AI Security Review
scanned 2h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. No concrete malicious attack chain found, but the package has agent extension lifecycle risk. It can mutate OpenClaw/Codex agent configuration and expose authenticated agent-management routes as part of its Friday channel functionality.
Static reason
No blocking static signals were detected.
Trigger
User runs friday-channel-next bin or OpenClaw loads the plugin and authenticated app clients call its routes.
Impact
Enables Friday channel integration, LAN gateway access, canvas/nodes tools, conversation access, Codex reasoning summaries, and app-driven agent config/file edits.
Mechanism
First-party OpenClaw channel setup and authenticated agent control surface
Rationale
Source inspection supports a warn-level lifecycle/control-surface risk rather than malicious behavior: powerful mutations are first-party integration features gated by explicit user command, plugin activation, or Bearer-authenticated routes. No concrete exfiltration or covert install-time attack behavior was found.
Evidence
package.jsoninstall.jsdist/index.jsdist/src/codex-reasoning-config.jsdist/src/http/middleware/auth.jsdist/src/http/handlers/agent-config.jsdist/src/http/handlers/agent-files.jsdist/src/http/handlers/plugin-upgrade.jsdist/src/agent/node-pairing-bridge.jsdist/src/link-preview/ssrf-guard.js~/.openclaw/openclaw.json~/.openclaw/agents/<agentId>/agent/codex-home/config.tomlagent workspace AGENTS.md/IDENTITY.md/SOUL.md/TOOLS.md/MEMORY.md/USER.md/HEARTBEAT.md/BOOTSTRAP.md
Network endpoints5
registry.npmjs.org/@syengup/friday-channel-next/latest127.0.0.1:<gatewayPort>/friday-next/statusapi.ipify.orgifconfig.me/ipicanhazip.com
Decision evidence
public snapshotAI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- install.js bin command edits ~/.openclaw/openclaw.json: enables plugins, LAN gateway bind, canvas/nodes tools, allowConversationAccess.
- dist/src/codex-reasoning-config.js writes model_reasoning_summary into per-agent codex-home/config.toml during plugin activation.
- dist/src/http/handlers/agent-config.js and agent-files.js expose authenticated endpoints to edit agent config and whitelisted agent prompt files.
- dist/src/http/handlers/plugin-upgrade.js can run openclaw plugins install after authenticated POST.
- Network use includes npm registry version checks, local gateway verification, public IP echo services, and user-supplied media/link preview fetches.
Evidence against
- package.json has no preinstall/install/postinstall; mutation is via user-invoked bin or plugin runtime, not npm lifecycle autostart.
- HTTP routes validate Bearer token against OpenClaw gateway auth in dist/src/http/middleware/auth.js.
- Dynamic import in node-pairing-bridge loads OpenClaw's local dist module by name, not a remote payload.
- Link preview has SSRF checks for protocol, ports, private hosts/IPs, DNS results, redirects, timeout, and size cap.
- No credential harvesting or exfiltration endpoint beyond package-aligned Friday/OpenClaw channel behavior found.
Behavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourcedist/src/agent/node-pairing-bridge.jsView file
62throw new Error("node-pairing module not found in OpenClaw dist");
L63: // ESM import() returns the minified export names (r, t, …) because the
L64: // bundled module uses `export { listNodePairing as r, … }`. Resolve the
Medium
Dynamic Require
Package source references dynamic require/import behavior.
dist/src/agent/node-pairing-bridge.jsView on unpkg · L62install.jsView file
1Manifest entrypoint (manifest.bin) carries capability families absent from dist/build output: environment+network, execution+network
L1: #!/usr/bin/env node
L2: import { execSync } from "node:child_process";
L3: import { existsSync, readFileSync, writeFileSync, rmSync } from "node:fs";
...
L6:
L7: const sudoUser = process.env.SUDO_USER;
L8:
L9: function realHome() {
L10: if (!sudoUser) return homedir();
L11: const current = homedir();
...
L72: if (!hasOpenclaw()) {
L73: err("openclaw is required but not found. Install OpenClaw first: https://docs.openclaw.ai");
L74: process.exit(1);
High
Entrypoint Build Divergence
Manifest entrypoint contains risky behavior absent from dist/build output.
install.jsView on unpkg · L1Findings
1 High4 Medium5 Low
HighEntrypoint Build Divergenceinstall.js
MediumDynamic Requiredist/src/agent/node-pairing-bridge.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings