registry  /  @okki-global/okki-claw  /  1.3.1-beta

@okki-global/okki-claw@1.3.1-beta

Node.js sidecar that bridges local OpenClaw gateway to the agent-relay cloud relay.

AI Security Review

scanned 4h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs `okki-claw`/the sidecar daemon after pairing.
Impact
A configured relay can access the local agent gateway under the paired device and gateway credentials; this is an explicit but high-impact remote-agent capability.
Mechanism
Authenticated WebSocket relay bridge to a local OpenClaw gateway.
Rationale
No concrete malicious chain was found, but the package deliberately creates a persistent authenticated relay path to a local AI-agent gateway and can self-update. Treat it as a warning-worthy, user-invoked agent capability rather than malware.
Evidence
package.jsonREADME.mddist/main.jsdist/chunk-BUKVIEU7.jsdist/index.d.ts~/.agent-relay/config.json~/.openclaw/openclaw.json
Network endpoints2
agent-relay.okki.comlocalhost:18799

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/chunk-BUKVIEU7.js` reads the OpenClaw gateway token/config and maintains a relay tunnel.
  • Pairing sends a supplied token to `https://agent-relay.okki.com/api/devices/complete-pairing` and persists relay credentials.
  • Daemon mode optionally self-updates with `npm install -g @okki-global/okki-claw@<latest>`.
  • CLI includes explicit agent process termination commands.
Evidence against
  • `package.json` has no `preinstall`, `install`, or `postinstall` hook.
  • The manifest, README, and runtime consistently describe a user-invoked OpenClaw-to-relay sidecar.
  • Config writes are limited to the package-owned `~/.agent-relay/config.json` with restrictive permissions.
  • No source evidence of hidden exfiltration, foreign AI-agent config mutation, or remote shell payload execution.
Behavioral surface
Source
ChildProcessEnvironmentVarsNetwork
Supply chain
HighEntropyStringsMinifiedUrlStrings
Manifest
NoLicense
scanned 3 file(s), 271 KB of source, external domains: 127.0.0.1, agent-relay.okki.com

Source & flagged code

3 flagged · loading source
dist/chunk-BUKVIEU7.jsView file
1import{execFile as Ro}from"child_process";import{readFile as Po}from"fs/promises";import{dirname as Io,join as Gn}from"path";import{fileURLToPath as Eo}from"url";import{promisify a... L2: Set OPENCLAW_GATEWAY_URL and OPENCLAW_GATEWAY_TOKEN to override`)}let n;try{n=JSON.parse(e)}catch{throw new Error(`Invalid JSON in ${t.openclawConfigPath}`)}let s=n.gateway,r=s?.po...
High
Child Process

Package source references child process execution.

dist/chunk-BUKVIEU7.jsView on unpkg · L1
1import{execFile as Ro}from"child_process";import{readFile as Po}from"fs/promises";import{dirname as Io,join as Gn}from"path";import{fileURLToPath as Eo}from"url";import{promisify a... L2: Set OPENCLAW_GATEWAY_URL and OPENCLAW_GATEWAY_TOKEN to override`)}let n;try{n=JSON.parse(e)}catch{throw new Error(`Invalid JSON in ${t.openclawConfigPath}`)}let s=n.gateway,r=s?.po...
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/chunk-BUKVIEU7.jsView on unpkg · L1
1import{execFile as Ro}from"child_process";import{readFile as Po}from"fs/promises";import{dirname as Io,join as Gn}from"path";import{fileURLToPath as Eo}from"url";import{promisify a... L2: Set OPENCLAW_GATEWAY_URL and OPENCLAW_GATEWAY_TOKEN to override`)}let n;try{n=JSON.parse(e)}catch{throw new Error(`Invalid JSON in ${t.openclawConfigPath}`)}let s=n.gateway,r=s?.po... L3: Set OPENCLAW_GATEWAY_TOKEN to override`);return{url:`http://${i}:${a}`,token:d}}async function ci(t){try{return(await fetch(`${t.url}/health`,{headers:{Authorization:`Bearer ${t.to... L4: `),{id:s,promise:r,cancel:i=>{let a=this.pendingRequests.get(s);a&&(this.pendingRequests.delete(s),a.reject(i))}}}sendNotification(e,n){if(!this.proc)throw new Error("ACP client no...
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/chunk-BUKVIEU7.jsView on unpkg · L1

Findings

3 High2 Medium4 Low
HighChild Processdist/chunk-BUKVIEU7.js
HighSame File Env Network Executiondist/chunk-BUKVIEU7.js
HighCommand Output Exfiltrationdist/chunk-BUKVIEU7.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings
LowNo License