AI Security Review
scanned 11d ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package is a ClawHive/OpenClaw channel plugin that connects to Supabase after user authorization, syncs agent metadata, handles user messages, and can apply approved market install manifests into agent workspaces.
Static reason
One or more suspicious static signals were detected.
Trigger
OpenClaw gateway_start or explicit openclaw clawhive CLI commands after plugin installation/configuration.
Impact
Authorized ClawHive users can route messages to local OpenClaw agents and install approved agent workspace files; no hidden install-time execution or unconsented persistence was found.
Mechanism
package-aligned cloud channel, authorization, realtime messaging, and approved agent install workflow
Rationale
The suspicious primitives are consistent with the declared OpenClaw cloud-channel plugin: network access is Supabase API traffic, config writes store authorization/registration state, and agent workspace writes occur only in an approved install-job path with path containment checks. The embedded JWT is a Supabase anon key, not a private credential, and there is no install-time execution or unrelated data harvesting.
Evidence
package.jsondist/index.jsdist/src/defaults.jsdist/src/config.jsdist/src/authorization.jsdist/src/client.jsdist/src/inbound.jsdist/src/agents.jsdist/src/market-install/executor.jsopenclaw.plugin.jsonOpenClaw config via api.runtime.config.writeConfigFileagent workspace files from approved manifest via api.runtime.agent.resolveAgentWorkspaceDir
Network endpoints9
idqnatwcrdxdzgcxtwdr.supabase.co/functions/v1/plugin-device-code-start/functions/v1/plugin-device-code-exchange/functions/v1/plugin-register/functions/v1/plugin-heartbeat/functions/v1/plugin-message-write/functions/v1/plugin-agents-sync/functions/v1/market-install-claim/functions/v1/market-install-manifest
Decision evidence
public snapshotAI called this Clean at 91.0% confidence as Benign with low false-positive risk.
Evidence for block
- dist/src/market-install/executor.js writes approved manifest workspaceFiles into local agent workspaces after a claimed install job.
- dist/src/inbound.js dispatches cloud user messages into local OpenClaw agents via runEmbeddedPiAgent.
- dist/src/defaults.js embeds a Supabase anon JWT, but it is used as a public anon key.
Evidence against
- package.json has no install/postinstall lifecycle hook; prepack/prepublishOnly are publish-time build/check scripts.
- dist/index.js starts only as an OpenClaw gateway plugin and skips runtime when no pluginToken is configured.
- dist/src/authorization.js requires explicit openclaw clawhive authorize flow before storing pluginToken/userId.
- dist/src/client.js network calls are to configured Supabase functions for plugin registration, heartbeat, messages, pairing, market install, and panel turns.
- dist/src/market-install/executor.js validates claimed release id/fingerprint/sourceRef and prevents workspace path traversal before writes.
- No child_process, eval/vm/Function, native binary loading, credential harvesting, or unrelated exfiltration found.
Behavioral surface
CryptoEnvironmentVarsFilesystemNetworkWebSocket
HighEntropyStringsUrlStrings
NoLicense
Source & flagged code
2 flagged · loading sourcedist/src/defaults.jsView file
10patternName = supabase_service_key
severity = critical
line = 10
matchedText = export c...-8";
Critical
Critical Secret
Package contains a critical-looking secret pattern.
dist/src/defaults.jsView on unpkg · L1010patternName = supabase_service_key
severity = critical
line = 10
matchedText = export c...-8";
Critical
Secret Pattern
Supabase service role key (JWT) in dist/src/defaults.js
dist/src/defaults.jsView on unpkg · L10Findings
2 Critical2 Medium6 Low
CriticalCritical Secretdist/src/defaults.js
CriticalSecret Patterndist/src/defaults.js
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License