npm - openclaw-quiubo - Versions diffs - 2.6.25 → 2.6.28 - Mend

openclaw-quiubo 2.6.25 → 2.6.28

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/README.md +17 -0
package/dist/index.js +37 -9
package/dist/index.js.map +2 -2
package/dist/src/realtime-gateway.d.ts +2 -0
package/dist/src/realtime-gateway.d.ts.map +1 -1
package/openclaw.plugin.json +1 -1
package/package.json +1 -1

package/README.md CHANGED Viewed

@@ -323,6 +323,23 @@ src/
 | OpenClaw | `sendOpenclawResponse()` |
 | Webhooks | `configureWebhook()` |
+## Known Security Scanner Warnings
+When installing, OpenClaw's plugin scanner may flag two patterns. Both are false positives:
+- **"Shell command execution detected (child_process)"** — From `pusher-js`'s bundled XMLHttpRequest polyfill. This sync code path is never executed by the plugin.
+- **"Environment variable access combined with network send"** — The plugin reads `process.env.HOME` to locate `~/.openclaw/cron/` for persisting cursors and keys. No credentials flow through environment variables.
+To suppress the auto-load warning, add the plugin to your allowlist in `~/.openclaw/openclaw.json`:
+```json
+{
+  "plugins": {
+    "allow": ["openclaw-quiubo"]
+  }
+}
+```
 ## License
 MIT

package/dist/index.js CHANGED Viewed

@@ -12882,7 +12882,8 @@ var RealtimeGateway = class {
             senderIdentityId: data.senderId,
             senderUsername: data.senderUsername,
             plaintext: data.plaintext,
-            createdAt: data.createdAt
+            createdAt: data.createdAt,
+            ...data.attachments?.length ? { attachments: data.attachments } : {}
           })).catch((err) => {
             log.error?.(`Failed to route Pusher message ${data.messageId}: ${err}`);
           });
@@ -12912,7 +12913,8 @@ var RealtimeGateway = class {
                   senderIdentityId: data.senderId,
                   senderUsername: data.senderUsername,
                   plaintext,
-                  createdAt: data.createdAt
+                  createdAt: data.createdAt,
+                  ...data.attachments?.length ? { attachments: data.attachments } : {}
                 }));
               } catch (decErr) {
                 log.error?.(`[e2ee:pusher] Decryption failed for message ${data.messageId} in group ${data.groupId}: ${decErr}`);
@@ -12968,7 +12970,8 @@ var RealtimeGateway = class {
         groupId,
         senderIdentityId: msg.senderIdentityId,
         plaintext: msg.plaintext,
-        createdAt: msg.createdAt
+        createdAt: msg.createdAt,
+        ...msg.attachments?.length ? { attachments: msg.attachments } : {}
       });
     } catch (error) {
       this.log.error?.(`Failed to fetch message ${messageId}:`, error);
@@ -13156,7 +13159,8 @@ var RealtimeGateway = class {
             groupId,
             senderIdentityId: msg.senderIdentityId,
             plaintext,
-            createdAt: msg.createdAt
+            createdAt: msg.createdAt,
+            ...msg.attachments?.length ? { attachments: msg.attachments } : {}
           });
         } catch (error) {
           this.log.error?.(`Failed to handle message ${msg.id}:`, error);
@@ -14228,8 +14232,29 @@ async function routeInboundMessage(opts) {
   const imageAttachments = (msg.attachments ?? []).filter(
     (att) => att.storageUrl && att.mimeType?.startsWith("image/")
   );
-  const mediaUrls = imageAttachments.map((att) => att.storageUrl);
-  const mediaTypes = imageAttachments.map((att) => att.mimeType);
+  const mediaPaths = [];
+  const mediaTypes = [];
+  if (imageAttachments.length > 0) {
+    const mediaDir = join2(process.env.HOME ?? process.env.USERPROFILE ?? "", ".openclaw", "media", "inbound");
+    await mkdir2(mediaDir, { recursive: true });
+    for (const att of imageAttachments) {
+      try {
+        const resp = await fetch(att.storageUrl);
+        if (!resp.ok) {
+          log?.warn?.(`[${accountId}] Failed to download attachment ${att.filename}: ${resp.status}`);
+          continue;
+        }
+        const buffer = Buffer.from(await resp.arrayBuffer());
+        const ext = att.filename?.split(".").pop() || "png";
+        const localPath = join2(mediaDir, `${msg.messageId}-${mediaPaths.length}.${ext}`);
+        await writeFile2(localPath, buffer);
+        mediaPaths.push(localPath);
+        mediaTypes.push(att.mimeType);
+      } catch (err) {
+        log?.warn?.(`[${accountId}] Failed to download attachment ${att.filename}: ${err}`);
+      }
+    }
+  }
   if (msg.attachments?.length) {
     for (const att of msg.attachments) {
       if (att.storageUrl && att.mimeType?.startsWith("image/")) continue;
@@ -14239,7 +14264,7 @@ async function routeInboundMessage(opts) {
 [Attached: ${att.filename}${sizeKb ? `, ${sizeKb}` : ""}]`;
     }
   }
-  log?.info?.(`[${accountId}] Quiubo: inbound from ${senderId} in group ${groupId}: ${text?.slice(0, 100)}`);
+  log?.info?.(`[${accountId}] Quiubo: inbound from ${senderId} in group ${groupId}: ${text?.slice(0, 100)}${mediaPaths.length > 0 ? ` [${mediaPaths.length} image(s)]` : ""}`);
   const sendTyping = async () => {
     try {
       await client.sendTypingIndicator(groupId, botIdentityId);
@@ -14270,8 +14295,11 @@ async function routeInboundMessage(opts) {
     Surface: CHANNEL_ID,
     MessageSid: `quiubo-${msg.messageId}`,
     Timestamp: msg.createdAt ? new Date(msg.createdAt).getTime() : Date.now(),
-    ...mediaUrls.length > 0 && {
-      MediaUrls: mediaUrls,
+    ...mediaPaths.length > 0 && {
+      MediaPath: mediaPaths[0],
+      MediaUrl: mediaPaths[0],
+      MediaPaths: mediaPaths,
+      MediaUrls: mediaPaths,
       MediaTypes: mediaTypes
     }
   });