@myclaw163/clawclaw-cli@0.6.86

ClawClaw social deduction game CLI

AI Security Review

scanned 3d ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. Global install mutates AI agent skill directories at lifecycle time. This changes Claude/Codex/OpenClaw control-surface content without a separate user command.

Static reason
One or more suspicious static signals were detected; previous stored version diff introduced dangerous source
Trigger
npm install -g @myclaw163/clawclaw-cli@0.6.86
Impact
Bundled package content can become active agent instructions in local AI coding tools after install.
Mechanism
postinstall agent skill synchronization
Policy narrative
On global npm install, the postinstall hook imports scripts/sync-bundled-skill.mjs and runs syncBundledSkill(). That helper locates existing local agent skill directories for Claude/Codex/OpenClaw-style tools, backs them up, then invokes the bundled skills CLI with add -y -g to install this package's clawclaw skill globally. This is install-time AI-agent control-surface mutation rather than a user-invoked setup command.
Rationale
Even though the package appears to be a game CLI and no credential exfiltration was found, its global postinstall writes AI agent skill content into local assistant configuration surfaces. Under the firewall decision boundary, unconsented lifecycle AI-agent control-surface mutation is blockable. Product guard normalized a non-low false-positive publish_block request to warn-only suspicious.
Evidence
  • package.json
  • scripts/postinstall.mjs
  • scripts/sync-bundled-skill.mjs
  • skills/clawclaw/SKILL.md
  • scripts/enable_ccl_permissions.cjs
  • ~/.agents/skills/clawclaw
  • ~/.claude/skills/clawclaw
  • ~/.codex/skills/clawclaw
  • ~/.openclaw/skills/clawclaw
  • ~/.clawdbot/skills/clawclaw
  • ~/.moltbot/skills/clawclaw
  • ~/.clawclaw/skill-backups/*

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for policy block
  • package.json runs postinstall: node scripts/postinstall.mjs
  • scripts/postinstall.mjs calls syncBundledSkill() on global npm installs unless CLAWCLAW_SKIP_SKILL_SYNC=1
  • scripts/sync-bundled-skill.mjs writes bundled skill via skills add <sourceDir> -y -g during postinstall
  • syncBundledSkill targets agent skill locations including ~/.agents/skills/clawclaw, ~/.claude/skills/clawclaw, ~/.codex/skills/clawclaw, and OpenClaw skill dirs
  • scripts/enable_ccl_permissions.cjs can add Bash(ccl *) and PowerShell(ccl *) to ~/.claude/settings.json when explicitly run
Evidence against
  • No credential harvesting or hardcoded exfiltration endpoints found in inspected lifecycle code
  • Network APIs in src/lib/game-client.ts and src/lib/http-transport.ts are aligned with the game CLI client
  • enable_ccl_permissions.cjs is not invoked by package.json postinstall
  • scripts/sync-bundled-skill.mjs backs up existing skill dirs before replacement
Behavioral surface
Source
ChildProcess · Crypto · DynamicRequire · EnvironmentVars · Filesystem · Network · Shell · WebSocket
Supply chain
HighEntropyStrings · UrlStrings
Manifest
NoLicense
scanned 199 file(s), 996 KB of source, external domains: custom.example, example.com, game.example.com, hub.example, lobby.example, myclaw.163.com, registry.npmmirror.com

Source & flagged code

6 flagged
package.json
scripts.postinstall = node scripts/postinstall.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

scripts.postinstall = node scripts/postinstall.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

scripts/enable_ccl_permissions.cjs
L12:
L13: const fs = require("fs");
L14: const os = require("os");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

scripts/enable_ccl_permissions.cjs · L12
src/runtime/owner-control.ts
L4: import { join } from 'path';
L5: import { connect, createServer, type Server } from 'net';
L6: ...
L45: try {
L46: return JSON.parse(readFileSync(runtimePath, 'utf8'));
L47: } catch {}
...
L52: const hash = createHash('sha1').update(stateDir).digest('hex').slice(0, 12);
L53: if (process.platform === 'win32') return `\\\\.\\pipe\\clawclaw-${hash}-${pid}`;
L54: const dir = join(tmpdir(), 'clawclaw');
...
L80: if (request.token !== token) {
L81: socket.end(JSON.stringify({ ok: false, error: 'invalid_token' }) + '\n');
L82: return;
Low
Weak Crypto

Package source references weak cryptographic algorithms.

src/runtime/owner-control.ts · L4
scripts/find-hide-spots.py
path = scripts/find-hide-spots.py
kind = build_helper
sizeBytes = 6445
magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

src/commands/game.ts
matchType = previous_version_dangerous_delta
matchedPackage = @myclaw163/clawclaw-cli@0.6.82
matchedIdentity = npm:QG15Y2xhdzE2My9jbGF3Y2xhdy1jbGk:0.6.82
similarity = 0.750
summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.


Findings

1 Critical · 1 High · 6 Medium · 6 Low
Critical · Previous Version Dangerous Delta · src/commands/game.ts
High · Install Time Lifecycle Scripts · package.json
Medium · Ambiguous Install Lifecycle Script · package.json
Medium · Dynamic Require · scripts/enable_ccl_permissions.cjs
Medium · Network
Medium · Environment Vars
Medium · Ships Build Helper · scripts/find-hide-spots.py
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Weak Crypto · src/runtime/owner-control.ts
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings
Low · No License