registry  /  @openbrt/weclawbotctl  /  0.1.22

@openbrt/weclawbotctl@0.1.22

WeClawBot pairing and screen-control CLI for local AI agents.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. Explicit `weclawbotctl openclaw install` installs and enables the package-owned OpenClaw plugin, then grants its conversation hook access. An optional separately installed bridge polls `weclawbot.link` for authenticated jobs and starts the configured OpenClaw agent with those job contents.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs `weclawbotctl openclaw install`, or manually installs and starts the supplied user systemd bridge service.
Impact
The configured OpenClaw agent can process gateway job data and the plugin can read paired-screen credentials from `~/.config/weclawbot/agent-mqtt.json` to publish MQTT screen controls; no npm-install-time or unconsented foreign-agent mutation was found.
Mechanism
Package-owned OpenClaw extension lifecycle setup and authenticated remote job-to-agent bridge.
Rationale
Static inspection resolves this as a package-owned OpenClaw extension with explicit CLI-driven installation and an optional manually installed bridge. It has meaningful agent-facing and remote-job capabilities, including enabling conversation hooks and passing authenticated gateway job content to a configured local agent, so it is not clean under the agent-extension policy. However, there is no npm lifecycle trigger, no automatic service installation, no unconsented mutation of a foreign or broad AI-agent control surface, no remote code loader, and no credential exfiltration or destructive chain. Warn-only handling is appropriate.
Evidence
package.jsonbin/weclawbotctl.mjsbin/weclawbot-openclaw-bridge.mjsindex.mjsopenclaw.plugin.jsonsystemd/weclawbot-openclaw-curator.serviceREADME.md~/.config/weclawbot/agent-mqtt.json~/.config/systemd/user/weclawbot-openclaw-curator.service
Network endpoints2
weclawbot.linkweclawbot.link/api/agent/curator/jobs

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `bin/weclawbotctl.mjs` exposes an explicit `weclawbotctl openclaw install` command that runs `openclaw plugins install`, enables the `weclawbot` plugin, and sets `plugins.entries.weclawbot.hooks.allowConversationAccess` to `true`.
  • `bin/weclawbot-openclaw-bridge.mjs` polls the authenticated `https://weclawbot.link/api/agent/curator/jobs` path using `WEC_GATEWAY_TOKEN`, then launches the configured `openclaw` binary with a gateway-provided job rendered as the agent message.
  • `systemd/weclawbot-openclaw-curator.service` defines an always-restarting user service that executes `weclawbot-openclaw-bridge`; `README.md` instructs users to manually copy it to `~/.config/systemd/user/` and enable it.
  • `openclaw.plugin.json` activates the package-owned OpenClaw extension on startup and exposes tools that read local pairing credentials and publish controls to the paired screen.
Evidence against
  • `package.json` has no `preinstall`, `install`, `postinstall`, `prepare`, or uninstall lifecycle hook, so npm installation does not trigger the plugin installation, configuration mutation, bridge, or service registration.
  • The OpenClaw configuration change is behind the explicit user-invoked `weclawbotctl openclaw install` command and targets the package's own `plugins.entries.weclawbot` namespace rather than a foreign agent configuration surface.
  • No inspected source uses `eval`, `Function`, `vm`, shell-string execution, detached subprocesses, or fetched JavaScript/command text. Subprocess calls use fixed argument arrays for the configured `openclaw` and package CLI binaries.
  • `bin/weclawbotctl.mjs` writes `~/.config/weclawbot/agent-mqtt.json` only after an explicit six-digit pairing operation and applies restrictive `0700` directory and `0600` file permissions.
  • The provided version diff changes only `lib/mqtt-control.mjs`, `package.json`, and MQTT tests, with no new lifecycle script, dependency, or static capability reported.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 10 file(s), 96.1 KB of source, external domains: weclawbot.link

Source & flagged code

5 flagged · loading source
bin/weclawbotctl.mjsView file
180patternName = generic_password severity = medium line = 180 matchedText = `WEC_MQT...)}`,
Medium
Secret Pattern

Package contains a possible secret pattern.

bin/weclawbotctl.mjsView on unpkg · L180
189patternName = generic_password severity = medium line = 189 matchedText = `passwor..."}`,
Medium
Secret Pattern

Hardcoded password in bin/weclawbotctl.mjs

bin/weclawbotctl.mjsView on unpkg · L189
574patternName = generic_password severity = medium line = 574 matchedText = password...**",
Medium
Secret Pattern

Hardcoded password in bin/weclawbotctl.mjs

bin/weclawbotctl.mjsView on unpkg · L574
585patternName = generic_password severity = medium line = 585 matchedText = if (!inc...**";
Medium
Secret Pattern

Hardcoded password in bin/weclawbotctl.mjs

bin/weclawbotctl.mjsView on unpkg · L585
index.mjsView file
682patternName = generic_password severity = medium line = 682 matchedText = password...**",
Medium
Secret Pattern

Hardcoded password in index.mjs

index.mjsView on unpkg · L682

Findings

7 Medium4 Low
MediumSecret Patternbin/weclawbotctl.mjs
MediumNetwork
MediumEnvironment Vars
MediumSecret Patternbin/weclawbotctl.mjs
MediumSecret Patternbin/weclawbotctl.mjs
MediumSecret Patternbin/weclawbotctl.mjs
MediumSecret Patternindex.mjs
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings