registry  /  @dashclaw/cli  /  0.7.0

@dashclaw/cli@0.7.0

DashClaw terminal client — approve agent actions and diagnose your instance

AI Security Review

scanned 3h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs dashclaw install codex, dashclaw install claude, dashclaw up, code ingest/apply, or env subcommands.
Impact
Can install governance hooks into AI-agent configs, send local transcript data to configured DashClaw endpoints, and run user-specified commands with fetched managed secrets.
Mechanism
User-invoked CLI provisioning, fetch, local file writes, and child process spawning
Rationale
Static source inspection supports a warning for explicit AI-agent control-surface mutation, but not a block: the behavior is user-invoked, package-aligned, and absent from npm lifecycle hooks. No concrete malicious chain such as unconsented install-time hijack, stealth credential theft, destructive action, or obfuscated payload was found.
Evidence
package.jsonbin/dashclaw.jslib/codex/install.jslib/claude/install.jslib/env.jslib/code/ingest.jslib/code/ingest-codex.jslib/code/apply.jslib/up/fetch-app.jslib/up/run.js~/.codex/config.toml~/.codex/hooks/dashclaw/<project>/AGENTS.md~/.claude/settings.json~/.dashclaw/claude-hooks/.env~/.dashclaw/config.json~/.dashclaw/codex-sessions/<dest> from dashclaw code apply
Network endpoints5
hosted.dashclaw.ioregistry.npmjs.org/dashclaw/latestapi.github.com/repos/ucsandman/DashClaw/releases/latestcodeload.github.com/ucsandman/DashClaw/tar.gz/refs/tags/v<version><configured DASHCLAW_BASE_URL>/api/*

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • lib/codex/install.js writes managed blocks into ~/.codex/config.toml and <project>/AGENTS.md and copies hooks to ~/.codex/hooks/dashclaw/.
  • lib/claude/install.js writes ~/.claude/settings.json hook entries and ~/.dashclaw/claude-hooks/.env after user runs install claude.
  • lib/claude/install.js can download hook bundle from configured endpoint /downloads/dashclaw-claude-code-hooks.zip.
  • lib/code/ingest.js and lib/code/ingest-codex.js can read local Claude/Codex transcripts and send/write them on explicit code ingest commands.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle scripts; only bin dashclaw is exposed.
  • bin/dashclaw.js dispatches risky behavior behind explicit subcommands such as install, up, code ingest, env, and apply.
  • Network calls are package-aligned: configured DashClaw baseUrl, hosted.dashclaw.io trial, npm registry, GitHub codeload/API.
  • lib/env.js refuses --print and only injects fetched secrets into a user-specified child process environment.
  • lib/code/apply.js guards destination paths with _ensureInsideProject and scans/redacts secret patterns before writes.
  • No eval/vm/Function, obfuscated payload, credential harvesting loop, stealth persistence, or install-time mutation found.
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 24 file(s), 226 KB of source, external domains: api.github.com, codeload.github.com, github.com, hosted.dashclaw.io, registry.npmjs.org, your-dashclaw.vercel.app, your.vercel.app

Source & flagged code

5 flagged · loading source
bin/dashclaw.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @dashclaw/cli@0.6.2 matchedIdentity = npm:QGRhc2hjbGF3L2NsaQ:0.6.2 similarity = 0.958 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

bin/dashclaw.jsView on unpkg
2L3: import { execFileSync } from 'child_process'; L4: import { readFileSync } from 'node:fs';
High
Child Process

Package source references child process execution.

bin/dashclaw.jsView on unpkg · L2
298} else if (platform === 'win32') { L299: // Use PowerShell Start-Process instead of relying on cmd.exe parsing L300: execFileSync('powershell', ['-NoProfile', '-Command', 'Start-Process', url]);
High
Shell

Package source references shell execution.

bin/dashclaw.jsView on unpkg · L298
576*/ L577: async function cmdImport() { L578: const file = args[1];
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/dashclaw.jsView on unpkg · L576
lib/up/run.jsView file
2// L3: // Build, start, health-wait, and open-browser primitives for `npx dashclaw up`. L4: L5: import { spawn, spawnSync } from 'node:child_process'; L6:
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

lib/up/run.jsView on unpkg · L2

Findings

1 Critical3 High4 Medium4 Low
CriticalPrevious Version Dangerous Deltabin/dashclaw.js
HighChild Processbin/dashclaw.js
HighShellbin/dashclaw.js
HighRuntime Package Installlib/up/run.js
MediumDynamic Requirebin/dashclaw.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings