AI Security Review
scanned 1d ago · by lpm-firewall-ai
No confirmed malicious attack surface. Runtime behavior is a user-invoked agent approval CLI that stores its own config/registration and SSH-style key files, then talks to a user-configured Permission Slip server.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs permission-slip CLI commands
Impact
No install-time execution, credential harvesting, exfiltration, persistence, or foreign AI-agent control-surface mutation found.
Mechanism
user-invoked API client, local config/key management, optional watcher notification
Rationale
Static source inspection shows package-aligned, user-invoked approval CLI behavior with no lifecycle delivery into foreign agent surfaces and no hardcoded exfiltration endpoint. The scanner secret finding is explained by generated local key-management code, not an embedded credential.
Evidence
- package.json
- dist/index.js
- dist/api/client.js
- dist/config/serverUrl.js
- dist/config/store.js
- dist/auth/keys.js
- dist/commands/watch.js
- dist/approvals/watchLoop.js
- dist/approvals/notifyCommand.js
- ~/.permission-slip/config.json
- ~/.permission-slip/registrations.json
- ~/.ssh/permission_slip_agent
- ~/.ssh/permission_slip_agent.pub
Decision evidence
public snapshot
AI called this Clean at 91.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- package.json has no install/postinstall hook; prepublishOnly only runs build before publishing
- bin dist/index.js only registers commander subcommands and prints changelog notice
- server URL has no default host; resolved from --server, PS_SERVER, or ~/.permission-slip/config.json
- dist/api/client.js sends signed requests only to user-configured http(s) server paths
- dist/auth/keys.js generates/reads a package-specific Ed25519 key, not a hardcoded secret
- OpenClaw notify shell execution is user-invoked via watch/--notify-cmd and package-aligned
Behavioral surface
ChildProcess · Crypto · EnvironmentVars · Filesystem · Network · Shell
HighEntropyStrings
Source & flagged code
8 flagged
dist/auth/keys.js
patternName = private_key_rsa
severity = critical
line = 41
matchedText = * Suppor...vely
Critical
Critical Secret
Package contains a critical-looking secret pattern.
dist/auth/keys.js · L41
patternName = private_key_rsa
severity = critical
line = 41
matchedText = * Suppor...vely
Critical
patternName = private_key_openssh
severity = critical
line = 42
matchedText = * unders...--`,
Critical
patternName = private_key_openssh
severity = critical
line = 62
matchedText = .replace... "")
Critical
patternName = private_key_rsa
severity = critical
line = 161
matchedText = * NOTE: ... the
Critical
patternName = private_key_openssh
severity = critical
line = 162
matchedText = * OpenSS...de's
Critical
dist/auth/keys.d.ts
patternName = private_key_rsa
severity = critical
line = 28
matchedText = * Suppor...vely
Critical
patternName = private_key_openssh
severity = critical
line = 29
matchedText = * unders...--`,
Critical
Findings
8 Critical · 2 Medium · 4 Low
Critical · Critical Secret · dist/auth/keys.js
Critical · Secret Pattern · dist/auth/keys.js
Critical · Secret Pattern · dist/auth/keys.js
Critical · Secret Pattern · dist/auth/keys.js
Critical · Secret Pattern · dist/auth/keys.js
Critical · Secret Pattern · dist/auth/keys.js
Critical · Secret Pattern · dist/auth/keys.d.ts
Critical · Secret Pattern · dist/auth/keys.d.ts
Medium · Network
Medium · Environment Vars
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings