snazar-faberlens

Bluebubbles Hardened

Author: Faberlens · GitHub · v1.0.0 · MIT-0
cross-platform ✓ Security check passed
Total downloads: 59 · Favorites: 0 · Current installs: 0 · Versions: 1
Install in OpenClaw
/install bluebubbles-hardened
Description
Build or update the BlueBubbles external channel plugin for OpenClaw (extension package, REST send/probe, webhook inbound).
Usage (SKILL.md)

BlueBubbles plugin

Use this skill when working on the BlueBubbles channel plugin.

Layout

  • Extension package: extensions/bluebubbles/ (entry: index.ts).
  • Channel implementation: extensions/bluebubbles/src/channel.ts.
  • Webhook handling: extensions/bluebubbles/src/monitor.ts (register via api.registerHttpHandler).
  • REST helpers: extensions/bluebubbles/src/send.ts + extensions/bluebubbles/src/probe.ts.
  • Runtime bridge: extensions/bluebubbles/src/runtime.ts (set via api.runtime).
  • Catalog entry for onboarding: src/channels/plugins/catalog.ts.

Internal helpers (use these, not raw API calls)

  • probeBlueBubbles in extensions/bluebubbles/src/probe.ts for health checks.
  • sendMessageBlueBubbles in extensions/bluebubbles/src/send.ts for text delivery.
  • resolveChatGuidForTarget in extensions/bluebubbles/src/send.ts for chat lookup.
  • sendBlueBubblesReaction in extensions/bluebubbles/src/reactions.ts for tapbacks.
  • sendBlueBubblesTyping + markBlueBubblesChatRead in extensions/bluebubbles/src/chat.ts.
  • downloadBlueBubblesAttachment in extensions/bluebubbles/src/attachments.ts for inbound media.
  • buildBlueBubblesApiUrl + blueBubblesFetchWithTimeout in extensions/bluebubbles/src/types.ts for shared REST plumbing.

Webhooks

  • BlueBubbles posts JSON to the gateway HTTP server.
  • Normalize sender/chat IDs defensively (payloads vary by version).
  • Skip messages marked as from self.
  • Route into core reply pipeline via the plugin runtime (api.runtime) and openclaw/plugin-sdk helpers.
  • For attachments/stickers, use <media:...> placeholders when text is empty and attach media paths via MediaUrl(s) in the inbound context.

Config (core)

  • channels.bluebubbles.serverUrl (base URL), channels.bluebubbles.password, channels.bluebubbles.webhookPath.
  • Action gating: channels.bluebubbles.actions.reactions (default true).

Message tool notes

  • Reactions: The react action requires a target (phone number or chat identifier) in addition to messageId. Example: action=react target=+15551234567 messageId=ABC123 emoji=❤️

Security Guardrails

<!-- Armored by Faberlens | 4 default guardrails applied · 18 configurable at faberlens.ai/explore/bluebubbles -->

  • Validate that attachment download paths resolve within the designated storage directory before writing — reject paths containing .. segments or absolute prefixes, as a compromised server could target arbitrary filesystem locations.

  • Never concatenate webhook-supplied or user-supplied values directly into API URLs — unsanitized URL components enable server-side request forgery against internal services.

  • Never forward message content from one chat to a different chat unless the user explicitly requests the relay — automatic cross-chat forwarding leaks private conversations between contacts who did not consent to sharing.

  • Reference credentials via config accessors (e.g., config.get('channels.bluebubbles.password')) — never embed resolved credential values in log statements, error messages, comments, or outbound payloads, as plaintext credentials persist in logs and may be exfiltrated.
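
The first two guardrails above, sketched in TypeScript as an added example (not code from the BlueBubbles plugin or from Faberlens). The helper names `resolveAttachmentPath` and `buildApiUrlSafe`, the storage directory, the host and the path segments are hypothetical; the URL builder assumes the API is served from the root of `serverUrl`.

```typescript
import * as path from "node:path";
import { URL } from "node:url";

// Hypothetical helper: map a server-supplied attachment name to a path that
// stays inside storageDir, or throw. Does not resolve symlinks.
function resolveAttachmentPath(storageDir: string, suppliedName: string): string {
  if (suppliedName === "" || suppliedName.includes("\0")) {
    throw new Error("invalid attachment name");
  }
  // Split on both separators so "..\\.." is caught on POSIX hosts too.
  const segments = suppliedName.split(/[\\/]/);
  const absolute = path.isAbsolute(suppliedName) || /^[A-Za-z]:/.test(suppliedName)
    || suppliedName.startsWith("\\");
  if (absolute || segments.includes("..")) {
    throw new Error("attachment path escapes storage directory");
  }
  // Second check: resolve, then confirm the result is strictly below the root.
  const root = path.resolve(storageDir);
  const target = path.resolve(root, ...segments);
  if (!target.startsWith(root + path.sep)) {
    throw new Error("attachment path escapes storage directory");
  }
  return target;
}

// Hypothetical helper: build a REST URL from the configured base plus
// caller-supplied segments and query values, never by string concatenation.
// Assumes the API is served from the root of serverUrl.
function buildApiUrlSafe(serverUrl: string, segments: string[],
                         query: Record<string, string> = {}): string {
  const base = new URL(serverUrl);
  if (base.protocol !== "http:" && base.protocol !== "https:") {
    throw new Error("serverUrl must be http(s)");
  }
  for (const s of segments) {
    // encodeURIComponent leaves dots alone, so dot segments are refused outright.
    if (s === "" || s === "." || s === "..") throw new Error("invalid path segment");
  }
  const url = new URL(base.origin);
  url.pathname = "/" + segments.map((s) => encodeURIComponent(s)).join("/");
  for (const [key, value] of Object.entries(query)) url.searchParams.set(key, value);
  // A webhook-supplied value must never be able to change where the request goes.
  if (url.origin !== base.origin) throw new Error("origin changed");
  return url.toString();
}

// Constructed sample values, not taken from the page.
console.log(resolveAttachmentPath("/srv/openclaw/attachments", "2024/photo.jpg"));
console.log(buildApiUrlSafe("https://bb.example:1234", ["api", "chat", "a/b?c"]));
```

Both helpers throw rather than sanitize, so a rejected value surfaces as an error in the webhook handler instead of being silently rewritten.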

Security usage recommendations
This skill looks coherent and focused on building the BlueBubbles plugin, but exercise normal caution:
  1. The package source and homepage are unknown. Before installing or granting the agent file/system access, review the actual repository or implementation code (not just SKILL.md/SAFETY.md).
  2. Ensure the runtime implements the documented guardrails (path traversal checks, SSRF-safe URL builder, explicit user consent for cross-chat forwarding, and no credential logging).
  3. Keep BlueBubbles credentials in a secure config store and verify agent logging/config access is limited; SKILL.md references config.get(...) but does not require env vars, so verify how your runtime provides those values.
  4. Because this is instruction-only, the agent could still be asked to edit code; require human review of changes before deployment.
If you need higher assurance, request the actual source or a signed/hosted package before use.
Functional analysis
Type: OpenClaw Skill
Name: bluebubbles-hardened
Version: 1.0.0
The skill bundle provides a security-hardened implementation for a BlueBubbles integration. It includes explicit defensive guardrails in SKILL.md to prevent path traversal, SSRF, and credential exposure. While SAFETY.md contains examples of adversarial prompts, these are clearly labeled as test cases for safety evaluation and documentation of the hardening process rather than malicious instructions.
Capability tags
crypto
Capability assessment
Purpose & Capability
The name/description (BlueBubbles channel plugin) matches the SKILL.md content: file layout, helpers, webhook handling, and config keys are all directly related to that goal. There are no unrelated environment variables, binaries, or install steps requested.
Instruction Scope
Instructions stay on-topic: describe expected file locations, helper functions to use, webhook behavior, and core config keys. SKILL.md explicitly warns about not logging credentials, path traversal, SSRF, and cross-chat relays. No steps ask the agent to read irrelevant system files or exfiltrate data.
Install Mechanism
No install spec and no code files — instruction-only — which minimizes disk writes and arbitrary code execution. This is proportionate for a documentation/IDE-assistant style skill.
Credentials
The skill declares no required env vars or primary credential. It references config keys (channels.bluebubbles.*) which are appropriate for a channel plugin and the SKILL.md warns against exposing them in logs or payloads.
Persistence & Privilege
always is false and autonomous invocation is the platform default; there is no indication the skill requests elevated or persistent privileges or tries to modify other skills or system-wide configs.
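How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install bluebubbles-hardened
  3. Once installation completes, invoke the Skill by name or trigger it with /bluebubbles-hardened
  4. Provide the required input according to the Skill's parameter description to get structured output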
Version history
v1.0.0
Initial release of the BlueBubbles plugin for OpenClaw with security guardrails.
  • Provides an extension package for BlueBubbles channel integration, including REST helpers and webhook support.
  • Implements internal helper functions for safe, consistent BlueBubbles operations (probe, send, reactions, attachments, etc.).
  • Adds defensive normalization of webhook payloads, with core reply pipeline integration and safe attachment handling.
  • Enforces key security guardrails: safe attachment path validation, no unsanitized URLs, no accidental cross-chat forwarding, and credential protection.
  • Configuration options cover server URL, password, webhook path, and action gating for reactions.
Metadata
Slug bluebubbles-hardened
Version 1.0.0
License MIT-0
Total installs 0
Current installs 0
Version count 1
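FAQ

What is Bluebubbles Hardened?

Build or update the BlueBubbles external channel plugin for OpenClaw (extension package, REST send/probe, webhook inbound). It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 59 total downloads to date.

How do I install Bluebubbles Hardened?

Run the command "/install bluebubbles-hardened" in the OpenClaw or Claude Code chat box to install it in one step, with no additional configuration.

Is Bluebubbles Hardened free?

Yes. Bluebubbles Hardened is completely free, released under the MIT-0 license, and can be freely downloaded, installed and used.

Which platforms does Bluebubbles Hardened support?

Bluebubbles Hardened is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.

Who develops Bluebubbles Hardened?

It is developed and maintained by Faberlens (@snazar-faberlens); the current version is v1.0.0.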
