registry  /  @aiyiran/myclaw  /  1.1.192

@aiyiran/myclaw@1.1.192

为 OpenClaw 教学环境设计的一站式命令行工具。

AI Security Review

scanned 4h ago · by lpm-firewall-ai

Explicit `mc server` or `mc init` installs and launches a persistent local sync daemon. The daemon uploads files from every OpenClaw workspace to a package-controlled CDN namespace and injects a browser telemetry probe into uploaded HTML.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs `mc server` or `mc init`.
Impact
Exfiltrates workspace contents and captures interactive page telemetry outside the stated local-agent configuration role.
Mechanism
Persistent workspace scanning, cloud upload, and HTML telemetry-probe injection.
Attack narrative
When invoked through `mc server` or the `mc init` workflow, the package copies and starts `sync_workspace.py` under `~/.openclaw`. That daemon continuously enumerates every directory whose name contains `workspace`, uploads changed files using embedded cloud-storage credentials, and exposes them via the yiranlaoshi CDN namespace. Before uploading HTML, it injects a probe that records keyboard and click events plus console/error data. This is a concrete data-exfiltration and telemetry collection chain, not merely a configuration helper.
Rationale
Although the package has no install lifecycle hook, its explicit CLI workflow establishes persistent collection and uploads broad OpenClaw workspace content to an external package-controlled endpoint. The behavior exceeds a local agent-management tool and is concrete exfiltration.
Evidence
package.jsonindex.jsserver/sync_workspace.pyassets/debug-probe.jsserver/myclaw-guard.sh~/.openclaw/myclaw/server/sync_workspace.py~/.openclaw/workspace*
Network endpoints1
cdn.yiranlaoshi.com/{claw}/{workspace...}

Decision evidence

public snapshot
AI called this Malicious at 98.0% confidence as Malware with low false-positive risk.
Evidence for block
  • `index.js` runs `mc server` from `mc init` and starts the bundled sync daemon.
  • `server/sync_workspace.py` scans every `~/.openclaw/workspace*` directory, excluding only limited patterns.
  • Each changed workspace file is uploaded through Qiniu and published under `https://cdn.yiranlaoshi.com/{claw}/{workspace...}`.
  • The sync daemon embeds cloud storage credentials in source and continuously reconciles/uploads changes.
  • HTML uploads are modified in transit to inject `assets/debug-probe.js`, which captures clicks, keystrokes, console output, and errors.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or prepare lifecycle hook.
  • The upload daemon is activated by explicit CLI commands (`mc server` or `mc init`), not package import.
  • No evidence of an additional hidden remote payload loader was found in inspected entrypoint and sync paths.
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 47 file(s), 671 KB of source, external domains: 127.0.0.1, api.b.ai, api.minimaxi.com, api.tavily.com, api.vveai.com, cdn.yiranlaoshi.com, mirrors.aliyun.com, open.bigmodel.cn, openclaw.ai, registry.npmjs.org, registry.npmmirror.com, tavily.com, view.officeapps.live.com, www.apple.com, www.google.cn, www.google.com, www.w3.org, www.yiranlaoshi.com, x.x.x.x

Source & flagged code

8 flagged · loading source
delete_agents.jsView file
22const os = require('os'); L23: const { spawnSync, execSync } = require('child_process'); L24:
High
Child Process

Package source references child process execution.

delete_agents.jsView on unpkg · L22
173const psCmd = `Add-Type -AssemblyName Microsoft.VisualBasic; [Microsoft.VisualBasic.FileIO.FileSystem]::${method}(${extraArgs})`; L174: const ret = spawnSync('powershell', ['-NoProfile', '-Command', psCmd], { timeout: 15000 }); L175: if (ret.status === 0) return { ok: true, method: 'powershell' };
High
Shell

Package source references shell execution.

delete_agents.jsView on unpkg · L173
19L20: const fs = require('fs'); L21: const path = require('path');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

delete_agents.jsView on unpkg · L19
index.jsView file
1608console.log(' ' + colors.dim + '→ 正在打开浏览器...' + colors.nc); L1609: const { exec } = require('child_process'); L1610: const fs = require('fs'); L1611: const machineUrl = 'https://' + selected.claw + '.kekouen.cn?token=aiyiran'; L1612: const platform = os.platform(); ... L1616: const chromeCandidates = [ L1617: path.join(process.env.PROGRAMFILES || 'C:\\Program Files', 'Google', 'Chrome', 'Application', 'chrome.exe'), L1618: path.join(process.env['PROGRAMFILES(X86)'] || 'C:\\Program Files (x86)', 'Google', 'Chrome', 'Application', 'chrome.exe'),
Critical
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution with blocking evidence.

index.jsView on unpkg · L1608
Trigger-reachable chain: manifest.main -> index.js Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

index.jsView on unpkg
14* - Windows 7/8/10 旧版本: 颜色代码会被 stripped,避免乱码 L15: * - 推荐 Windows 用户使用 Windows Terminal 或 PowerShell 7+ 获得最佳体验 L16: * - Emoji 符号在 Windows 命令行可能显示为方块,属正常现象 ... L30: const { createAgent } = require('./create_agent'); L31: const { version } = require(path.join(__dirname, 'package.json')); L32: const { TOKEN, DEFAULT_URL } = require(path.join(__dirname, 'config')); ... L81: console.log('[Windows] 检测到 Windows 系统,正在安装...'); L82: const cmd = 'powershell -c "irm https://openclaw.ai/install.ps1 | iex"'; L83: console.log('> ' + cmd); ... L165: stdio: 'inherit', L166: env: { ...process.env, npm[redacted]: 'true' } L167: });
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

index.jsView on unpkg · L14
163try { L164: execSync('npm install -g openclaw@' + targetVersion, { L165: stdio: 'inherit',
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

index.jsView on unpkg · L163
publish.shView file
path = publish.sh kind = build_helper sizeBytes = 1338 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

publish.shView on unpkg

Findings

2 Critical4 High5 Medium4 Low
CriticalSame File Env Network Executionindex.js
CriticalTrigger Reachable Dangerous Capabilityindex.js
HighChild Processdelete_agents.js
HighShelldelete_agents.js
HighSandbox Evasion Gated Capabilityindex.js
HighRuntime Package Installindex.js
MediumDynamic Requiredelete_agents.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperpublish.sh
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings