AI Security Review
scanned 4d ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package is a user-invoked WeClawBot pairing/control CLI that stores local MQTT credentials and publishes device control messages after explicit commands.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs weclawbotctl bind/status/doctor/export/unbind/screen/preview/clear/thinking/idle or imports exported libs.
Impact
User-selected WeClawBot pairing and screen/activity control; no install-time execution or stealth exfiltration found.
Mechanism
explicit CLI credential storage and MQTT device control
Rationale
Static inspection shows suspicious primitives are tied to the documented CLI purpose: pairing, local credential management, preview file generation, and MQTT publishing to a user-paired device. There is no lifecycle hook, hidden import-time execution, broad agent configuration mutation, credential harvesting, or unconsented remote payload behavior.
Evidence
package.jsonbin/weclawbotctl.mjsbin/weclawbot-byoa-bind.mjslib/mqtt-control.mjsREADME.md~/.config/weclawbot/agent-mqtt.jsonuser-specified screen JSON pathsuser-specified export/preview output pathspreview spool directory from WECLAWBOT_PREVIEW_SPOOL_DIR or OS temp
Network endpoints2
weclawbot.link/byoawss:// URLs supplied by paired MQTT credentials
Decision evidence
public snapshotAI called this Clean at 92.0% confidence as Benign with low false-positive risk.
Evidence for block
- bin/weclawbotctl.mjs can export stored MQTT password only when user passes --include-secret.
- bin/weclawbotctl.mjs writes/removes ~/.config/weclawbot/agent-mqtt.json via explicit bind/unbind commands.
Evidence against
- package.json has no preinstall/install/postinstall hooks; execution is only user-invoked CLI/imports.
- Network use is package-aligned: bind POSTs to https://weclawbot.link/byoa and MQTT uses wss:// URL from paired credentials.
- bin/weclawbot-byoa-bind.mjs only spawns node to run the local weclawbotctl bind command with inherited stdio.
- No code writes AI-agent configs, persistence hooks, or foreign control surfaces.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
4 flagged · loading sourcebin/weclawbotctl.mjsView file
180patternName = generic_password
severity = medium
line = 180
matchedText = `WEC_MQT...)}`,
Medium
189patternName = generic_password
severity = medium
line = 189
matchedText = `passwor..."}`,
Medium
466patternName = generic_password
severity = medium
line = 466
matchedText = password...**",
Medium
477patternName = generic_password
severity = medium
line = 477
matchedText = if (!inc...**";
Medium
Findings
6 Medium4 Low
MediumSecret Patternbin/weclawbotctl.mjs
MediumNetwork
MediumEnvironment Vars
MediumSecret Patternbin/weclawbotctl.mjs
MediumSecret Patternbin/weclawbotctl.mjs
MediumSecret Patternbin/weclawbotctl.mjs
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings