AI Security Review
scanned 3h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. Explicit `weclawbotctl openclaw install` installs and enables the package-owned OpenClaw plugin, then grants its conversation hook access. An optional separately installed bridge polls `weclawbot.link` for authenticated jobs and starts the configured OpenClaw agent with those job contents.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs `weclawbotctl openclaw install`, or manually installs and starts the supplied user systemd bridge service.
Impact
The configured OpenClaw agent can process gateway job data and the plugin can read paired-screen credentials from `~/.config/weclawbot/agent-mqtt.json` to publish MQTT screen controls; no npm-install-time or unconsented foreign-agent mutation was found.
Mechanism
Package-owned OpenClaw extension lifecycle setup and authenticated remote job-to-agent bridge.
Rationale
Static inspection resolves this as a package-owned OpenClaw extension with explicit CLI-driven installation and an optional manually installed bridge. It has meaningful agent-facing and remote-job capabilities, including enabling conversation hooks and passing authenticated gateway job content to a configured local agent, so it is not clean under the agent-extension policy. However, there is no npm lifecycle trigger, no automatic service installation, no unconsented mutation of a foreign or broad AI-agent control surface, no remote code loader, and no credential exfiltration or destructive chain. Warn-only handling is appropriate.
Evidence
package.jsonbin/weclawbotctl.mjsbin/weclawbot-openclaw-bridge.mjsindex.mjsopenclaw.plugin.jsonsystemd/weclawbot-openclaw-curator.serviceREADME.md~/.config/weclawbot/agent-mqtt.json~/.config/systemd/user/weclawbot-openclaw-curator.service
Network endpoints2
weclawbot.linkweclawbot.link/api/agent/curator/jobs
Decision evidence
public snapshotAI called this Suspicious at 88.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- `bin/weclawbotctl.mjs` exposes an explicit `weclawbotctl openclaw install` command that runs `openclaw plugins install`, enables the `weclawbot` plugin, and sets `plugins.entries.weclawbot.hooks.allowConversationAccess` to `true`.
- `bin/weclawbot-openclaw-bridge.mjs` polls the authenticated `https://weclawbot.link/api/agent/curator/jobs` path using `WEC_GATEWAY_TOKEN`, then launches the configured `openclaw` binary with a gateway-provided job rendered as the agent message.
- `systemd/weclawbot-openclaw-curator.service` defines an always-restarting user service that executes `weclawbot-openclaw-bridge`; `README.md` instructs users to manually copy it to `~/.config/systemd/user/` and enable it.
- `openclaw.plugin.json` activates the package-owned OpenClaw extension on startup and exposes tools that read local pairing credentials and publish controls to the paired screen.
Evidence against
- `package.json` has no `preinstall`, `install`, `postinstall`, `prepare`, or uninstall lifecycle hook, so npm installation does not trigger the plugin installation, configuration mutation, bridge, or service registration.
- The OpenClaw configuration change is behind the explicit user-invoked `weclawbotctl openclaw install` command and targets the package's own `plugins.entries.weclawbot` namespace rather than a foreign agent configuration surface.
- No inspected source uses `eval`, `Function`, `vm`, shell-string execution, detached subprocesses, or fetched JavaScript/command text. Subprocess calls use fixed argument arrays for the configured `openclaw` and package CLI binaries.
- `bin/weclawbotctl.mjs` writes `~/.config/weclawbot/agent-mqtt.json` only after an explicit six-digit pairing operation and applies restrictive `0700` directory and `0600` file permissions.
- The provided version diff changes only `lib/mqtt-control.mjs`, `package.json`, and MQTT tests, with no new lifecycle script, dependency, or static capability reported.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
5 flagged · loading sourcebin/weclawbotctl.mjsView file
180patternName = generic_password
severity = medium
line = 180
matchedText = `WEC_MQT...)}`,
Medium
189patternName = generic_password
severity = medium
line = 189
matchedText = `passwor..."}`,
Medium
574patternName = generic_password
severity = medium
line = 574
matchedText = password...**",
Medium
585patternName = generic_password
severity = medium
line = 585
matchedText = if (!inc...**";
Medium
index.mjsView file
682patternName = generic_password
severity = medium
line = 682
matchedText = password...**",
Medium
Findings
7 Medium4 Low
MediumSecret Patternbin/weclawbotctl.mjs
MediumNetwork
MediumEnvironment Vars
MediumSecret Patternbin/weclawbotctl.mjs
MediumSecret Patternbin/weclawbotctl.mjs
MediumSecret Patternbin/weclawbotctl.mjs
MediumSecret Patternindex.mjs
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings