AI Security Review
scanned 1d ago · by lpm-firewall-ai
No confirmed malicious attack surface. The package is an agent-facing approval CLI with user-invoked registration, API calls, webhook configuration, and optional OpenClaw notification commands.
Static reason
One or more suspicious static signals were detected.
Trigger
Explicit CLI commands such as `register`, `request`, `watch`, or `webhook set`.
Impact
Can create package-specific local config/keys and contact the configured Permission Slip server; no unconsented lifecycle mutation or exfiltration found.
Mechanism
user-configured signed approval client
Rationale
Static inspection shows a package-aligned CLI whose sensitive operations are explicit runtime commands using user-supplied server URLs and package-owned local files. There is no install-time execution, hardcoded exfiltration endpoint, persistence, credential harvesting, or foreign AI-agent control-surface mutation.
Evidence
- `package.json`
- `dist/index.js`
- `dist/api/client.js`
- `dist/config/store.js`
- `dist/auth/keys.js`
- `dist/commands/register.js`
- `dist/commands/watch.js`
- `dist/commands/webhook.js`
- `dist/approvals/notifyCommand.js`
- `~/.permission-slip/config.json`
- `~/.permission-slip/registrations.json`
- `~/.ssh/permission_slip_agent`
- `~/.ssh/permission_slip_agent.pub`
Decision evidence
public snapshot
AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
- User-invoked `permission-slip watch` can run a notify shell command, defaulting to `openclaw system event` when present.
- `register` creates/reuses `~/.ssh/permission_slip_agent{,.pub}` and writes `~/.permission-slip/registrations.json`.
- CLI sends signed requests and optional webhook tokens to a user-supplied Permission Slip server.
Evidence against
- `package.json` has no install/postinstall lifecycle hook; `prepublishOnly` only runs `npm run build` before publishing.
- No hardcoded network endpoint: server comes from `--server`, `PS_SERVER`, or `~/.permission-slip/config.json`.
- No foreign AI-agent control-surface files such as `.mcp.json`, `CLAUDE.md`, Codex/Cursor settings, hooks, or startup persistence are written.
- `dist/auth/keys.js` generates package-specific Ed25519 keys; scanner secret hit is key-handling code, not an embedded credential.
- Network, key generation, webhook setup, and notify command execution are tied to explicit CLI commands, not import/install time.
Behavioral surface
ChildProcess, Crypto, EnvironmentVars, Filesystem, Network, Shell, HighEntropyStrings
Source & flagged code
8 flagged
dist/auth/keys.js
patternName = private_key_rsa
severity = critical
line = 41
matchedText = * Suppor...vely
Critical
Critical Secret
Package contains a critical-looking secret pattern.
dist/auth/keys.js · L41
patternName = private_key_rsa
severity = critical
line = 41
matchedText = * Suppor...vely
Critical
patternName = private_key_openssh
severity = critical
line = 42
matchedText = * unders...--`,
Critical
patternName = private_key_openssh
severity = critical
line = 62
matchedText = .replace... "")
Critical
patternName = private_key_rsa
severity = critical
line = 161
matchedText = * NOTE: ... the
Critical
patternName = private_key_openssh
severity = critical
line = 162
matchedText = * OpenSS...de's
Critical
dist/auth/keys.d.ts
patternName = private_key_rsa
severity = critical
line = 28
matchedText = * Suppor...vely
Critical
patternName = private_key_openssh
severity = critical
line = 29
matchedText = * unders...--`,
Critical
Findings
8 Critical · 2 Medium · 4 Low
- Critical · Critical Secret · `dist/auth/keys.js`
- Critical · Secret Pattern · `dist/auth/keys.js`
- Critical · Secret Pattern · `dist/auth/keys.js`
- Critical · Secret Pattern · `dist/auth/keys.js`
- Critical · Secret Pattern · `dist/auth/keys.js`
- Critical · Secret Pattern · `dist/auth/keys.js`
- Critical · Secret Pattern · `dist/auth/keys.d.ts`
- Critical · Secret Pattern · `dist/auth/keys.d.ts`
- Medium · Network
- Medium · Environment Vars
- Low · Non Install Lifecycle Scripts
- Low · Scripts Present
- Low · Filesystem
- Low · High Entropy Strings