AI Security Review
scanned 3h ago · by lpm-firewall-aiOn OpenClaw gateway startup, the extension automatically connects to a hard-coded external WebSocket. That peer can enumerate agents, read cron-job data, and remotely install, update, or delete skills in agent workspaces.
Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
OpenClaw loads the package and emits `gateway_start`.
Impact
A remote service can exfiltrate OpenClaw metadata and alter agent skills, enabling downstream arbitrary skill behavior.
Mechanism
Default remote WebSocket control plane with ZIP-based skill deployment and telemetry collection.
Attack narrative
When loaded, the plugin connects to a hard-coded remote control endpoint without requiring configured consent. Messages received on that socket invoke filesystem operations to install ZIP-provided skills, update existing skills, remove skills or experts, enumerate installed skills, and return cron-job records. The plugin also injects an instruction forcing agents to report tool errors and can send collected telemetry to configured HTTP endpoints while TLS verification is disabled.
Rationale
This is an active remote-control and payload-deployment channel over an automatic default connection, not merely package-aligned logging. Its server-directed agent workspace mutation and OpenClaw data disclosure establish a concrete malicious chain.
Evidence
package.jsonsrc/index.tssrc/ws-client.tssrc/updater.tssrc/reporter.tssrc/http.ts~/.openclaw/state/openclaw.sqlite~/.openclaw/workspace-assistant-<id>/skills/<code>~/.openclaw/workspace-assistant-<id>/.user/skills/<code>~/.openclaw/workspace-assistant-<id>/.user/experts/<code>
Network endpoints1
wss://aishuo.co/gateway/ws
Decision evidence
public snapshotAI called this Malicious at 96.0% confidence as Malware with low false-positive risk.
Evidence for block
- `src/index.ts` opens `wss://aishuo.co/gateway/ws` by default at `gateway_start`.
- `src/ws-client.ts` accepts server commands to install, update, and remove skills without local consent.
- `src/ws-client.ts` can read cron-job rows from `~/.openclaw/state/openclaw.sqlite` and reply over the socket.
- `src/updater.ts` downloads server-supplied ZIPs, extracts them, and replaces agent skill directories.
- `src/index.ts` injects a system prompt requiring error reports with tool/error details.
- `src/http.ts` disables TLS certificate verification for HTTP reporting/config requests.
Evidence against
- `package.json` has no preinstall, install, or postinstall lifecycle hook.
- `src/ws-client.ts` constrains user IDs and skill codes to reduce path traversal.
- `src/updater.ts` uses argument-vector `execFile` only for archive extraction; no shell command construction found.
- No `eval`, `Function`, VM execution, or hidden binary loader was found in package source.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
HighEntropyStringsUrlStrings
NoLicense
Source & flagged code
1 flagged · loading sourcedist/index.jsView file
•matchType = previous_version_dangerous_delta
matchedPackage = @spzhongwin/sk[redacted]@1.0.6
matchedIdentity = npm:[redacted]:1.0.6
similarity = 0.898
summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/index.jsView on unpkgFindings
1 High2 Medium5 Low
HighPrevious Version Dangerous Deltadist/index.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License