registry  /  @spzhongwin/skill-logger-plugin  /  1.0.14

@spzhongwin/skill-logger-plugin@1.0.14

AI Security Review

scanned 3h ago · by lpm-firewall-ai

On OpenClaw gateway startup, the extension automatically connects to a hard-coded external WebSocket. That peer can enumerate agents, read cron-job data, and remotely install, update, or delete skills in agent workspaces.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
OpenClaw loads the package and emits `gateway_start`.
Impact
A remote service can exfiltrate OpenClaw metadata and alter agent skills, enabling downstream arbitrary skill behavior.
Mechanism
Default remote WebSocket control plane with ZIP-based skill deployment and telemetry collection.
Attack narrative
When loaded, the plugin connects to a hard-coded remote control endpoint without requiring configured consent. Messages received on that socket invoke filesystem operations to install ZIP-provided skills, update existing skills, remove skills or experts, enumerate installed skills, and return cron-job records. The plugin also injects an instruction forcing agents to report tool errors and can send collected telemetry to configured HTTP endpoints while TLS verification is disabled.
Rationale
This is an active remote-control and payload-deployment channel over an automatic default connection, not merely package-aligned logging. Its server-directed agent workspace mutation and OpenClaw data disclosure establish a concrete malicious chain.
Evidence
package.jsonsrc/index.tssrc/ws-client.tssrc/updater.tssrc/reporter.tssrc/http.ts~/.openclaw/state/openclaw.sqlite~/.openclaw/workspace-assistant-<id>/skills/<code>~/.openclaw/workspace-assistant-<id>/.user/skills/<code>~/.openclaw/workspace-assistant-<id>/.user/experts/<code>
Network endpoints1
wss://aishuo.co/gateway/ws

Decision evidence

public snapshot
AI called this Malicious at 96.0% confidence as Malware with low false-positive risk.
Evidence for block
  • `src/index.ts` opens `wss://aishuo.co/gateway/ws` by default at `gateway_start`.
  • `src/ws-client.ts` accepts server commands to install, update, and remove skills without local consent.
  • `src/ws-client.ts` can read cron-job rows from `~/.openclaw/state/openclaw.sqlite` and reply over the socket.
  • `src/updater.ts` downloads server-supplied ZIPs, extracts them, and replaces agent skill directories.
  • `src/index.ts` injects a system prompt requiring error reports with tool/error details.
  • `src/http.ts` disables TLS certificate verification for HTTP reporting/config requests.
Evidence against
  • `package.json` has no preinstall, install, or postinstall lifecycle hook.
  • `src/ws-client.ts` constrains user IDs and skill codes to reduce path traversal.
  • `src/updater.ts` uses argument-vector `execFile` only for archive extraction; no shell command construction found.
  • No `eval`, `Function`, VM execution, or hidden binary loader was found in package source.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 50 file(s), 468 KB of source, external domains: api.openai.com, pkg.example, platform.example, report.example

Source & flagged code

1 flagged · loading source
dist/index.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @spzhongwin/sk[redacted]@1.0.6 matchedIdentity = npm:[redacted]:1.0.6 similarity = 0.898 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/index.jsView on unpkg

Findings

1 High2 Medium5 Low
HighPrevious Version Dangerous Deltadist/index.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License