registry  /  @goplausible/ac2-plugin-openclaw  /  0.0.101

@goplausible/ac2-plugin-openclaw@0.0.101

OpenClaw Channel Plugin — connects OpenClaw gateway to AC2 peers over WebRTC

AI Security Review

scanned 3h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
No blocking static signals were detected.
Trigger
User installs/enables the plugin, runs `openclaw ac2 setup`, starts OpenClaw gateway, or invokes AC2/x402 tools.
Impact
Can enable AC2 tools in OpenClaw and let an authorized paired wallet/user approve signatures or x402 payments; no unconsented install-time hijack or exfiltration observed.
Mechanism
explicit agent-extension setup plus user-invoked WebRTC, signing, and HTTP tools
Rationale
Static inspection shows a first-party OpenClaw AC2 plugin with explicit user-command setup and user-invoked network/signing tools, but no automatic install-time mutation, stealth persistence, credential harvesting, remote payload execution, or exfiltration. Because it mutates an AI-agent control surface when explicitly commanded, warn rather than block.
Evidence
package.jsonopenclaw.plugin.jsondist/index.jsdist/src/commands.jsdist/src/x402-core.jsdist/src/x402-tools.jsdist/src/agent-identity.jsdist/src/persistence.js~/.openclaw/openclaw.json~/.openclaw/plugins/ac2-plugin-openclaw/agent-key.json~/.openclaw/plugins/ac2-plugin-openclaw/peer.json~/.openclaw/plugins/ac2-plugin-openclaw/pending-invitation.json~/.openclaw/plugins/ac2-plugin-openclaw/active-session.json
Network endpoints5
liquidauth.goplausible.xyzfacilitator.goplausible.xyzmainnet-api.4160.nodely.devtestnet-api.4160.nodely.devlocalhost:4001

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/src/commands.js cmdSetup explicitly writes OpenClaw config: plugins.allow, plugins.entries.*.enabled, bindings, tools.alsoAllow.
  • dist/index.js register() registers AC2 tools/commands and starts runtime side effects outside CLI mode, including Liquid Auth/WebRTC resume listeners.
  • dist/src/x402-core.js exposes agent tools that fetch caller-supplied baseURL/path and can make paid x402 requests after wallet signing.
  • dist/src/agent-identity.js creates and stores a plugin agent private key under ~/.openclaw/plugins/ac2-plugin-openclaw/agent-key.json.
Evidence against
  • package.json has no preinstall/install/postinstall hooks; only prepublishOnly build script.
  • Config mutation is shell CLI-only via `openclaw ac2 setup`, not automatic at npm install/import time.
  • Network endpoints are package-aligned defaults or user/tool supplied: liquidauth.goplausible.xyz, facilitator.goplausible.xyz, Nodely algod, and explicit baseURL.
  • Wallet payment/signing flow uses connected AC2 wallet approval; no local wallet secret harvesting was found.
  • No child_process, eval/vm/Function, remote code loading, destructive filesystem behavior, or credential exfiltration found.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 16 file(s), 242 KB of source, external domains: ac2.io, example.x402.goplausible.xyz, facilitator.goplausible.xyz, liquidauth.goplausible.xyz, mainnet-api.4160.nodely.dev, testnet-api.4160.nodely.dev

Source & flagged code

4 flagged · loading source
dist/src/commands.jsView file
Published source reference
Medium
Ai Review Evidence

dist/src/commands.js cmdSetup explicitly writes OpenClaw config: plugins.allow, plugins.entries.*.enabled, bindings, tools.alsoAllow.

dist/src/commands.jsView on unpkg
dist/index.jsView file
Published source reference
Medium
Ai Review Evidence

dist/index.js register() registers AC2 tools/commands and starts runtime side effects outside CLI mode, including Liquid Auth/WebRTC resume listeners.

dist/index.jsView on unpkg
dist/src/x402-core.jsView file
Published source reference
Medium
Ai Review Evidence

dist/src/x402-core.js exposes agent tools that fetch caller-supplied baseURL/path and can make paid x402 requests after wallet signing.

dist/src/x402-core.jsView on unpkg
dist/src/agent-identity.jsView file
Published source reference
Medium
Ai Review Evidence

dist/src/agent-identity.js creates and stores a plugin agent private key under ~/.openclaw/plugins/ac2-plugin-openclaw/agent-key.json.

dist/src/agent-identity.jsView on unpkg

Findings

6 Medium5 Low
MediumNetwork
MediumEnvironment Vars
MediumAi Review Evidencedist/src/commands.js
MediumAi Review Evidencedist/index.js
MediumAi Review Evidencedist/src/x402-core.js
MediumAi Review Evidencedist/src/agent-identity.js
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings