
@syengup/friday-channel-next@1.0.6

OpenClaw Friday Next Apple channel plugin

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as a warn-only, first-party agent-extension lifecycle risk. No concrete malicious attack chain was found, but the package can mutate OpenClaw/Codex agent configuration and exposes authenticated agent-management routes as part of its Friday channel functionality.

Static reason
No blocking static signals were detected.
Trigger
The user runs the friday-channel-next bin, or OpenClaw loads the plugin and authenticated app clients call its routes.
Impact
Enables Friday channel integration, LAN gateway access, canvas/nodes tools, conversation access, Codex reasoning summaries, and app-driven agent config/file edits.
Mechanism
First-party OpenClaw channel setup and authenticated agent control surface
Rationale
Source inspection supports a warn-level lifecycle/control-surface risk rather than malicious behavior: powerful mutations are first-party integration features gated by explicit user command, plugin activation, or Bearer-authenticated routes. No concrete exfiltration or covert install-time attack behavior was found.
Evidence
  • package.json
  • install.js
  • dist/index.js
  • dist/src/codex-reasoning-config.js
  • dist/src/http/middleware/auth.js
  • dist/src/http/handlers/agent-config.js
  • dist/src/http/handlers/agent-files.js
  • dist/src/http/handlers/plugin-upgrade.js
  • dist/src/agent/node-pairing-bridge.js
  • dist/src/link-preview/ssrf-guard.js
  • ~/.openclaw/openclaw.json
  • ~/.openclaw/agents/<agentId>/agent/codex-home/config.toml
  • agent workspace AGENTS.md / IDENTITY.md / SOUL.md / TOOLS.md / MEMORY.md / USER.md / HEARTBEAT.md / BOOTSTRAP.md
Network endpoints (5)
  • registry.npmjs.org/@syengup/friday-channel-next/latest
  • 127.0.0.1:<gatewayPort>/friday-next/status
  • api.ipify.org
  • ifconfig.me/ip
  • icanhazip.com

Decision evidence

public snapshot
AI classified this as Suspicious (Dangerous Capability) at 86.0% confidence, with medium false-positive risk.
Evidence for warning
  • install.js bin command edits ~/.openclaw/openclaw.json: enables plugins, LAN gateway bind, canvas/nodes tools, allowConversationAccess.
  • dist/src/codex-reasoning-config.js writes model_reasoning_summary into per-agent codex-home/config.toml during plugin activation.
  • dist/src/http/handlers/agent-config.js and agent-files.js expose authenticated endpoints to edit agent config and whitelisted agent prompt files.
  • dist/src/http/handlers/plugin-upgrade.js can run openclaw plugins install after authenticated POST.
  • Network use includes npm registry version checks, local gateway verification, public IP echo services, and user-supplied media/link preview fetches.
Evidence against
  • package.json has no preinstall/install/postinstall; mutation is via user-invoked bin or plugin runtime, not npm lifecycle autostart.
  • HTTP routes validate Bearer token against OpenClaw gateway auth in dist/src/http/middleware/auth.js.
  • Dynamic import in node-pairing-bridge loads OpenClaw's local dist module by name, not a remote payload.
  • Link preview has SSRF checks for protocol, ports, private hosts/IPs, DNS results, redirects, timeout, and size cap.
  • No credential harvesting or exfiltration endpoint beyond package-aligned Friday/OpenClaw channel behavior found.
Behavioral surface

Source: ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Filesystem, Network, Shell
Supply chain: HighEntropyStrings, UrlStrings
Manifest: no manifest risk signals triggered.

Scanned 207 file(s), 1.01 MB of source. Host literals found across the scanned files (a wider set than the five runtime endpoints listed above under Network endpoints): 10.0.0.5, 127.0.0.1, 192.168.1.1, 93.184.216.34, a.com, api.ipify.org, app.example, app.local, cdn.example.com, db.internal, dead.example.com, docs.openclaw.ai, example.com, gateway.local, icanhazip.com, ifconfig.me, nas.home.arpa, nope.example.com, other.example.com, picsum.photos, qqpublic.qpic.cn, rebind.example.com, registry.npmjs.org, schema.org, www.zhihu.com

Source & flagged code

2 flagged
dist/src/agent/node-pairing-bridge.js
  62: throw new Error("node-pairing module not found in OpenClaw dist");
  63: // ESM import() returns the minified export names (r, t, …) because the
  64: // bundled module uses `export { listNodePairing as r, … }`. Resolve the
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/src/agent/node-pairing-bridge.js, line 62
install.js
  Note at line 1: Manifest entrypoint (manifest.bin) carries capability families absent from dist/build output: environment+network, execution+network
  1: #!/usr/bin/env node
  2: import { execSync } from "node:child_process";
  3: import { existsSync, readFileSync, writeFileSync, rmSync } from "node:fs";
  ...
  6:
  7: const sudoUser = process.env.SUDO_USER;
  8:
  9: function realHome() {
  10:   if (!sudoUser) return homedir();
  11:   const current = homedir();
  ...
  72: if (!hasOpenclaw()) {
  73:   err("openclaw is required but not found. Install OpenClaw first: https://docs.openclaw.ai");
  74:   process.exit(1);
High
Entrypoint Build Divergence

Manifest entrypoint contains risky behavior absent from dist/build output.

install.js, line 1
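The reasoning the review applies to install.js, that no preinstall/install/postinstall hook runs it and that the entrypoint draws on capability families dist never touches, as an added triage script (example code, not lpm-firewall-ai's analyzer): it lists install-time hooks, enumerates bin entrypoints, classifies each source file by the modules it imports, and reports families present in a bin entrypoint but absent from every dist/ file. The module-to-family mapping and the sample manifest and sources are constructed assumptions shaped like the excerpt above, not the real package contents.

```javascript
// Added example: manifest triage of the kind the findings above describe.
// Illustrative code, not lpm-firewall-ai's scanner; the capability-family
// mapping and the sample inputs at the bottom are assumptions.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Module specifier -> capability family (assumed mapping; "node:" prefix stripped).
const MODULE_FAMILY = {
  child_process: "execution",
  fs: "filesystem", "fs/promises": "filesystem",
  http: "network", https: "network", net: "network", dns: "network", tls: "network", dgram: "network",
  os: "environment",
};

// Capability families one source file references, from its import specifiers
// plus a few call-site patterns (process.env, fetch, eval/new Function/import()).
function capabilityFamilies(source) {
  const fams = new Set();
  const spec = /(?:require\(\s*|from\s+|import\s+)["']([^"']+)["']/g;
  for (const m of source.matchAll(spec)) {
    const fam = MODULE_FAMILY[m[1].replace(/^node:/, "")];
    if (fam) fams.add(fam);
  }
  if (/\bprocess\.env\b/.test(source)) fams.add("environment");
  if (/\bfetch\s*\(/.test(source)) fams.add("network");
  if (/\beval\s*\(|new\s+Function\s*\(|\bimport\s*\(/.test(source)) fams.add("dynamic");
  return fams;
}

// Bin entrypoints; package.json "bin" is either a string or a name -> path map.
function binEntrypoints(pkg) {
  if (!pkg.bin) return [];
  if (typeof pkg.bin === "string") return [{ name: pkg.name, path: pkg.bin }];
  return Object.entries(pkg.bin).map(([name, path]) => ({ name, path }));
}

// pkg: parsed package.json; files: relative path -> source text.
// Reports install-time hooks and, per bin entrypoint, the families it uses
// that no file under dist/ uses (the "entrypoint build divergence" signal).
function auditManifest(pkg, files) {
  const scripts = pkg.scripts || {};
  const installHooks = INSTALL_HOOKS.filter((h) => h in scripts);
  const distFamilies = new Set();
  for (const [path, src] of Object.entries(files)) {
    if (path.startsWith("dist/")) for (const f of capabilityFamilies(src)) distFamilies.add(f);
  }
  const divergence = [];
  for (const bin of binEntrypoints(pkg)) {
    const src = files[bin.path.replace(/^\.\//, "")];
    if (src === undefined) { divergence.push({ ...bin, missing: true }); continue; }
    const extra = [...capabilityFamilies(src)].filter((f) => !distFamilies.has(f)).sort();
    if (extra.length) divergence.push({ ...bin, families: extra });
  }
  return { installHooks, autostartsOnInstall: installHooks.length > 0, divergence };
}

// Constructed sample shaped like the excerpt above; not the real package contents.
const SAMPLE_PKG = {
  name: "example-channel-plugin",
  scripts: { build: "tsc -p .", test: "node --test" },
  bin: { "example-channel-plugin": "./install.js" },
};
const SAMPLE_FILES = {
  "install.js": `#!/usr/bin/env node
import { execSync } from "node:child_process";
import { readFileSync, writeFileSync } from "node:fs";
import { homedir } from "node:os";
const sudoUser = process.env.SUDO_USER;
`,
  "dist/index.js": `import { readFileSync } from "node:fs";
export function activate() { return readFileSync("config.json", "utf8"); }
`,
};
```

Run on the sample, `auditManifest(SAMPLE_PKG, SAMPLE_FILES)` reports no install-time hooks and flags install.js for execution and environment, the same shape as the High finding; an import-based classifier will of course miss capabilities reached through obfuscated specifiers or dynamic loading, which is what the separate "dynamic" family and a deeper review are for.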

Findings

1 High · 4 Medium · 5 Low
  • High: Entrypoint Build Divergence (install.js)
  • Medium: Dynamic Require (dist/src/agent/node-pairing-bridge.js)
  • Medium: Network
  • Medium: Environment Vars
  • Medium: Structural Risk Force Deep Review
  • Low: Non-Install Lifecycle Scripts
  • Low: Scripts Present
  • Low: Filesystem
  • Low: High Entropy Strings
  • Low: Url Strings