
@syengup/friday-channel-next@1.0.10

OpenClaw Friday Next Apple channel plugin

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as a warn-only, first-party agent-extension lifecycle risk. No confirmed malicious attack surface, but the package provides a first-party OpenClaw/Friday extension setup and runtime bridge with powerful authenticated agent-management features. The risk comes from explicit CLI setup and authenticated runtime use, not from npm lifecycle auto-execution.

Static reason
No blocking static signals were detected; the diff against the previous stored version introduced a source file flagged as dangerous.
Trigger
User runs the friday-channel-next bin/npx installer or uses authenticated /friday-next routes after plugin registration.
Impact
Enables Friday app access to OpenClaw gateway, agent runs, tool event streaming, agent config/prompt edits, attachment handling, and plugin upgrades.
Mechanism
first-party OpenClaw channel setup and authenticated agent bridge
Rationale
Source inspection shows a user-invoked first-party OpenClaw channel installer and authenticated runtime bridge, with broad but package-aligned agent extension capabilities. Because there is no npm lifecycle mutation, exfiltration, remote code payload, or unauthorized control-surface hijack, this should warn rather than block.
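The distinction the rationale rests on (a bin a user must invoke versus a script npm runs on its own at install time) is mechanical enough to check from the manifest alone. The following is an added example, not code from the package or from LPM: it classifies a package.json into install-time auto-execution, user-invoked bin only, or no executable entrypoint. Both sample manifests are constructed for this example; the first only mirrors the shape the review describes (a `friday-channel-next` bin pointing at install.js plus a prepublishOnly script, whose build command is a placeholder), the second is a hypothetical counterexample.

```javascript
// Added example (not the package's or LPM's code): split an npm manifest's
// executable surface into what runs unprompted at install and what only runs
// when a user invokes it.

// Scripts npm runs on its own during installation. `prepare` is listed because
// it runs for git dependencies and local `npm install`, even though registry
// tarball installs skip it.
const INSTALL_TIME_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

function classifyManifest(manifest) {
  const scripts = manifest.scripts || {};
  const installHooks = Object.keys(scripts).filter((k) => INSTALL_TIME_HOOKS.includes(k));
  const otherScripts = Object.keys(scripts).filter((k) => !INSTALL_TIME_HOOKS.includes(k));

  // `bin` is either a map of command -> file or a bare string, in which case
  // the command name is the package name with any scope stripped.
  let bins = {};
  if (typeof manifest.bin === "string") {
    bins[String(manifest.name || "").replace(/^@[^/]+\//, "")] = manifest.bin;
  } else if (manifest.bin && typeof manifest.bin === "object") {
    bins = { ...manifest.bin };
  }

  let surface;
  if (installHooks.length > 0) surface = "auto-executes on install";
  else if (Object.keys(bins).length > 0) surface = "user-invoked bin only";
  else surface = "no executable entrypoint";

  return { surface, installHooks, otherScripts, bins };
}

// Constructed sample shaped like the reviewed manifest; the build command is a placeholder.
const SAMPLE_REVIEWED_SHAPE = {
  name: "@syengup/friday-channel-next",
  version: "1.0.10",
  bin: { "friday-channel-next": "install.js" },
  scripts: { prepublishOnly: "npm run build" },
};

// Hypothetical counterexample: the same bin, plus a hook npm would run unprompted.
const SAMPLE_WITH_POSTINSTALL = {
  name: "hypothetical-plugin",
  bin: { "hypothetical-plugin": "install.js" },
  scripts: { prepublishOnly: "npm run build", postinstall: "node install.js" },
};

console.log(classifyManifest(SAMPLE_REVIEWED_SHAPE).surface);   // user-invoked bin only
console.log(classifyManifest(SAMPLE_WITH_POSTINSTALL).surface); // auto-executes on install
```

Run it against the real manifest with `classifyManifest(JSON.parse(fs.readFileSync("package.json", "utf8")))`; a "user-invoked bin only" result is what moves a package from block to warn in the reasoning above, and the `bins` map tells you which file to read next.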
Evidence
  • package.json
  • install.js
  • dist/index.js
  • dist/src/http/server.js
  • dist/src/http/middleware/auth.js
  • dist/src/http/handlers/agent-config.js
  • dist/src/http/handlers/agent-files.js
  • dist/src/http/handlers/plugin-upgrade.js
  • dist/src/agent/node-pairing-bridge.js
  • ~/.openclaw/openclaw.json
  • ~/.openclaw/extensions/friday-channel-next
  • ~/.openclaw/friday-next/attachments
  • ~/.openclaw/media/inbound
  • agent workspace AGENTS.md/IDENTITY.md/SOUL.md/TOOLS.md/MEMORY.md/USER.md/HEARTBEAT.md/BOOTSTRAP.md
Network endpoints (5)
  • registry.npmjs.org/@syengup/friday-channel-next/latest
  • api.ipify.org
  • ifconfig.me/ip
  • icanhazip.com
  • 127.0.0.1:<gatewayPort>/friday-next/status

Decision evidence

public snapshot
AI verdict: Suspicious (86.0% confidence); classification: Benign; false-positive risk: medium.
Evidence for warning
  • install.js is a bin-only installer that writes ~/.openclaw/openclaw.json, enables friday-next/canvas plugins, allowConversationAccess, LAN gateway bind, canvas node commands, and main agent tools.
  • install.js runs openclaw plugins install and gateway restart, and fetches npm registry/latest plus public-IP echo services during explicit CLI setup.
  • Runtime exposes authenticated /friday-next HTTP routes that can dispatch messages, edit whitelisted agent prompt files, mutate agent config, upload/download attachments, and trigger plugin upgrade.
  • dist/index.js forwards agent events, llm_output, tool params/results, and command stdout to Friday SSE sessions tied to friday-next session/device mapping.
Evidence against
  • package.json has no preinstall/install/postinstall hooks; only prepublishOnly build script and a user-invoked bin install.js.
  • HTTP routes use bearer token validation against OpenClaw gateway auth before sensitive handlers.
  • Agent file editing is limited to a whitelist of core prompt files with path traversal checks and size limits.
  • Dynamic import in dist/src/agent/node-pairing-bridge.js resolves local OpenClaw modules by env/PATH, not remote payloads.
  • Network endpoints are package-aligned: npm registry, local gateway verification, public IP detection, user-supplied link preview/media fetch with SSRF guard.
  • No credential harvesting, remote payload execution at import time, destructive behavior, or stealth persistence found.
Behavioral surface
Source: ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Filesystem, Network, Shell
Supply chain: HighEntropyStrings, UrlStrings
Manifest: No manifest risk signals triggered.
scanned 226 file(s), 1.14 MB of source, external domains: 10.0.0.5, 127.0.0.1, 192.168.1.1, 93.184.216.34, a.com, api.ipify.org, app.example, app.local, cdn.example.com, db.internal, dead.example.com, docs.openclaw.ai, example.com, gateway.local, icanhazip.com, ifconfig.me, nas.home.arpa, nope.example.com, other.example.com, picsum.photos, qqpublic.qpic.cn, rebind.example.com, registry.npmjs.org, schema.org, www.zhihu.com
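The review credits the link-preview and media fetch paths with an SSRF guard, and the external-domain list above contains exactly the kinds of names such a guard is exercised against: private IPv4 addresses, a NAS under home.arpa, an internal database host, and a rebind host. The following is an added example, not the plugin's own guard: it vets a user-supplied URL before any request is made. The resolver is injected so the block runs offline; CONSTRUCTED_DNS is made up for this example (203.0.113.0/24 is a documentation range standing in for a public address), and in production the resolver would wrap `dns.promises.lookup(host, { all: true })` and the function would become async.

```javascript
// Added example (not the plugin's guard): scheme check, literal-address and
// resolved-address range checks, mixed-answer rejection, and address pinning.

function parseIPv4(s) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every((o) => o <= 255) ? octets : null;
}

function isBlockedIPv4([a, b]) {
  return a === 0 || a === 10 || a === 127 ||
    (a === 100 && b >= 64 && b <= 127) ||   // 100.64.0.0/10 shared address space
    (a === 169 && b === 254) ||             // link-local, including cloud metadata
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) ||
    a >= 224;                               // multicast, reserved, broadcast
}

// IPv4-mapped IPv6 arrives either dotted ("::ffff:10.0.0.5", as typed) or in
// the hex form the WHATWG URL serializer produces ("::ffff:a00:5").
function mappedIPv4(low) {
  let m = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/.exec(low);
  if (m) return parseIPv4(m[1]);
  m = /^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(low);
  if (m) {
    const hi = parseInt(m[1], 16), lo = parseInt(m[2], 16);
    return [hi >> 8, hi & 255, lo >> 8, lo & 255];
  }
  return null;
}

function isBlockedAddress(ip) {
  const v4 = parseIPv4(ip);
  if (v4) return isBlockedIPv4(v4);
  const low = ip.toLowerCase();
  const mapped = mappedIPv4(low);
  if (mapped) return isBlockedIPv4(mapped);
  if (low === "::" || low === "::1") return true;       // unspecified, loopback
  if (/^f[cd][0-9a-f]{2}:/.test(low)) return true;      // fc00::/7 unique local
  if (/^fe[89ab][0-9a-f]:/.test(low)) return true;      // fe80::/10 link-local
  return false;
}

function vetFetchTarget(rawUrl, resolve) {
  const deny = (reason) => ({ ok: false, reason });
  let url;
  try { url = new URL(rawUrl); } catch { return deny("unparseable URL"); }
  if (url.protocol !== "http:" && url.protocol !== "https:") return deny(`scheme ${url.protocol} not allowed`);
  if (url.username || url.password) return deny("credentials in URL");

  let host = url.hostname;
  if (host.startsWith("[") && host.endsWith("]")) host = host.slice(1, -1);
  if (host === "localhost" || host.endsWith(".localhost")) return deny("localhost name");

  // A literal address needs no lookup. The URL parser has already normalised
  // decimal/octal/hex IPv4 spellings such as 0x7f000001 to dotted form.
  const isLiteral = parseIPv4(host) !== null || host.includes(":");
  const addrs = isLiteral ? [host] : resolve(host);
  if (!addrs || addrs.length === 0) return deny("name does not resolve");

  // Every returned address must be public. A mixed answer (one public, one
  // private) is the classic rebinding setup, so a single bad record fails the URL.
  const bad = addrs.find(isBlockedAddress);
  if (bad !== undefined) return deny(`${host} resolves to blocked address ${bad}`);

  // Pin the vetted address: the caller connects to `pinned` and sets Host/SNI
  // to `host`, never re-resolving the name for the real request.
  const port = url.port || (url.protocol === "https:" ? "443" : "80");
  return { ok: true, host, pinned: addrs[0], port, href: url.href };
}

// Constructed resolver standing in for dns.promises.lookup(host, { all: true }).
const CONSTRUCTED_DNS = {
  "cdn.example.com": ["203.0.113.10"],
  "nas.home.arpa": ["192.168.1.1"],
  "db.internal": ["10.0.0.5"],
  "rebind.example.com": ["203.0.113.20", "127.0.0.1"],
};
const lookupConstructed = (name) => CONSTRUCTED_DNS[name] || [];

console.log(vetFetchTarget("https://cdn.example.com/img.png", lookupConstructed));
console.log(vetFetchTarget("http://rebind.example.com/", lookupConstructed));
```

Pinning is the part most guards leave out: a check that resolves the name, approves it, and then hands the original URL to an HTTP client re-resolves on connect, which is the window a rebinding host uses. Redirects need the same treatment, so the client should follow them manually and re-run `vetFetchTarget` on each Location.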

Source & flagged code

3 flagged
dist/src/agent/node-pairing-bridge.js
  62: throw new Error("node-pairing module not found in OpenClaw dist");
  63: // ESM import() returns the minified export names (r, t, …) because the
  64: // bundled module uses `export { listNodePairing as r, … }`. Resolve the
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/src/agent/node-pairing-bridge.js, line 62
install.js
  Manifest entrypoint (manifest.bin) carries capability families absent from dist/build output: environment+network, execution+network
   1: #!/usr/bin/env node
   2: import { execSync } from "node:child_process";
   3: import { existsSync, readFileSync, writeFileSync, rmSync } from "node:fs";
   ...
   6:
   7: const sudoUser = process.env.SUDO_USER;
   8:
   9: function realHome() {
  10:   if (!sudoUser) return homedir();
  11:   const current = homedir();
   ...
  72: if (!hasOpenclaw()) {
  73:   err("openclaw is required but not found. Install OpenClaw first: https://docs.openclaw.ai");
  74:   process.exit(1);
High
Entrypoint Build Divergence

Manifest entrypoint contains risky behavior absent from dist/build output.

install.js, line 1
dist/index.js
  matchType: previous_version_dangerous_delta
  matchedPackage: @syengup/friday-channel-next@1.0.9
  matchedIdentity: npm:[redacted]:1.0.9
  similarity: 0.850
  summary: stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/index.js

Findings

2 High · 4 Medium · 5 Low
  High    Entrypoint Build Divergence        install.js
  High    Previous Version Dangerous Delta   dist/index.js
  Medium  Dynamic Require                    dist/src/agent/node-pairing-bridge.js
  Medium  Network
  Medium  Environment Vars
  Medium  Structural Risk Force Deep Review
  Low     Non Install Lifecycle Scripts
  Low     Scripts Present
  Low     Filesystem
  Low     High Entropy Strings
  Low     Url Strings