Hubot is effectively a script runner connected to chat adapters. The highest risk is untrusted scripts running with broad bot tokens and unrestricted command execution.
¶ 1) Restrict adapter tokens and bot scopes
- Use the minimum required OAuth/bot scopes in Slack/Teams/XMPP adapters.
- Rotate adapter tokens regularly and immediately after staff changes.
- Keep HUBOT_* secrets in root-only environment files.
- Restrict bot usage to approved channels/workspaces.
- Pin script package versions in package-lock.json.
- Require review for all custom scripts under scripts/.
- Remove unused adapters and community scripts.
- Run npm audit and patch high/critical issues promptly.
¶ 3) Harden command and runtime boundaries
- Implement command allow-lists for sensitive operations.
- Disable shell/exec-style scripts unless absolutely required.
- Run Hubot under a non-root user with a read-only app directory where possible.
- Restrict outbound network destinations for webhook/API integrations.
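The allow-list and "no shell from chat text" points above, as an added example Hubot script (not code from the Hubot project): a sensitive command is gated by a reviewable policy of users and rooms, its argument is validated against a strict pattern instead of being handed to a shell, and every attempt is logged for detection. The command names, user names and room names are a constructed sample policy.

```javascript
// Added example, not part of Hubot: gate sensitive commands behind an
// allow-list and validate arguments before doing anything with them.
// Assumes the standard Hubot script shape: module.exports = (robot) => { ... }

// Constructed sample policy: command -> who may run it and from which room.
// Keeping the policy as data means it is reviewed like any other script change.
const SENSITIVE_COMMANDS = {
  deploy:  { users: new Set(['alice', 'bob']), rooms: new Set(['#ops']) },
  restart: { users: new Set(['alice']),        rooms: new Set(['#ops']) },
};

// Deny by default: unknown commands, unknown users and unlisted rooms all fail.
function isAllowed(policy, command, user, room) {
  const rule = policy[command];
  if (!rule) return false;
  return rule.users.has(user) && rule.rooms.has(room);
}

// Decide what to do with one command; returns the message that will be
// both replied to the user and written to the audit log.
function handleCommand(policy, command, arg, user, room) {
  if (!isAllowed(policy, command, user, room)) {
    return `denied: ${user} may not run "${command}" in ${room}`;
  }
  // Chat text never reaches a shell: only a narrow target name is accepted.
  if (!/^[a-z0-9-]{1,32}$/.test(arg)) {
    return `rejected: invalid target "${arg}"`;
  }
  return `ok: ${command} ${arg} requested by ${user}`;
}

// Hubot entry point: register the handler on the robot.
function attach(robot, policy = SENSITIVE_COMMANDS) {
  robot.respond(/(deploy|restart) (\S+)$/i, (res) => {
    const [, command, arg] = res.match;
    const user = res.message.user.name;
    const room = res.message.room;
    const outcome = handleCommand(policy, command.toLowerCase(), arg, user, room);
    robot.logger.info(`audit: ${outcome}`); // log allowed and denied attempts alike
    res.reply(outcome);
  });
}

if (typeof module !== 'undefined') module.exports = attach;
```

Dropping the file under scripts/ is enough for Hubot to load it; the audit lines give SOC a feed of who tried which sensitive command from where.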
¶ Verification commands
node --version && npm --version
npm audit --omit=dev
grep -R "HUBOT_\|TOKEN\|SECRET" /etc/systemd /opt/hubot 2>/dev/null | head
- Hubot docs: https://hubot.github.com/docs/
- Hubot source repository: https://github.com/github/hubot
- Node.js security best practices: https://nodejs.org/en/security/