@openclaw/bluebubbles — Greenflagged

OpenClaw BlueBubbles channel plugin

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

steipetevincentkoc

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	publisher-changed	AI (provenance): Package publishes via GitHub Actions CI/CD with SLSA attestation; automated publisher is expected and stable.	ai	2026/05/09
maintainer-change	maintainer-added	AI (maintainer-change): Active development project; maintainer addition alongside CI/CD pipeline setup is a normal team expansion pattern.	ai	2026/05/09
semgrep	semgrep:etc-passwd-access	AI (semgrep): Appears in a test asserting the code rejects /etc/passwd paths — security validation, not credential harvesting.	ai	2026/05/01
semgrep	semgrep:shady-links-raw-ip	AI (semgrep): Raw IPs are private/local addresses used as test fixtures in test files, not production network calls.	ai	2026/05/01

Versions (showing 23 of 23)

Version	Deps	Published
2026.5.7	0 / 2	2026-05-07
2026.5.6	0 / 2	2026-05-06
2026.5.5	0 / 2	2026-05-06
2026.5.4	0 / 2	2026-05-05
2026.5.3	0 / 2	2026-05-04
2026.5.2	0 / 2	2026-05-02
2026.3.13	1 / 0	2026-03-14
2026.3.12	1 / 0	2026-03-13
2026.3.11	1 / 0	2026-03-12
2026.3.10	1 / 0	2026-03-12
2026.3.7	1 / 0	2026-03-08
2026.3.2	0 / 0	2026-03-03
2026.3.1	0 / 0	2026-03-02
2026.2.25	0 / 0	2026-02-26
2026.2.24	0 / 0	2026-02-25
2026.2.23	0 / 1	2026-02-24
2026.2.22	0 / 1	2026-02-22
2026.2.21	0 / 1	2026-02-21
2026.2.19	0 / 1	2026-02-19
2026.2.17	0 / 1	2026-02-18
2026.2.15	0 / 1	2026-02-16
2026.2.14	0 / 1	2026-02-15
2026.2.13	0 / 1	2026-02-14

v2026.5.7

2 findings

HIGH Publisher changed: steipete → GitHub Actions (on 2026-05-07) provenance

This version was published by a different npm account than previous versions on 2026-05-07. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2026.5.6

2 findings

HIGH Publisher changed: steipete → GitHub Actions (on 2026-05-06) provenance

This version was published by a different npm account than previous versions on 2026-05-06. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2026.5.5

2 findings

HIGH Publisher changed: steipete → GitHub Actions (on 2026-05-06) provenance

This version was published by a different npm account than previous versions on 2026-05-06. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2026.5.4

2 findings

HIGH Publisher changed: steipete → GitHub Actions (on 2026-05-05) provenance

This version was published by a different npm account than previous versions on 2026-05-05. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2026.5.3

2 findings

HIGH Publisher changed: steipete → GitHub Actions (on 2026-05-04) provenance

This version was published by a different npm account than previous versions on 2026-05-04. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2026.5.2

2 findings

HIGH Publisher changed: steipete → GitHub Actions (on 2026-05-02) provenance

This version was published by a different npm account than previous versions on 2026-05-02. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2026.3.13

2 findings

HIGH etc-passwd-access: src/media-send.test.ts:164 semgrep

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux 162 | cfg: createConfig(), 163 | to: "chat:123", > 164 | mediaPath: "/etc/passwd", 165 | }), 166 | ).rejects.toThrow(/mediaLocalRoots/i);