registry  /  @clawhive/openclaw-plugin  /  0.2.5

@clawhive/openclaw-plugin@0.2.5

ClawHive channel plugin for OpenClaw

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. After manual authorization, the gateway runtime connects to ClawHive and polls for install jobs. A claimed cloud manifest can create files in a resolved OpenClaw agent workspace and add/update an OpenClaw agent configuration entry.

Static reason
One or more suspicious static signals were detected.
Trigger
Authorized OpenClaw gateway start, then a queued ClawHive market or agency install job.
Impact
A compromised or overly trusted ClawHive control plane could persist agent instructions/files and alter the local OpenClaw agent surface; source shows no install-time execution or broad filesystem escape.
Mechanism
Cloud-controlled agent-manifest installation into OpenClaw workspaces and config.
Rationale
This is a real, package-aligned remote agent-extension lifecycle capability rather than concrete npm malware. The automatic cloud-to-local agent/config mutation warrants a warning because a trusted remote service can influence persistent agent behavior.
Evidence
package.jsondist/index.jsdist/src/client.jsdist/src/market-install/claimLoop.jsdist/src/market-install/executor.jsdist/src/inbound.jsdist/src/config.js
Network endpoints3
idqnatwcrdxdzgcxtwdr.supabase.coidqnatwcrdxdzgcxtwdr.supabase.co/functions/v1/market-install-claimidqnatwcrdxdzgcxtwdr.supabase.co/functions/v1/market-install-manifest

Decision evidence

public snapshot
AI called this Suspicious at 89.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/index.js` starts install claim loops on authorized gateway runtime.
  • `dist/src/market-install/executor.js` fetches cloud manifests and writes workspace files plus agent config.
  • `dist/src/market-install/claimLoop.js` polls and executes claimed jobs automatically.
  • `dist/src/inbound.js` forwards cloud messages into local embedded agents.
Evidence against
  • `package.json` has no preinstall/install/postinstall hooks.
  • `dist/index.js` requires a manually obtained plugin token before runtime startup.
  • `dist/src/market-install/executor.js` rejects path traversal outside the resolved workspace.
  • No child-process, eval/vm, dynamic loading, or direct credential harvesting found.
Behavioral surface
Source
CryptoEnvironmentVarsFilesystemNetworkWebSocket
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 38 file(s), 179 KB of source, external domains: idqnatwcrdxdzgcxtwdr.supabase.co

Source & flagged code

2 flagged · loading source
dist/src/defaults.jsView file
10patternName = supabase_service_key severity = critical line = 10 matchedText = export c...-8";
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist/src/defaults.jsView on unpkg · L10
10patternName = supabase_service_key severity = critical line = 10 matchedText = export c...-8";
Critical
Secret Pattern

Supabase service role key (JWT) in dist/src/defaults.js

dist/src/defaults.jsView on unpkg · L10

Findings

2 Critical2 Medium6 Low
CriticalCritical Secretdist/src/defaults.js
CriticalSecret Patterndist/src/defaults.js
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License