AI Security Review
scanned 2h ago · by lpm-firewall-ai
Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
No blocking static signals were detected.
Trigger
User runs the friday-channel-next bin, e.g. npx -y @syengup/friday-channel-next, or authenticated Friday HTTP route use at runtime.
Impact
Enables Friday/canvas plugins, LAN gateway access, selected canvas/nodes commands, conversation access, plugin upgrade, file attachment storage, and whitelisted agent prompt-file edits for bearer-authenticated clients.
Mechanism
explicit OpenClaw plugin setup and authenticated agent/channel bridge
Rationale
Source inspection found explicit user-command OpenClaw configuration and authenticated agent-control features, but no unconsented npm lifecycle mutation, credential harvesting, stealth persistence, remote payload execution, or exfiltration. Under the policy this should warn rather than block.
Evidence
- package.json
- install.js
- dist/index.js
- dist/src/http/server.js
- dist/src/http/middleware/auth.js
- dist/src/http/handlers/agent-files.js
- dist/src/http/handlers/plugin-upgrade.js
- dist/src/agent/node-pairing-bridge.js
- ~/.openclaw/openclaw.json
- ~/.openclaw/extensions/friday-channel-next
- ~/.openclaw/friday-next/attachments
- ~/.openclaw/media/inbound/<id>
- <agent workspace>/AGENTS.md
- <agent workspace>/IDENTITY.md
- <agent workspace>/SOUL.md
- <agent workspace>/TOOLS.md
- <agent workspace>/MEMORY.md
- <agent workspace>/USER.md
- <agent workspace>/HEARTBEAT.md
- <agent workspace>/BOOTSTRAP.md
Network endpoints (5)
- registry.npmjs.org/@syengup/friday-channel-next/latest
- api.ipify.org
- ifconfig.me/ip
- icanhazip.com
- 127.0.0.1:<gatewayPort>/friday-next/status
Decision evidence
public snapshot
AI called this Suspicious at 86.0% confidence as Unknown with medium false-positive risk.
Evidence for warning
- install.js bin command writes ~/.openclaw/openclaw.json settings for plugins, gateway, and agent tools.
- install.js enables friday-next hook allowConversationAccess and canvas plugin, sets gateway.bind to lan, allows canvas.eval/nodes commands, and removes canvas/nodes from main agent deny list.
- install.js runs openclaw plugins install and gateway restart, then prints gateway URL and bearer token as connection info.
- dist/src/http/handlers/agent-files.js exposes authenticated PUT to whitelisted agent workspace prompt files such as AGENTS.md and TOOLS.md.
Evidence against
- package.json has no preinstall/install/postinstall lifecycle hook; install.js is a user-invoked bin, not automatic npm install execution.
- HTTP routes are registered under /friday-next/* and validate bearer token via dist/src/http/middleware/auth.js.
- Network use is package-aligned: npm registry version checks, local gateway verification, link/media fetching, and public IP helper endpoints.
- Dynamic import in dist/src/agent/node-pairing-bridge.js loads OpenClaw's local node-pairing module from resolved OpenClaw dist, not a remote payload.
Behavioral surface
ChildProcess · Crypto · DynamicRequire · EnvironmentVars · Filesystem · Network · Shell
HighEntropyStrings · UrlStrings
Source & flagged code
2 flagged
dist/src/agent/node-pairing-bridge.js
L62: throw new Error("node-pairing module not found in OpenClaw dist");
L63: // ESM import() returns the minified export names (r, t, …) because the
L64: // bundled module uses `export { listNodePairing as r, … }`. Resolve the
Medium
Dynamic Require
Package source references dynamic require/import behavior.
dist/src/agent/node-pairing-bridge.js · L62
install.js
Line 1: Manifest entrypoint (manifest.bin) carries capability families absent from dist/build output: environment+network, execution+network
L1: #!/usr/bin/env node
L2: import { execSync } from "node:child_process";
L3: import { existsSync, readFileSync, writeFileSync, rmSync } from "node:fs";
...
L6:
L7: const sudoUser = process.env.SUDO_USER;
L8:
L9: function realHome() {
L10: if (!sudoUser) return homedir();
L11: const current = homedir();
...
L72: if (!hasOpenclaw()) {
L73: err("openclaw is required but not found. Install OpenClaw first: https://docs.openclaw.ai");
L74: process.exit(1);
High
Entrypoint Build Divergence
Manifest entrypoint contains risky behavior absent from dist/build output.
install.js · L1
Findings
1 High · 4 Medium · 5 Low
- High · Entrypoint Build Divergence · install.js
- Medium · Dynamic Require · dist/src/agent/node-pairing-bridge.js
- Medium · Network
- Medium · Environment Vars
- Medium · Structural Risk Force Deep Review
- Low · Non Install Lifecycle Scripts
- Low · Scripts Present
- Low · Filesystem
- Low · High Entropy Strings
- Low · Url Strings