registry  /  @permission-slip/cli  /  0.1.23

@permission-slip/cli@0.1.23

Agent-facing CLI for Permission Slip — register, verify, and interact with Permission Slip servers

AI Security Review

scanned 1d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is an agent-facing approval CLI with user-invoked registration, API calls, webhook configuration, and optional OpenClaw notification commands.

Static reason
One or more suspicious static signals were detected.
Trigger
Explicit CLI commands such as `register`, `request`, `watch`, or `webhook set`.
Impact
Can create package-specific local config/keys and contact the configured Permission Slip server; no unconsented lifecycle mutation or exfiltration found.
Mechanism
user-configured signed approval client
Rationale
Static inspection shows a package-aligned CLI whose sensitive operations are explicit runtime commands using user-supplied server URLs and package-owned local files. There is no install-time execution, hardcoded exfiltration endpoint, persistence, credential harvesting, or foreign AI-agent control-surface mutation.
Evidence
package.jsondist/index.jsdist/api/client.jsdist/config/store.jsdist/auth/keys.jsdist/commands/register.jsdist/commands/watch.jsdist/commands/webhook.jsdist/approvals/notifyCommand.js~/.permission-slip/config.json~/.permission-slip/registrations.json~/.ssh/permission_slip_agent~/.ssh/permission_slip_agent.pub

Decision evidence

public snapshot
AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
  • User-invoked `permission-slip watch` can run a notify shell command, defaulting to `openclaw system event` when present.
  • `register` creates/reuses `~/.ssh/permission_slip_agent{,.pub}` and writes `~/.permission-slip/registrations.json`.
  • CLI sends signed requests and optional webhook tokens to a user-supplied Permission Slip server.
Evidence against
  • `package.json` has no install/postinstall lifecycle hook; `prepublishOnly` only runs `npm run build` before publishing.
  • No hardcoded network endpoint: server comes from `--server`, `PS_SERVER`, or `~/.permission-slip/config.json`.
  • No foreign AI-agent control-surface files such as `.mcp.json`, `CLAUDE.md`, Codex/Cursor settings, hooks, or startup persistence are written.
  • `dist/auth/keys.js` generates package-specific Ed25519 keys; scanner secret hit is key-handling code, not an embedded credential.
  • Network, key generation, webhook setup, and notify command execution are tied to explicit CLI commands, not import/install time.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStrings
ManifestNo manifest risk signals triggered.
scanned 31 file(s), 91.3 KB of source

Source & flagged code

8 flagged · loading source
dist/auth/keys.jsView file
41patternName = private_key_rsa severity = critical line = 41 matchedText = * Suppor...vely
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist/auth/keys.jsView on unpkg · L41
41patternName = private_key_rsa severity = critical line = 41 matchedText = * Suppor...vely
Critical
Secret Pattern

RSA private key in dist/auth/keys.js

dist/auth/keys.jsView on unpkg · L41
42patternName = private_key_openssh severity = critical line = 42 matchedText = * unders...--`,
Critical
Secret Pattern

OpenSSH private key in dist/auth/keys.js

dist/auth/keys.jsView on unpkg · L42
62patternName = private_key_openssh severity = critical line = 62 matchedText = .replace... "")
Critical
Secret Pattern

OpenSSH private key in dist/auth/keys.js

dist/auth/keys.jsView on unpkg · L62
161patternName = private_key_rsa severity = critical line = 161 matchedText = * NOTE: ... the
Critical
Secret Pattern

RSA private key in dist/auth/keys.js

dist/auth/keys.jsView on unpkg · L161
162patternName = private_key_openssh severity = critical line = 162 matchedText = * OpenSS...de's
Critical
Secret Pattern

OpenSSH private key in dist/auth/keys.js

dist/auth/keys.jsView on unpkg · L162
dist/auth/keys.d.tsView file
28patternName = private_key_rsa severity = critical line = 28 matchedText = * Suppor...vely
Critical
Secret Pattern

RSA private key in dist/auth/keys.d.ts

dist/auth/keys.d.tsView on unpkg · L28
29patternName = private_key_openssh severity = critical line = 29 matchedText = * unders...--`,
Critical
Secret Pattern

OpenSSH private key in dist/auth/keys.d.ts

dist/auth/keys.d.tsView on unpkg · L29

Findings

8 Critical2 Medium4 Low
CriticalCritical Secretdist/auth/keys.js
CriticalSecret Patterndist/auth/keys.js
CriticalSecret Patterndist/auth/keys.js
CriticalSecret Patterndist/auth/keys.js
CriticalSecret Patterndist/auth/keys.js
CriticalSecret Patterndist/auth/keys.js
CriticalSecret Patterndist/auth/keys.d.ts
CriticalSecret Patterndist/auth/keys.d.ts
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings