registry  /  @aiyiran/myclaw  /  1.1.176

@aiyiran/myclaw@1.1.176

⚠ Under review

为 OpenClaw 教学环境设计的一站式命令行工具。

Static Scan Results

scanned 14d ago · by rust-scanner

Static analysis flagged 15 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 46 file(s), 665 KB of source, external domains: 127.0.0.1, api.b.ai, api.minimaxi.com, api.tavily.com, api.vveai.com, cdn.yiranlaoshi.com, mirrors.aliyun.com, open.bigmodel.cn, openclaw.ai, registry.npmjs.org, registry.npmmirror.com, tavily.com, view.officeapps.live.com, www.apple.com, www.google.cn, www.google.com, www.w3.org, www.yiranlaoshi.com, x.x.x.x

Source & flagged code

8 flagged · loading source
delete_agents.jsView file
22const os = require('os'); L23: const { spawnSync, execSync } = require('child_process'); L24:
High
Child Process

Package source references child process execution.

delete_agents.jsView on unpkg · L22
171const psCmd = `Add-Type -AssemblyName Microsoft.VisualBasic; [Microsoft.VisualBasic.FileIO.FileSystem]::${method}(${extraArgs})`; L172: const ret = spawnSync('powershell', ['-NoProfile', '-Command', psCmd], { timeout: 15000 }); L173: if (ret.status === 0) return { ok: true, method: 'powershell' };
High
Shell

Package source references shell execution.

delete_agents.jsView on unpkg · L171
19L20: const fs = require('fs'); L21: const path = require('path');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

delete_agents.jsView on unpkg · L19
index.jsView file
1601console.log(' ' + colors.dim + '→ 正在打开浏览器...' + colors.nc); L1602: const { exec } = require('child_process'); L1603: const fs = require('fs'); L1604: const machineUrl = 'https://' + selected.claw + '.kekouen.cn?token=aiyiran'; L1605: const platform = os.platform(); ... L1609: const chromeCandidates = [ L1610: path.join(process.env.PROGRAMFILES || 'C:\\Program Files', 'Google', 'Chrome', 'Application', 'chrome.exe'), L1611: path.join(process.env['PROGRAMFILES(X86)'] || 'C:\\Program Files (x86)', 'Google', 'Chrome', 'Application', 'chrome.exe'),
Critical
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution with blocking evidence.

index.jsView on unpkg · L1601
Trigger-reachable chain: manifest.main -> index.js Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

index.jsView on unpkg
14* - Windows 7/8/10 旧版本: 颜色代码会被 stripped,避免乱码 L15: * - 推荐 Windows 用户使用 Windows Terminal 或 PowerShell 7+ 获得最佳体验 L16: * - Emoji 符号在 Windows 命令行可能显示为方块,属正常现象 ... L30: const { createAgent } = require('./create_agent'); L31: const { version } = require(path.join(__dirname, 'package.json')); L32: const { TOKEN, DEFAULT_URL } = require(path.join(__dirname, 'config')); ... L81: console.log('[Windows] 检测到 Windows 系统,正在安装...'); L82: const cmd = 'powershell -c "irm https://openclaw.ai/install.ps1 | iex"'; L83: console.log('> ' + cmd); ... L165: stdio: 'inherit', L166: env: { ...process.env, npm[redacted]: 'true' } L167: });
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

index.jsView on unpkg · L14
163try { L164: execSync('npm install -g openclaw@' + targetVersion, { L165: stdio: 'inherit',
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

index.jsView on unpkg · L163
publish.shView file
path = publish.sh kind = build_helper sizeBytes = 1338 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

publish.shView on unpkg

Findings

2 Critical4 High5 Medium4 Low
CriticalSame File Env Network Executionindex.js
CriticalTrigger Reachable Dangerous Capabilityindex.js
HighChild Processdelete_agents.js
HighShelldelete_agents.js
HighSandbox Evasion Gated Capabilityindex.js
HighRuntime Package Installindex.js
MediumDynamic Requiredelete_agents.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperpublish.sh
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings