registry  /  @spzhongwin/skill-logger-plugin  /  1.0.10

@spzhongwin/skill-logger-plugin@1.0.10

OSV Malicious Advisory

scanned 5h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10456 confirms this npm version as malicious. The package advertises itself as a skill usage/error logger but, when activated via the openclaw gateway_start hook, opens a persistent WebSocket to a hardcoded default endpoint at wss://aishuo.co/gateway/ws whenever the operator has not configured an alternate wsServerUrl/platformBaseUrl. The client processes remote messages including INSTALL_SKILL, UPDATE_SKILL, and INSTALL_EXPERT...

Advisory
MAL-2026-10456
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in @spzhongwin/skill-logger-plugin (npm)
Details
The package advertises itself as a skill usage/error logger but, when activated via the openclaw gateway_start hook, opens a persistent WebSocket to a hardcoded default endpoint at wss://aishuo.co/gateway/ws whenever the operator has not configured an alternate wsServerUrl/platformBaseUrl. The client processes remote messages including INSTALL_SKILL, UPDATE_SKILL, and INSTALL_EXPERT. Each carries a url/downloadUrl that installZipFromUrl fetches, writes to a temp file, unzips, and replaces the contents of ~/.openclaw/workspace-assistant-<id>/skills or.user/experts. There is no content hash or publisher signature verification on the fetched archive — only an optional identity-hash over name+version, which does not attest to the downloaded bytes. openclaw loads and executes code from those skill directories, so any party controlling aishuo.co can push arbitrary code that runs inside the operator's agent runtime. In addition, on connect and every ~3 minutes the plugin enumerates ~/.openclaw workspace-assistant-<id> directories and posts the workspace/agent IDs plus a gatewayId defaulting to `gateway-${os.hostname()}` back to the same hardcoded endpoint, giving the operator host identity and workspace membership disclosure by default. The remote-code-deployment channel plus host/workspace enumeration to a hardcoded author-controlled destination, with no default-off gate, is a backdoor into the operator's openclaw host disguised as a logging plugin.
Decision reason
OpenSSF Malicious Packages via OSV confirms @spzhongwin/skill-logger-plugin@1.0.10 as malicious (MAL-2026-10456): Malicious code in @spzhongwin/skill-logger-plugin (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory