AI Security Review
scanned 10h ago · by lpm-firewall-ai
LPM treats this as warn-only first-party agent extension lifecycle risk. This is an OpenClaw startup extension that connects a configured Alfe chat relay to the local OpenClaw agent runtime. It exposes agent-to-agent messaging tools and persists chat sessions/attachments under ~/.alfe, but no unconsented foreign agent control-surface mutation or malware behavior was found.
Static reason
One or more suspicious static signals were detected.
Trigger
OpenClaw loads the declared extension on startup and starts the registered alfe-chat-relay service.
Impact
Remote chat relay can submit chat/abort/session RPCs to the plugin when configured; agent activity may be forwarded to the relay as intended by the package.
Mechanism
platform chat extension with relay-connected agent tools and local session storage
Policy narrative
On OpenClaw activation, the plugin registers the Alfe channel, A2A tools, gateway methods, event listeners, and a service that connects to a configured chat WebSocket. Incoming relay requests are dispatched into OpenClaw, responses and activity are relayed back, and chat state is saved under ~/.alfe. This is a guarded platform extension risk, not confirmed malicious behavior.
Rationale
The package has meaningful agent-facing capability and startup activation, so warn-level handling is appropriate under the extension lifecycle policy. Source inspection did not show npm install-time execution, foreign AI-agent config writes, credential harvesting, unrestricted SSRF, shell execution, or persistence outside the declared platform behavior.
Evidence
- package.json
- openclaw.plugin.json
- dist/plugin2.js
- dist/index.js
- ~/.alfe/sessions/chat/{sessionId}.json
- ~/.alfe/attachments/{attachmentId}_{filename}
Network endpoints (6)
- 127.0.0.1:18193/__alfe/set-identity
- s3.amazonaws.com
- api.twilio.com
- graph.microsoft.com
- mmg.whatsapp.net
- .alfe.ai
Decision evidence
public snapshot
AI called this Suspicious at 87.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- openclaw.plugin.json activates the OpenClaw extension on startup.
- dist/plugin2.js registers A2A tools that can list/message other agents via the chat relay.
- dist/plugin2.js forwards assistant/thinking/tool activity and responses through ChatServiceClient when configured.
- dist/plugin2.js downloads user-supplied attachments to ~/.alfe/attachments after URL allowlist validation.
Evidence against
- package.json has no npm lifecycle hooks or bin entries.
- Writes are limited to package-owned ~/.alfe sessions/attachments paths, not foreign agent configs.
- Attachment fetch requires https, blocks IP literals/metadata hosts, and revalidates redirects.
- No child_process, eval/vm/Function, native binary loading, or broad filesystem harvesting found.
- Chat relay URL/API key come from plugin config via @alfe.ai/chat, not hardcoded attacker infrastructure.
Behavioral surface
- ChildProcess
- Crypto
- EnvironmentVars
- Filesystem
- Network
- HighEntropyStrings
- UrlStrings
- NoLicense
Source & flagged code
1 flagged · dist/plugin2.js
L253: */
L254: const SESSIONS_DIR = join(homedir(), ".alfe", "sessions", "chat");
L255: const MAX_SESSIONS = 1e3;
...
L301: const data = await readFile(sessionPath(sessionId), "utf-8");
L302: return JSON.parse(data);
L303: } catch {
...
L554: * - `https:` only.
L555: * - Userinfo (`https://u:p@host/...`) is rejected.
L556: * - IP-literal hosts (v4 or bracketed v6) are rejected outright — only
...
L560: *
L561: * Operators running an agent in a private network that needs to dereference
L562: * additional hosts can extend the list via the
High
Cloud Metadata Access
Source reaches cloud instance metadata or link-local credential endpoints.
dist/plugin2.js · L253
Findings
1 High · 2 Medium · 5 Low
- High: Cloud Metadata Access (dist/plugin2.js)
- Medium: Network
- Medium: Environment Vars
- Low: Scripts Present
- Low: Filesystem
- Low: High Entropy Strings
- Low: Url Strings
- Low: No License