registry  /  @chrysb/alphaclaw  /  0.9.31

@chrysb/alphaclaw@0.9.31

⚠ Under review

Setup UI, gateway manager, and onboarding wrapper for OpenClaw

Static Scan Results

scanned 9h ago · by rust-scanner

Static analysis flagged 15 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 370 file(s), 3.57 MB of source, external domains: accounts.google.com, aistudio.google.com, api.github.com, api.openai.com, api.slack.com, api.telegram.org, auth.openai.com, brave.com, console.anthropic.com, console.cloud.google.com, console.deepgram.com, console.developers.google.com, console.groq.com, console.mistral.ai, dash.voyageai.com, dashboard.render.com, discord.com, docs.cloud.google.com, docs.openclaw.ai, elevenlabs.io, esm.sh, github.com, oauth2.googleapis.com, openrouter.ai, platform.openai.com, railway.com, raw.githubusercontent.com, registry.npmjs.org, slack.com, t.me, www.chartjs.org, www.googleapis.com, www.w3.org

Source & flagged code

5 flagged · loading source
bin/alphaclaw.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @chrysb/alphaclaw@0.9.21 matchedIdentity = npm:QGNocnlzYi9hbHBoYWNsYXc:0.9.21 similarity = 0.783 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

bin/alphaclaw.jsView on unpkg
6const path = require("path"); L7: const { execFileSync, execSync } = require("child_process"); L8: const {
High
Child Process

Package source references child process execution.

bin/alphaclaw.jsView on unpkg · L6
187// In environments where the container filesystem is ephemeral (Railway, etc.), L188: // the npm install from the update endpoint is lost on restart. This re-runs it L189: // from the fresh container using the persistent volume marker. ... L201: try { L202: execSync( L203: "npm install @chrysb/alphaclaw@latest --omit=dev --prefer-online",
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

bin/alphaclaw.jsView on unpkg · L187
3L4: const fs = require("fs"); L5: const os = require("os");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/alphaclaw.jsView on unpkg · L3
lib/setup/hourly-git-sync.shView file
path = lib/setup/hourly-git-sync.sh kind = build_helper sizeBytes = 3183 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

lib/setup/hourly-git-sync.shView on unpkg

Findings

1 Critical3 High5 Medium6 Low
CriticalPrevious Version Dangerous Deltabin/alphaclaw.js
HighChild Processbin/alphaclaw.js
HighShell
HighRuntime Package Installbin/alphaclaw.js
MediumDynamic Requirebin/alphaclaw.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperlib/setup/hourly-git-sync.sh
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings