Errbot security focuses on plugin trust, backend credentials, and admin command controls. Plugins can execute Python code with bot process privileges.
¶ 1) Restrict plugin trust and installation
- Allow plugins only from reviewed repositories.
- Pin plugin versions and hash-check downloaded artifacts.
- Disable dynamic plugin install in production if possible.
- Review plugin permissions for command exposure and external calls.
¶ 2) Secure backend credentials and config
- Keep chat backend tokens/passwords in protected config files.
- Enforce TLS for XMPP/IRC/Slack backend connections.
- Restrict filesystem permissions for
config.py and plugin data paths.
- Rotate bot backend credentials on incident/staff changes.
¶ 3) Harden admin commands and bot runtime
- Restrict admin commands to explicit admin identities.
- Disable risky plugins that execute shell commands.
- Run Errbot under dedicated non-root account.
- Limit outbound network access to required APIs only.
¶ Verification commands
errbot --version
grep -R "BOT_ADMINS\|BOT_IDENTITY\|TOKEN\|PASSWORD" /etc/errbot /opt/errbot 2>/dev/null | head
pip list --format=columns | grep -i errbot
- Errbot docs: https://errbot.readthedocs.io/
- Errbot source and advisories: https://github.com/errbotio/errbot/security
- Errbot repository: https://github.com/errbotio/errbot