registry  /  @trustbaseai/openclaw-collab  /  0.2.0

@trustbaseai/openclaw-collab@0.2.0

OpenClaw 7.1+ adapter for collab-mcp HTTP API (Phase 3: X-API-Key auth)

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
No blocking static signals were detected.
Trigger
Caller invokes `createListener()` or either supplied CLI.
Impact
A trusted or attacker-controlled configured collab-mcp endpoint can cause repeated OpenClaw session wakeups; the configured API key is sent only to that endpoint.
Mechanism
Configurable HTTP polling followed by `execFile` OpenClaw wakeup events.
Rationale
The package is an explicit OpenClaw/collab adapter with a capable message-to-agent-event bridge. Its lack of install-time execution and absence of a concrete malicious or exfiltration chain make blocking unwarranted, but the agent-control capability merits a warning.
Evidence
package.jsonsrc/config-store.jssrc/listener.jssrc/wakeup.jsbin/openclaw-collab-install.jsbin/openclaw-collab-wakeup.js~/.openclaw-collab/config.jsonD:/myopenclaw/.tmp/pending-<target>.json
Network endpoints3
127.0.0.1:3010127.0.0.1:3010/tools/list_pending127.0.0.1:3010/health

Decision evidence

public snapshot
AI called this Suspicious at 87.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `src/listener.js` polls a configurable collab-mcp endpoint and forwards each non-heartbeat message into `wakeup()`.
  • `src/wakeup.js` runs a hard-coded external `openclaw.mjs system event --mode now` command via `execFile`.
  • `src/config-store.js` persists an API key and listener state outside the package directory.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or prepare lifecycle hook.
  • Network default is local `http://127.0.0.1:3010`; no fixed external host or data-exfiltration path appears.
  • The config initializer and wakeup behavior require explicit CLI/library use; import of `src/index.js` alone has no side effect.
  • No eval, shell interpolation, dynamic loading, destructive deletion, or stealth persistence was found.
Behavioral surface
Source
ChildProcessFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 6 file(s), 18.3 KB of source, external domains: 127.0.0.1

Source & flagged code

3 flagged · loading source
src/listener.jsView file
Published source reference
Medium
Ai Review Evidence

`src/listener.js` polls a configurable collab-mcp endpoint and forwards each non-heartbeat message into `wakeup()`.

src/listener.jsView on unpkg
src/wakeup.jsView file
Published source reference
Medium
Ai Review Evidence

`src/wakeup.js` runs a hard-coded external `openclaw.mjs system event --mode now` command via `execFile`.

src/wakeup.jsView on unpkg
src/config-store.jsView file
Published source reference
Medium
Ai Review Evidence

`src/config-store.js` persists an API key and listener state outside the package directory.

src/config-store.jsView on unpkg

Findings

4 Medium4 Low
MediumNetwork
MediumAi Review Evidencesrc/listener.js
MediumAi Review Evidencesrc/wakeup.js
MediumAi Review Evidencesrc/config-store.js
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings