
@alfe.ai/openclaw-chat@0.3.1

OpenClaw chat plugin for Alfe — web widget and mobile app channels

Static Scan Results

scanned 2d ago · by rust-scanner

Static analysis flagged 8 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source: ChildProcess, Crypto, EnvironmentVars, Filesystem, Network
Supply chain: HighEntropyStrings, UrlStrings
Manifest: NoLicense
scanned 6 file(s), 112 KB of source, external domains: 127.0.0.1

Source & flagged code

1 flagged
dist/plugin2.js
L253: */
L254: const SESSIONS_DIR = join(homedir(), ".alfe", "sessions", "chat");
L255: const MAX_SESSIONS = 1e3;
...
L301: const data = await readFile(sessionPath(sessionId), "utf-8");
L302: return JSON.parse(data);
L303: } catch {
...
L529: * - `https:` only.
L530: * - Userinfo (`https://u:p@host/...`) is rejected.
L531: * - IP-literal hosts (v4 or bracketed v6) are rejected outright — only
...
L535: *
L536: * Operators running an agent in a private network that needs to dereference
L537: * additional hosts can extend the list via the
High
Cloud Metadata Access

Source reaches cloud instance metadata or link-local credential endpoints.

dist/plugin2.js · L253

Findings

1 High, 2 Medium, 5 Low
High: Cloud Metadata Access (dist/plugin2.js)
Medium: Network
Medium: Environment Vars
Low: Scripts Present
Low: Filesystem
Low: High Entropy Strings
Low: Url Strings
Low: No License