AI Security Review
scanned 2h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. After manual authorization, the gateway runtime connects to ClawHive and polls for install jobs. A claimed cloud manifest can create files in a resolved OpenClaw agent workspace and add/update an OpenClaw agent configuration entry.
Static reason
One or more suspicious static signals were detected.
Trigger
Authorized OpenClaw gateway start, then a queued ClawHive market or agency install job.
Impact
A compromised or overly trusted ClawHive control plane could persist agent instructions/files and alter the local OpenClaw agent surface; source shows no install-time execution or broad filesystem escape.
Mechanism
Cloud-controlled agent-manifest installation into OpenClaw workspaces and config.
Rationale
This is a real, package-aligned remote agent-extension lifecycle capability rather than concrete npm malware. The automatic cloud-to-local agent/config mutation warrants a warning because a trusted remote service can influence persistent agent behavior.
Evidence
package.jsondist/index.jsdist/src/client.jsdist/src/market-install/claimLoop.jsdist/src/market-install/executor.jsdist/src/inbound.jsdist/src/config.js
Network endpoints3
idqnatwcrdxdzgcxtwdr.supabase.coidqnatwcrdxdzgcxtwdr.supabase.co/functions/v1/market-install-claimidqnatwcrdxdzgcxtwdr.supabase.co/functions/v1/market-install-manifest
Decision evidence
public snapshotAI called this Suspicious at 89.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `dist/index.js` starts install claim loops on authorized gateway runtime.
- `dist/src/market-install/executor.js` fetches cloud manifests and writes workspace files plus agent config.
- `dist/src/market-install/claimLoop.js` polls and executes claimed jobs automatically.
- `dist/src/inbound.js` forwards cloud messages into local embedded agents.
Evidence against
- `package.json` has no preinstall/install/postinstall hooks.
- `dist/index.js` requires a manually obtained plugin token before runtime startup.
- `dist/src/market-install/executor.js` rejects path traversal outside the resolved workspace.
- No child-process, eval/vm, dynamic loading, or direct credential harvesting found.
Behavioral surface
CryptoEnvironmentVarsFilesystemNetworkWebSocket
HighEntropyStringsUrlStrings
NoLicense
Source & flagged code
2 flagged · loading sourcedist/src/defaults.jsView file
10patternName = supabase_service_key
severity = critical
line = 10
matchedText = export c...-8";
Critical
Critical Secret
Package contains a critical-looking secret pattern.
dist/src/defaults.jsView on unpkg · L1010patternName = supabase_service_key
severity = critical
line = 10
matchedText = export c...-8";
Critical
Secret Pattern
Supabase service role key (JWT) in dist/src/defaults.js
dist/src/defaults.jsView on unpkg · L10Findings
2 Critical2 Medium6 Low
CriticalCritical Secretdist/src/defaults.js
CriticalSecret Patterndist/src/defaults.js
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License