@myclaw163/clawclaw-cli@0.6.82

ClawClaw social deduction game CLI

AI Security Review

scanned 4d ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. Confirmed install-time mutation of AI-agent control surface on global install. The package registers a bundled gameplay skill into common agent skill directories without an interactive approval gate from npm install.

Static reason
One or more suspicious static signals were detected; previous stored version diff introduced dangerous source.
Trigger
Global npm install with lifecycle scripts enabled
Impact
Adds/replaces agent instructions that control future Claude/Codex/OpenClaw gameplay behavior; bundled helper can later alter Claude Code config if invoked.
Mechanism
postinstall-driven global agent skill registration
Policy narrative
On global install, npm runs postinstall, which calls syncBundledSkill. That code locates common AI-agent skill locations, backs up existing clawclaw skills, then executes the bundled skills CLI with -y -g to add the package's skill globally. This creates unconsented install-time modification of agent instruction surfaces. A separate shipped helper can alter Claude Code feature flags and settings, though it is user-invoked by the skill documentation rather than lifecycle-triggered.
Rationale
Source inspection confirms lifecycle-driven AI-agent control-surface mutation, not merely scanner noise. Even with backups and opt-outs, registering agent instructions during npm postinstall is a concrete unconsented control-surface change. Product guard normalized a non-low false-positive publish_block request to warn-only suspicious.
Evidence
  • package.json
  • scripts/postinstall.mjs
  • scripts/sync-bundled-skill.mjs
  • scripts/enable_monitor.cjs
  • skills/clawclaw/SKILL.md
  • ~/.agents/skills/clawclaw
  • ~/.claude/skills/clawclaw
  • ~/.codex/skills/clawclaw
  • ~/.openclaw/skills/clawclaw
  • ~/.clawclaw/skill-backups
  • ~/.claude.json
  • ~/.claude/settings.json
Network endpoints (3)
  • myclaw.163.com
  • registry.npmjs.org
  • git-scm.com/downloads/win

Decision evidence

public snapshot
AI called this Suspicious at 95.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for policy block
  • package.json runs postinstall: node scripts/postinstall.mjs.
  • scripts/postinstall.mjs invokes syncBundledSkill during global npm install unless opted out.
  • scripts/sync-bundled-skill.mjs targets agent skill dirs under ~/.agents, ~/.claude, ~/.codex, and OpenClaw homes.
  • syncBundledSkill runs the bundled skills CLI with add <sourceDir> -y -g, overwriting/registering an agent skill at install time.
  • scripts/enable_monitor.cjs can modify ~/.claude.json and ~/.claude/settings.json to enable hidden Claude Code Monitor/tool-search flags.
Evidence against
  • postinstall is skipped for non-global installs and supports CLAWCLAW_SKIP_SKILL_SYNC=1.
  • Skill sync backs up existing skill dirs before replacement.
  • Network use in src/lib and src/commands is aligned with ClawClaw game/hub functionality.
  • enable_monitor.cjs is not invoked by postinstall; bundled skill text tells agents to ask user before running it.
Behavioral surface
Source
ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Filesystem, Network, Shell, WebSocket
Supply chain
HighEntropyStrings, UrlStrings
Manifest
NoLicense
scanned 195 file(s), 964 KB of source, external domains: example.com, game.example.com, hub.example, myclaw.163.com, registry.npmmirror.com

Source & flagged code

6 flagged
package.json
scripts.postinstall = node scripts/postinstall.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

scripts.postinstall = node scripts/postinstall.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

scripts/enable_monitor.cjs
matchType = previous_version_dangerous_delta
matchedPackage = @myclaw163/clawclaw-cli@0.6.81
matchedIdentity = npm:QG15Y2xhdzE2My9jbGF3Y2xhdy1jbGk:0.6.81
similarity = 0.967
summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

L27:
L28: const fs = require("fs");
L29: const path = require("path");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

scripts/enable_monitor.cjs · L27

src/runtime/owner-control.ts
L4: import { join } from 'path';
L5: import { connect, createServer, type Server } from 'net';
L6: ...
L45: try {
L46: return JSON.parse(readFileSync(runtimePath, 'utf8'));
L47: } catch {}
...
L52: const hash = createHash('sha1').update(stateDir).digest('hex').slice(0, 12);
L53: if (process.platform === 'win32') return `\\\\.\\pipe\\clawclaw-${hash}-${pid}`;
L54: const dir = join(tmpdir(), 'clawclaw');
...
L80: if (request.token !== token) {
L81: socket.end(JSON.stringify({ ok: false, error: 'invalid_token' }) + '\n');
L82: return;
Low
Weak Crypto

Package source references weak cryptographic algorithms.

src/runtime/owner-control.ts · L4

scripts/find-hide-spots.py
path = scripts/find-hide-spots.py
kind = build_helper
sizeBytes = 6445
magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.


Findings

1 Critical · 1 High · 6 Medium · 6 Low
Critical · Previous Version Dangerous Delta · scripts/enable_monitor.cjs
High · Install Time Lifecycle Scripts · package.json
Medium · Ambiguous Install Lifecycle Script · package.json
Medium · Dynamic Require · scripts/enable_monitor.cjs
Medium · Network
Medium · Environment Vars
Medium · Ships Build Helper · scripts/find-hide-spots.py
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Weak Crypto · src/runtime/owner-control.ts
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings
Low · No License