Community code plugin. Review compatibility and verification before install.
Latest release: v0.2.4Download zip
Capabilities
Compatibility
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
The skill creates, stores, lists, and resolves bulletins, posts bulletin content to configured Discord channels, and wakes subscribed OpenClaw agents; these are explicitly described in SKILL.md and README.md as core coordination behavior.
Instruction Scope
Agent wake prompts include bulletin text and prior responses so subscribers can respond or critique; this is expected for the deliberation workflow, but users should treat bulletin text as untrusted operational content.
Install Mechanism
The package is a normal npm-style OpenClaw tools plugin with no install-time execution beyond the better-sqlite3 dependency and CLI bins; however the compact plugin manifest lists only tools while the fuller docs disclose the HTTP wake route, Discord egress, and credentials.
Credentials
Access to DISCORD_BOT_TOKEN, RELAY_BOT_TOKEN, GATEWAY_AUTH_TOKEN, OpenClaw config, local SQLite storage, localhost gateway calls, and Discord network calls is proportionate to the advertised bulletin, notification, and agent-wake features.
Persistence & Privilege
The skill persists bulletins and audit logs under $OPENCLAW_HOME/mailroom/bulletins and schedules configured bulletin timeouts; this persistence is documented and scoped to the plugin's mailroom paths.
Scan Findings in Context
[SDI-1] expected: Discord posting, escalation messages, and subscriber wake behavior are real, but the artifact documents them as part of the bulletin coordination workflow rather than hiding them.
[SDI-2] expected: The /bulletin/wake HTTP route and localhost fallback are authenticated through the gateway and validate that the target agent is subscribed before waking it.
[SQP-2] expected: Credential use for Discord and the OpenClaw gateway is disclosed in SKILL.md, README.md, the example config, and the doctor command; static credential-access findings match expected integration behavior.
[SSD-3] expected: Forwarding bulletin bodies and response excerpts to Discord and subscribed agents is inherent to the deliberation feature, though it increases exposure if users place sensitive data in bulletins.
[suspicious.env_credential_access] expected: The static scan finding is supported by code, but the tokens are used for documented Discord notification and gateway wake operations, not for unrelated exfiltration.
Assessment
Install only if you want bulletin content, responses, critiques, and closure summaries stored locally and sent to the Discord channels you configure, and if you are comfortable with subscribed agents being woken automatically. Keep agent groups narrow, use least-privilege Discord and Gateway tokens, restrict channel permissions, and do not put secrets or sensitive customer, HR, legal, or finance data in bulletins unless those systems are approved for it.dist/bin/bulletin-post.js:93
Environment variable access combined with network send.
dist/index.js:31
Environment variable access combined with network send.
index.ts:72
Environment variable access combined with network send.
Confirmed safe by external scanners
Static analysis detected API credential-access patterns, but both VirusTotal and OpenClaw confirmed this skill is safe. These patterns are common in legitimate API integration skills.Verification
Tags
bulletin-tools
OpenClaw plugin for structured multi-agent deliberation. Agents and operators can post bulletins, subscribe other agents, collect align / partial / oppose responses, run critique rounds, and close decisions with an audit trail.
Published on ClawHub as the OpenClaw plugin package bulletin-tools-plugin.
Install
Requires Node.js 22.18.0 or newer.
openclaw plugins install clawhub:bulletin-tools-plugin
For local development:
git clone https://github.com/rendrag-git/bulletin-tools
cd bulletin-tools
npm install
npm run build
npm test
openclaw plugins install --link .
Configure
Runtime files live under $OPENCLAW_HOME/mailroom/ (~/.openclaw/mailroom/ by default).
export OPENCLAW_HOME="${OPENCLAW_HOME:-$HOME/.openclaw}"
mkdir -p "$OPENCLAW_HOME/mailroom"
cp examples/bulletin-config.example.json "$OPENCLAW_HOME/mailroom/bulletin-config.json"
cp examples/agent-groups.example.json "$OPENCLAW_HOME/mailroom/agent-groups.json"
bulletin-doctor
Edit bulletin-config.json:
{
"platform": "discord",
"bulletinBoardChannel": "YOUR_CHANNEL_ID",
"escalationChannel": "YOUR_CHANNEL_ID",
"botToken": "${DISCORD_BOT_TOKEN}",
"gatewayToken": "${GATEWAY_AUTH_TOKEN}",
"dissentThreshold": 2,
"consensusPartialThreshold": 0.3,
"serverId": "YOUR_DISCORD_SERVER_ID"
}
Key fields:
| Field | Description |
|---|---|
platform | Must be "discord". Discord is the only implemented notification platform. |
bulletinBoardChannel | Discord channel where bulletins are posted as threads. |
escalationChannel | Discord channel for dissent, failed consensus, and majority closure alerts. |
botToken | Discord bot token. Supports ${ENV_VAR} from env, secrets.json, or .env. |
gatewayToken | OpenClaw Gateway token used by CLI wake fallback. |
serverId | Optional Discord guild ID used for clickable thread URLs. |
Edit agent-groups.json:
{
"engineering": ["dev", "db", "aws"],
"leadership": ["pm", "product", "finance"],
"all": ["dev", "db", "aws", "pm", "product", "finance", "legal", "compliance"]
}
Group names are subscriber shortcuts. A bulletin posted to engineering resolves to the listed agent IDs.
Post bulletins
From the CLI:
bulletin-post \
--topic "Should we use WebSockets or SSE for agent status?" \
--body "Context, options, constraints, and the input needed from subscribers." \
--subscribers "engineering" \
--protocol advisory \
--closed-notify "channel:1234567890"
From an agent, use the bulletin_post tool with:
| Field | Description |
|---|---|
topic | Short decision or question. |
body | Context, options, constraints, and requested input. |
subscribers | Known agent IDs or group names from agent-groups.json. |
protocol | Optional: advisory, fyi, consensus, or majority. |
urgent | Optional marker. Subscribers are woken immediately either way. |
parentId | Optional parent bulletin ID. |
timeoutMinutes | Optional auto-close timeout. |
closedNotify | Optional closure route such as channel:1234567890. |
Agent-created bulletins reject unknown subscribers and self-only bulletins by default.
Protocols
| Protocol | Use when | Behavior |
|---|---|---|
advisory | You want input, but the decision is not binding. | All respond, critique round opens, closes with summary. |
consensus | The decision requires alignment. | Same as advisory, but closes only if all critiques align. |
majority | Speed matters more than unanimity. | Closes as soon as more than 50% align. |
fyi | Informational only. | No auto-close and no rounds. |
Agents respond with align, partial, or oppose. partial requires reservations.
Security and data handling
Bulletin content is operational data. Topics, bodies, responses, critiques, escalation summaries, and closure summaries may be stored locally and sent to configured Discord channels.
- Local retention: records persist under
$OPENCLAW_HOME/mailroom/bulletins/until you delete or archive them. - External transmission: Discord notifications send bulletin content using your configured bot token and channel IDs.
- Automatic execution: creating a bulletin can wake every resolved subscriber agent. Keep
agent-groups.jsonnarrow. - Credentials: treat
DISCORD_BOT_TOKEN,RELAY_BOT_TOKEN,GATEWAY_AUTH_TOKEN, and$OPENCLAW_HOME/secrets.jsonas sensitive. - Sensitive content: avoid secrets, customer data, credentials, and private legal/HR/finance details unless your OpenClaw home and Discord channels are approved for that data.
- Visibility:
bulletin_listonly returns bulletins where the caller is the creator or a resolved subscriber. Discord channel visibility is still controlled by Discord permissions. - Wake route:
/bulletin/wakeaccepts bulletin IDs, not arbitrary task text. The plugin verifies the target agent is subscribed before building the wake prompt.
Data paths
- SQLite database:
$OPENCLAW_HOME/mailroom/bulletins/bulletins.db - Audit log:
$OPENCLAW_HOME/mailroom/bulletins/audit.log - Config:
$OPENCLAW_HOME/mailroom/bulletin-config.json - Agent groups:
$OPENCLAW_HOME/mailroom/agent-groups.json
Troubleshooting
Run:
bulletin-doctor
If better-sqlite3 installed without its native binding:
npm rebuild better-sqlite3 --ignore-scripts=false
More
License
MIT-0