AI Security Review
scanned 2d ago · by lpm-firewall-ai
No confirmed malicious attack surface was found. Risky primitives are tied to explicit CLI actions for a Permission Slip approval workflow, not install-time execution or hidden persistence.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs permission-slip commands such as register, config, request, or watch.
Impact
Can create package-owned local credentials/config, contact a user-configured server, and run a notification command when explicitly invoked.
Mechanism
User-invoked approval CLI with signed API calls, local key/config storage, and an optional watcher notification command.
Rationale
Source inspection shows an explicit agent-facing CLI whose network, key generation, config writes, and OpenClaw notification behavior are activated by user-run commands and are package-aligned. There is no install-time mutation of foreign AI-agent control surfaces, credential harvesting, hardcoded exfiltration endpoint, destructive behavior, or persistence outside the documented CLI workflow.
Evidence
- package.json
- dist/index.js
- dist/api/client.js
- dist/config/serverUrl.js
- dist/config/store.js
- dist/auth/keys.js
- dist/approvals/notifyCommand.js
- dist/approvals/watchLoop.js
- dist/commands/register.js
- dist/commands/watch.js
- ~/.permission-slip/config.json
- ~/.permission-slip/registrations.json
- ~/.ssh/permission_slip_agent
- ~/.ssh/permission_slip_agent.pub
Decision evidence
public snapshot
AI called this Clean at 91.0% confidence as Benign with low false-positive risk.
Evidence for block
- dist/approvals/watchLoop.js executes a user/configured notify command via /bin/sh during the watch command.
- dist/approvals/notifyCommand.js auto-detects openclaw and can wake an OpenClaw session when watch resolves.
- dist/auth/keys.js invokes ssh-keygen and writes ~/.ssh/permission_slip_agent keys on register.
Evidence against
- package.json has no install/postinstall/prepare lifecycle hook; prepublishOnly is publisher-side build only.
- dist/index.js only registers Commander CLI subcommands; no import-time network or filesystem mutation beyond changelog notice logic.
- dist/config/serverUrl.js requires user-supplied --server, PS_SERVER, or config default_server; no hardcoded exfiltration host.
- dist/api/client.js sends signed Permission Slip API requests to the configured server for register/status/approval flows.
- dist/config/store.js writes only package-owned ~/.permission-slip config/registration files.
- No code writes foreign AI-agent control files such as .mcp.json, CLAUDE.md, Claude/Codex/Cursor settings, or shell startup persistence.
Behavioral surface
ChildProcess · Crypto · EnvironmentVars · Filesystem · Network · Shell · HighEntropyStrings
Source & flagged code
8 flagged

dist/auth/keys.js
- line 41 · private_key_rsa · severity critical · matchedText: * Suppor...vely
  Critical Secret: package contains a critical-looking secret pattern.
- line 42 · private_key_openssh · severity critical · matchedText: * unders...--`,
- line 62 · private_key_openssh · severity critical · matchedText: .replace... "")
- line 161 · private_key_rsa · severity critical · matchedText: * NOTE: ... the
- line 162 · private_key_openssh · severity critical · matchedText: * OpenSS...de's

dist/auth/keys.d.ts
- line 28 · private_key_rsa · severity critical · matchedText: * Suppor...vely
- line 29 · private_key_openssh · severity critical · matchedText: * unders...--`,
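Every matchedText fragment above begins with `*` (a doc-comment continuation line) or `.replace(`, and dist/auth/keys.d.ts is a TypeScript declaration file, which can carry only type declarations and comments. That is the signature of a secret-pattern regex firing on the PEM header text inside code that documents or strips private-key headers, not on an embedded key, so these eight hits need context triage before they are read as leaked credentials. The block below is an added example, not lpm-firewall-ai's scanner and not the package's code: a small triage pass that classifies each header match by what surrounds it. SAMPLE_SOURCE is a constructed fixture shaped like the flagged file; its "key" body is a dummy base64 string, not real key material.

```javascript
// Added example (not lpm-firewall-ai's scanner, not the package's code):
// classify private-key header hits by context before calling them leaked keys.
const HEADER = /-----BEGIN (?:RSA |OPENSSH |EC |DSA )?PRIVATE KEY-----/;
// Real key material is one or more long base64-only lines after the header.
// This is a triage heuristic, not proof; a long bare identifier would also match.
const BASE64_LINE = /^[A-Za-z0-9+/=]{20,}$/;
// Line-leading JS/TS comment syntax: block-comment continuation, //, /*.
const COMMENT_LEAD = /^(\*|\/\/|\/\*)/;

// Returns one record per header match: { line, kind, text }.
function triagePrivateKeyHits(source) {
  const lines = source.split("\n");
  const hits = [];
  lines.forEach((raw, i) => {
    if (!HEADER.test(raw)) return;
    const text = raw.trim();
    let kind;
    if (COMMENT_LEAD.test(text)) {
      kind = "comment-reference"; // header mentioned in a comment
    } else if (lines.slice(i + 1, i + 3).some((l) => BASE64_LINE.test(l.trim()))) {
      kind = "embedded-key"; // header followed by a base64 body
    } else {
      kind = "code-reference"; // e.g. header-stripping or parsing code
    }
    hits.push({ line: i + 1, kind, text: text.slice(0, 60) });
  });
  return hits;
}

// Count hits by kind; only an embedded-key hit warrants a manual secret review.
function summarize(hits) {
  const counts = { "comment-reference": 0, "code-reference": 0, "embedded-key": 0 };
  for (const h of hits) counts[h.kind] += 1;
  return { ...counts, needsReview: counts["embedded-key"] > 0 };
}

// Constructed fixture modelled on the shape of the flagged file. The "key" is
// base64 of ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789, not a real private key.
const SAMPLE_SOURCE = [
  "/**",
  " * Supports keys in either PEM or OpenSSH format. The CLI never stores",
  " * -----BEGIN RSA PRIVATE KEY----- material itself; ssh-keygen does.",
  " */",
  "function stripHeader(pem) {",
  '  return pem.replace("-----BEGIN OPENSSH PRIVATE KEY-----", "").trim();',
  "}",
  "// constructed fixture for this example, not a real key",
  "const LEAKED = `-----BEGIN OPENSSH PRIVATE KEY-----",
  "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5",
  "-----END OPENSSH PRIVATE KEY-----`;",
].join("\n");

// Usage: lines 3 and 6 are references (comment, header-strip code); line 9 is
// the only hit with a body behind it and the only one that should stay critical.
console.table(triagePrivateKeyHits(SAMPLE_SOURCE));
console.log(summarize(triagePrivateKeyHits(SAMPLE_SOURCE)));
```

Run against the real dist/auth/keys.js, a pass like this would be expected to downgrade the five comment and `.replace` hits and both keys.d.ts hits to references, leaving the ssh-keygen-generated files under ~/.ssh (which the scanner does not read) as the actual key material to protect.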
Findings
8 Critical · 2 Medium · 4 Low
- Critical · Critical Secret · dist/auth/keys.js
- Critical · Secret Pattern · dist/auth/keys.js
- Critical · Secret Pattern · dist/auth/keys.js
- Critical · Secret Pattern · dist/auth/keys.js
- Critical · Secret Pattern · dist/auth/keys.js
- Critical · Secret Pattern · dist/auth/keys.js
- Critical · Secret Pattern · dist/auth/keys.d.ts
- Critical · Secret Pattern · dist/auth/keys.d.ts
- Medium · Network
- Medium · Environment Vars
- Low · Non Install Lifecycle Scripts
- Low · Scripts Present
- Low · Filesystem
- Low · High Entropy Strings