registry  /  @alfe.ai/openclaw-chat  /  0.5.0

@alfe.ai/openclaw-chat@0.5.0

OpenClaw chat plugin for Alfe — web widget and mobile app channels

AI Security Review

scanned 10h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. This is an OpenClaw startup extension that connects a configured Alfe chat relay to the local OpenClaw agent runtime. It exposes agent-to-agent messaging tools and persists chat sessions/attachments under ~/.alfe, but no unconsented foreign agent control-surface mutation or malware behavior was found.

Static reason
One or more suspicious static signals were detected.
Trigger
OpenClaw loads the declared extension on startup and starts the registered alfe-chat-relay service.
Impact
Remote chat relay can submit chat/abort/session RPCs to the plugin when configured; agent activity may be forwarded to the relay as intended by the package.
Mechanism
platform chat extension with relay-connected agent tools and local session storage
Policy narrative
On OpenClaw activation, the plugin registers the Alfe channel, A2A tools, gateway methods, event listeners, and a service that connects to a configured chat WebSocket. Incoming relay requests are dispatched into OpenClaw, responses and activity are relayed back, and chat state is saved under ~/.alfe. This is a guarded platform extension risk, not confirmed malicious behavior.
Rationale
The package has meaningful agent-facing capability and startup activation, so warn-level handling is appropriate under the extension lifecycle policy. Source inspection did not show npm install-time execution, foreign AI-agent config writes, credential harvesting, unrestricted SSRF, shell execution, or persistence outside the declared platform behavior.
Evidence
package.jsonopenclaw.plugin.jsondist/plugin2.jsdist/index.js~/.alfe/sessions/chat/{sessionId}.json~/.alfe/attachments/{attachmentId}_{filename}
Network endpoints6
127.0.0.1:18193/__alfe/set-identitys3.amazonaws.comapi.twilio.comgraph.microsoft.commmg.whatsapp.net.alfe.ai

Decision evidence

public snapshot
AI called this Suspicious at 87.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • openclaw.plugin.json activates the OpenClaw extension on startup.
  • dist/plugin2.js registers A2A tools that can list/message other agents via the chat relay.
  • dist/plugin2.js forwards assistant/thinking/tool activity and responses through ChatServiceClient when configured.
  • dist/plugin2.js downloads user-supplied attachments to ~/.alfe/attachments after URL allowlist validation.
Evidence against
  • package.json has no npm lifecycle hooks or bin entries.
  • Writes are limited to package-owned ~/.alfe sessions/attachments paths, not foreign agent configs.
  • Attachment fetch requires https, blocks IP literals/metadata hosts, and revalidates redirects.
  • No child_process, eval/vm/Function, native binary loading, or broad filesystem harvesting found.
  • Chat relay URL/API key come from plugin config via @alfe.ai/chat, not hardcoded attacker infrastructure.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 6 file(s), 143 KB of source, external domains: 127.0.0.1

Source & flagged code

1 flagged · loading source
dist/plugin2.jsView file
253*/ L254: const SESSIONS_DIR = join(homedir(), ".alfe", "sessions", "chat"); L255: const MAX_SESSIONS = 1e3; ... L301: const data = await readFile(sessionPath(sessionId), "utf-8"); L302: return JSON.parse(data); L303: } catch { ... L554: * - `https:` only. L555: * - Userinfo (`https://u:p@host/...`) is rejected. L556: * - IP-literal hosts (v4 or bracketed v6) are rejected outright — only ... L560: * L561: * Operators running an agent in a private network that needs to dereference L562: * additional hosts can extend the list via the
High
Cloud Metadata Access

Source reaches cloud instance metadata or link-local credential endpoints.

dist/plugin2.jsView on unpkg · L253

Findings

1 High2 Medium5 Low
HighCloud Metadata Accessdist/plugin2.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License