AI Security Review
scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious attack surface, but the package provides a first-party OpenClaw/Friday extension setup and runtime bridge with powerful authenticated agent-management features. Risk is from explicit CLI setup and authenticated runtime use, not npm lifecycle auto-execution.
Decision evidence
public snapshot
- install.js is a bin-only installer that writes ~/.openclaw/openclaw.json, enables friday-next/canvas plugins, allowConversationAccess, LAN gateway bind, canvas node commands, and main agent tools.
- install.js runs openclaw plugins install and gateway restart, and fetches npm registry/latest plus public-IP echo services during explicit CLI setup.
- Runtime exposes authenticated /friday-next HTTP routes that can dispatch messages, edit whitelisted agent prompt files, mutate agent config, upload/download attachments, and trigger plugin upgrade.
- dist/index.js forwards agent events, llm_output, tool params/results, and command stdout to Friday SSE sessions tied to friday-next session/device mapping.
- package.json has no preinstall/install/postinstall hooks; only prepublishOnly build script and a user-invoked bin install.js.
- HTTP routes use bearer token validation against OpenClaw gateway auth before sensitive handlers.
- Agent file editing is limited to a whitelist of core prompt files with path traversal checks and size limits.
- Dynamic import in dist/src/agent/node-pairing-bridge.js resolves local OpenClaw modules by env/PATH, not remote payloads.
- Network endpoints are package-aligned: npm registry, local gateway verification, public IP detection, user-supplied link preview/media fetch with SSRF guard.
- No credential harvesting, remote payload execution at import time, destructive behavior, or stealth persistence found.
Source & flagged code
3 flagged
- Package source references dynamic require/import behavior.
  dist/src/agent/node-pairing-bridge.js · L62
- Manifest entrypoint contains risky behavior absent from dist/build output.
  install.js · L1
- This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
  dist/index.js