← 返回 Skills 市场
niyazmft

Openclaw Zulip Bridge

作者 niyazmft · GitHub ↗ · v2026.4.13 · MIT-0
cross-platform ⚠ suspicious
329
总下载
0
收藏
0
当前安装
16
版本数
在 OpenClaw 中安装
/install zulip-bridge
功能描述
💬 High-performance Zulip bridge skill. Enables messaging, stream monitoring, and administrative actions on Zulip servers.
安全使用建议
This package appears to be a genuine Zulip channel plugin, but the registry listing and the repo disagree about how it is delivered and what it requires. Before installing or supplying secrets: 1) Confirm the publisher identity and source (the 'Source' and 'Homepage' are listed as unknown/none). 2) Prefer using environment variables (ZULIP_API_KEY, ZULIP_EMAIL, ZULIP_URL) rather than storing credentials in openclaw.json; the code explicitly warns about plaintext storage. 3) Verify how the plugin will be installed (ClawHub vs local link). If installing from this bundle, inspect the built artifacts (dist/) that will be installed — the package expects built files that are not shown in the top-level registry metadata. 4) If you need stronger assurance, ask the publisher for a canonical repo or release (e.g., GitHub release) and/or request a signed release or checksum. Because of the metadata vs source mismatch, treat this skill as suspicious until you confirm its provenance and how credentials will be handled.
功能分析
Type: OpenClaw Skill Name: zulip-bridge Version: 2026.4.13 The Zulip bridge skill is a well-engineered integration for the Zulip communication platform, demonstrating significant attention to security best practices. Key security controls include SSRF protection in `src/zulip/client.ts` by restricting protocols to HTTP/HTTPS, path traversal prevention in `src/zulip/uploads.ts` via basename sanitization, and explicit hardening against local file exfiltration in `src/zulip/send.ts` by rejecting non-HTTP media URLs. The codebase includes a robust test suite (e.g., `test/send-security.test.ts`, `test/path-traversal.test.ts`) specifically designed to verify these security boundaries. No evidence of malicious intent, data exfiltration, or unauthorized persistence was found.
能力标签
cryptorequires-sensitive-credentials
能力评估
Purpose & Capability
The SKILL.md and README describe a Zulip bridge (sending messages, monitoring streams, admin actions) which legitimately needs Zulip credentials. However the registry metadata at the top lists no required environment variables or install steps while the packaged openclaw.plugin.json and README explicitly reference ZULIP_API_KEY, ZULIP_EMAIL, ZULIP_URL and providerAuthEnvVars. The skill is therefore mislabeled as 'instruction-only' in the registry view while the source contains a full channel plugin—this inconsistency raises questions about what the skill will actually request or attempt to install at runtime.
Instruction Scope
SKILL.md instructs the agent to use the Zulip plugin and to ensure credentials are configured in ~/.openclaw/openclaw.json or via environment variables; those instructions are consistent with a Zulip bridge. The SKILL.md does not instruct reading unrelated system files. It does recommend storing credentials in env vars (preferred) and warns about storing plaintext in config files, which is appropriate guidance.
Install Mechanism
Registry metadata claims 'no install spec / instruction-only', but the repo contains a full Node plugin (openclaw.plugin.json, package.json, build/test scripts, src/). There is no remote download URL; installs appear to be local or via ClawHub. The presence of build and packaging scripts (which call execSync) increases potential actions during build/install—this is expected for a plugin but contradicts the 'instruction-only' label in the registry.
Credentials
The plugin manifest and README declare only Zulip-related credentials (ZULIP_API_KEY, ZULIP_EMAIL, ZULIP_URL, plus aliases) and include securityExemptions for those env vars. Those credentials are proportionate to a Zulip bridge. The initial registry summary (which listed no required env vars) is inconsistent with the manifest and README; confirm which view is authoritative before supplying secrets.
Persistence & Privilege
The skill does not request always: true and is user-invocable with normal autonomous invocation allowed. It does not appear to modify other skills or require system-wide privileges. The manifest's securityExemptions allow reading the Zulip env vars (expected for a channel plugin).
如何使用
  1. 确保已安装 OpenClaw(本地或 Docker 部署)
  2. 在对话框中输入安装命令:/install zulip-bridge
  3. 安装完成后,直接呼叫该 Skill 的名称或使用 /zulip-bridge 触发
  4. 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v2026.4.13
Consolidated release v2026.4.13. Includes security hardening (URL encoding for API injection prevention #152), performance optimization (batch disk I/O for event polling #151), and SKILL.md version sync.
v2026.4.12
Synced with performance and security release v2026.4.12.
v2026.4.11
Synced with clean release v2026.4.11.
v2026.4.10
Synced with clean release v2026.4.10.
v2026.4.9
Synced with architectural overhaul v2026.4.9.
v2026.4.8
Synced.
v2026.4.7
Synced with plugin v2026.4.7: setup wizard now handles API key/email/site URL flow correctly.
v2026.4.6
Synced with plugin v2026.4.6.
v2026.4.5
Synced with plugin v2026.4.5.
v2026.4.4
Synced.
v2026.4.3
Synced with plugin v2026.4.3.
v2026.4.2
Synced with plugin v2026.4.2.
v2026.4.1
Version parity with plugin v2026.4.1.
v2026.3.31
Finalized release with full branding sync.
v2026.3.30
- Updated the skill description emoji from 🦞 to 💬 for improved clarity. - No functional or documentation changes beyond the updated emoji.
v2026.3.29
zulip-bridge 2026.3.29 - Initial public release of the high-performance Zulip bridge skill. - Enables messaging to Zulip streams, topics, and direct messages. - Provides stream management (create, edit, list) and user invitation features. - Supports emoji reactions, presence checks, and real-time message monitoring with deduplication. - Requires the OpenClaw Zulip plugin and supports admin actions with proper configuration. - Includes streamlined usage guide and clear contextual workflows.
元数据
Slug zulip-bridge
版本 2026.4.13
许可证 MIT-0
累计安装 0
当前安装数 0
历史版本数 16
常见问题

Openclaw Zulip Bridge 是什么?

💬 High-performance Zulip bridge skill. Enables messaging, stream monitoring, and administrative actions on Zulip servers. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 329 次。

如何安装 Openclaw Zulip Bridge?

在 OpenClaw 或 Claude Code 对话框中运行命令「/install zulip-bridge」即可一键安装,无需额外配置。

Openclaw Zulip Bridge 是免费的吗?

是的,Openclaw Zulip Bridge 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。

Openclaw Zulip Bridge 支持哪些平台?

Openclaw Zulip Bridge 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。

谁开发了 Openclaw Zulip Bridge?

由 niyazmft(@niyazmft)开发并维护,当前版本 v2026.4.13。

推荐 Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 留言讨论