plugin v2026.4.3.

v2026.4.2

Synced with plugin v2026.4.2.

v2026.4.1

Version parity with plugin v2026.4.1.

v2026.3.31

Finalized release with full branding sync.

v2026.3.30

- Updated the skill description emoji from 🦞 to 💬 for improved clarity. - No functional or documentation changes beyond the updated emoji.

v2026.3.29

zulip-bridge 2026.3.29 - Initial public release of the high-performance Zulip bridge skill. - Enables messaging to Zulip streams, topics, and direct messages. - Provides stream management (create, edit, list) and user invitation features. - Supports emoji reactions, presence checks, and real-time message monitoring with deduplication. - Requires the OpenClaw Zulip plugin and supports admin actions with proper configuration. - Includes streamlined usage guide and clear contextual workflows.

Metadata

Slug zulip-bridge

Version 2026.4.13

License MIT-0

All-time Installs 0

Active Installs 0

Total Versions 16

Frequently Asked Questions

What is Openclaw Zulip Bridge?

💬 High-performance Zulip bridge skill. Enables messaging, stream monitoring, and administrative actions on Zulip servers. It is an AI Agent Skill for Claude Code / OpenClaw, with 329 downloads so far.

How do I install Openclaw Zulip Bridge?

Run "/install zulip-bridge" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Openclaw Zulip Bridge free?

Yes, Openclaw Zulip Bridge is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Openclaw Zulip Bridge support?

Openclaw Zulip Bridge is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Openclaw Zulip Bridge?

It is built and maintained by niyazmft (@niyazmft); the current version is v2026.4.13.

More Skills