registry  /  @alfe.ai/openclaw-chat  /  0.2.5

@alfe.ai/openclaw-chat@0.2.5

OpenClaw chat plugin for Alfe — web widget and mobile app channels

AI Security Review

scanned 2d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. The package is an OpenClaw chat plugin that connects to an Alfe chat relay, registers A2A tools, stores local chat sessions, and downloads validated user attachments.

Static reason
One or more suspicious static signals were detected.
Trigger
OpenClaw plugin activation/service start or inbound chat request
Impact
Expected chat delivery/session storage; no credential exfiltration or unconsented install/import-time behavior identified
Mechanism
chat relay integration with local session persistence and allowlisted attachment fetching
Rationale
Static source inspection shows expected OpenClaw/Alfe chat plugin behavior with no lifecycle execution, suspicious code execution primitives, credential harvesting, or unbounded exfiltration. Scanner findings map to package-aligned networking, environment-configured attachment allowlisting, and explicit SSRF protections rather than malicious behavior.
Evidence
package.jsonopenclaw.plugin.jsondist/plugin.jsdist/index.jsdist/plugin2.jsREADME.md~/.alfe/sessions/chat/{sessionId}.json~/.alfe/attachments/{attachmentId}_{filename}
Network endpoints12
127.0.0.1:18193/__alfe/set-identitys3.amazonaws.comapi.twilio.comgraph.microsoft.commmg.whatsapp.net.s3.amazonaws.com.amazonaws.com.twiliocdn.com.cdn.discordapp.com.discordapp.net.telegram.org.alfe.ai

Decision evidence

public snapshot
AI called this Clean at 91.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no install/preinstall/postinstall lifecycle hooks; exports point to dist/plugin.js and dist/index.js.
    • dist/plugin2.js registers an OpenClaw channel/service and only starts relay on plugin service start, not install-time.
    • Network use is package-aligned: ChatServiceClient relay, a2a sendRequest/list-agents, attachment downloads with HTTPS allowlist and redirect revalidation.
    • Cloud metadata hint is mitigated: validateAttachmentUrl rejects IP literals, localhost, metadata, and metadata.google.internal before fetch.
    • Filesystem writes are bounded to ~/.alfe/sessions/chat and ~/.alfe/attachments for chat history/attachments; session cleanup only unlinks old session JSON files.
    • No child_process, eval/vm/Function, native binary loading, credential harvesting, persistence, or AI-agent control-surface file writes found.
    Behavioral surface
    Source
    ChildProcessCryptoEnvironmentVarsFilesystemNetwork
    Supply chain
    HighEntropyStringsUrlStrings
    Manifest
    NoLicense
    scanned 6 file(s), 84.3 KB of source, external domains: 127.0.0.1

    Source & flagged code

    1 flagged · loading source
    dist/plugin2.jsView file
    253*/ L254: const SESSIONS_DIR = join(homedir(), ".alfe", "sessions", "chat"); L255: const MAX_SESSIONS = 1e3; ... L301: const data = await readFile(sessionPath(sessionId), "utf-8"); L302: return JSON.parse(data); L303: } catch { ... L529: * - `https:` only. L530: * - Userinfo (`https://u:p@host/...`) is rejected. L531: * - IP-literal hosts (v4 or bracketed v6) are rejected outright — only ... L535: * L536: * Operators running an agent in a private network that needs to dereference L537: * additional hosts can extend the list via the
    High
    Cloud Metadata Access

    Source reaches cloud instance metadata or link-local credential endpoints.

    dist/plugin2.jsView on unpkg · L253

    Findings

    1 High2 Medium5 Low
    HighCloud Metadata Accessdist/plugin2.js
    MediumNetwork
    MediumEnvironment Vars
    LowScripts Present
    LowFilesystem
    LowHigh Entropy Strings
    LowUrl Strings
    LowNo License