registry  /  @okki-global/okki-claw  /  1.2.8-beta

@okki-global/okki-claw@1.2.8-beta

Node.js sidecar that bridges local OpenClaw gateway to the agent-relay cloud relay.

AI Security Review

scanned 2d ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. User-invoked CLI sidecar bridges a local OpenClaw gateway and configured agent commands to an agent-relay WebSocket service. It reads local gateway credentials and can execute approved agent/terminal operations during a connected session. No install-time or import-time attack trigger was found.

Static reason
One or more suspicious static signals were detected.
Trigger
Explicit `okki-claw` pairing, run, or daemon command
Impact
A paired relay service can mediate configured local agent and terminal capabilities
Mechanism
Persistent cloud relay tunnel with local AI-agent and PTY bridges
Rationale
Source establishes a high-impact, first-party agent-relay sidecar with persistent connectivity and daemon self-updates, but no concrete malicious behavior, exfiltration chain, lifecycle hook, or foreign AI-agent control-surface write was found. Flag as a guarded agent extension lifecycle risk rather than malicious.
Evidence
package.jsonREADME.mddist/index.jsdist/main.jsdist/chunk-G2TVJH3L.js~/.agent-relay/config.json~/.openclaw/openclaw.json
Network endpoints3
agent-relay.okki.comlocalhost:18799localhost:18789

Decision evidence

public snapshot
AI called this Suspicious at 84.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/chunk-G2TVJH3L.js` opens a persistent relay tunnel and exposes local agent/PTY capabilities after sidecar startup.
  • Daemon mode auto-updates with `npm install -g @okki-global/okki-claw@<latest>` when enabled.
Evidence against
  • `package.json` has no npm preinstall, install, postinstall, or other lifecycle hook.
  • Pairing requires an explicit user-supplied token; credentials are written only to `~/.agent-relay/config.json` with restrictive permissions.
  • OpenClaw configuration is read for gateway discovery; inspected source does not write `~/.openclaw`, `.claude`, or `.codex` configuration.
Behavioral surface
Source
ChildProcessEnvironmentVarsNetwork
Supply chain
HighEntropyStringsMinifiedUrlStrings
Manifest
NoLicense
scanned 3 file(s), 270 KB of source, external domains: 127.0.0.1, agent-relay.okki.com

Source & flagged code

3 flagged · loading source
dist/chunk-G2TVJH3L.jsView file
1import{execFile as Ro}from"child_process";import{readFile as Po}from"fs/promises";import{dirname as Io,join as Gn}from"path";import{fileURLToPath as Eo}from"url";import{promisify a... L2: Set OPENCLAW_GATEWAY_URL and OPENCLAW_GATEWAY_TOKEN to override`)}let n;try{n=JSON.parse(e)}catch{throw new Error(`Invalid JSON in ${t.openclawConfigPath}`)}let s=n.gateway,r=s?.po...
High
Child Process

Package source references child process execution.

dist/chunk-G2TVJH3L.jsView on unpkg · L1
1import{execFile as Ro}from"child_process";import{readFile as Po}from"fs/promises";import{dirname as Io,join as Gn}from"path";import{fileURLToPath as Eo}from"url";import{promisify a... L2: Set OPENCLAW_GATEWAY_URL and OPENCLAW_GATEWAY_TOKEN to override`)}let n;try{n=JSON.parse(e)}catch{throw new Error(`Invalid JSON in ${t.openclawConfigPath}`)}let s=n.gateway,r=s?.po...
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/chunk-G2TVJH3L.jsView on unpkg · L1
1import{execFile as Ro}from"child_process";import{readFile as Po}from"fs/promises";import{dirname as Io,join as Gn}from"path";import{fileURLToPath as Eo}from"url";import{promisify a... L2: Set OPENCLAW_GATEWAY_URL and OPENCLAW_GATEWAY_TOKEN to override`)}let n;try{n=JSON.parse(e)}catch{throw new Error(`Invalid JSON in ${t.openclawConfigPath}`)}let s=n.gateway,r=s?.po... L3: Set OPENCLAW_GATEWAY_TOKEN to override`);return{url:`http://${i}:${a}`,token:d}}async function ci(t){try{return(await fetch(`${t.url}/health`,{headers:{Authorization:`Bearer ${t.to... L4: `),{id:s,promise:r,cancel:i=>{let a=this.pendingRequests.get(s);a&&(this.pendingRequests.delete(s),a.reject(i))}}}sendNotification(e,n){if(!this.proc)throw new Error("ACP client no...
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/chunk-G2TVJH3L.jsView on unpkg · L1

Findings

3 High2 Medium4 Low
HighChild Processdist/chunk-G2TVJH3L.js
HighSame File Env Network Executiondist/chunk-G2TVJH3L.js
HighCommand Output Exfiltrationdist/chunk-G2TVJH3L.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings
LowNo License