registry  /  @dashclaw/cli  /  0.6.2

@dashclaw/cli@0.6.2

DashClaw terminal client — approve agent actions and diagnose your instance

AI Security Review

scanned 3h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `dashclaw install claude`, `dashclaw install codex`, `dashclaw up`, `dashclaw code ingest`, or `dashclaw code ingest-codex`.
Impact
Can modify Claude/Codex governance configuration and send selected local agent transcripts to a configured DashClaw endpoint when invoked.
Mechanism
explicit CLI provisioning, local transcript ingestion, configured API requests
Rationale
Static source inspection shows sensitive agent-control and transcript-ingest capabilities, but they are explicit DashClaw CLI features with no npm lifecycle trigger, stealth persistence, credential exfiltration, or unconsented broad AI-agent control mutation. Per policy this warrants a warning for explicit user-command agent config mutation rather than a publish block.
Evidence
package.jsonbin/dashclaw.jslib/claude/install.jslib/codex/install.jslib/code/ingest.jslib/code/ingest-codex.jslib/up/index.jslib/up/run.jslib/env.js~/.claude/settings.json~/.dashclaw/claude-hooks/.env~/.dashclaw/config.json~/.codex/config.toml~/.codex/hooks/dashclaw/<project>/AGENTS.md~/.dashclaw/codex-sessions/~/.dashclaw/instance.json
Network endpoints5
hosted.dashclaw.ioregistry.npmjs.org/dashclaw/latestapi.github.com/repos/ucsandman/DashClaw/releases/latestcodeload.github.com/ucsandman/DashClaw/tar.gz/refs/tags/v<version><configured DASHCLAW_BASE_URL>

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • lib/codex/install.js explicitly writes Codex config/hooks and project AGENTS.md when user runs `dashclaw install codex`.
  • lib/claude/install.js explicitly writes Claude Code hook settings and hook credentials when user runs `dashclaw install claude`.
  • lib/code/ingest.js and lib/code/ingest-codex.js can read local agent transcript JSONL files and POST/write them on explicit ingest commands.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle scripts.
  • bin/dashclaw.js only dispatches user-invoked CLI commands; no import-time install or config mutation seen.
  • Network calls are DashClaw-aligned: configured baseUrl, hosted.dashclaw.io trial, registry.npmjs.org, api.github.com, codeload.github.com.
  • lib/env.js fetches managed secrets from the configured DashClaw instance and injects them only into a user-supplied child process; comments and code avoid printing values.
  • Runtime `npm install` in lib/up/run.js is part of explicit `dashclaw up` local app provisioning, not install-time execution.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 24 file(s), 224 KB of source, external domains: api.github.com, codeload.github.com, github.com, hosted.dashclaw.io, registry.npmjs.org, your-dashclaw.vercel.app, your.vercel.app

Source & flagged code

4 flagged · loading source
bin/dashclaw.jsView file
2L3: import { execFileSync } from 'child_process'; L4: import { readFileSync } from 'node:fs';
High
Child Process

Package source references child process execution.

bin/dashclaw.jsView on unpkg · L2
296} else if (platform === 'win32') { L297: // Use PowerShell Start-Process instead of relying on cmd.exe parsing L298: execFileSync('powershell', ['-NoProfile', '-Command', 'Start-Process', url]);
High
Shell

Package source references shell execution.

bin/dashclaw.jsView on unpkg · L296
lib/up/run.jsView file
2// L3: // Build, start, health-wait, and open-browser primitives for `npx dashclaw up`. L4: L5: import { spawn, spawnSync } from 'node:child_process'; L6:
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

lib/up/run.jsView on unpkg · L2
lib/up/index.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @dashclaw/cli@0.6.1 matchedIdentity = npm:QGRhc2hjbGF3L2NsaQ:0.6.1 similarity = 0.917 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

lib/up/index.jsView on unpkg

Findings

1 Critical3 High3 Medium4 Low
CriticalPrevious Version Dangerous Deltalib/up/index.js
HighChild Processbin/dashclaw.js
HighShellbin/dashclaw.js
HighRuntime Package Installlib/up/run.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings