registry  /  @unayung/lineworks  /  0.9.0

@unayung/lineworks@0.9.0

OpenClaw LINE WORKS channel plugin (PoC)

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The plugin extends OpenClaw at runtime and supplies agent guidance that exposes the location and use of per-user OAuth tokens. It can retrieve a caller-supplied media URL and send it through LINE WORKS as part of outbound messaging.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
OpenClaw loads the configured LINE WORKS plugin; agent-driven mail/API actions or outbound media sends invoke the behavior.
Impact
A compromised or over-permissive OpenClaw agent could use consented LINE WORKS OAuth tokens for the user's scoped data; arbitrary media URLs also create runtime SSRF-like fetch exposure.
Mechanism
OpenClaw agent prompt plus OAuth-token-backed LINE WORKS API and media-upload operations.
Rationale
No concrete malicious chain or unconsented install-time mutation is present. The package is a first-party OpenClaw extension with meaningful agent capability and runtime URL-fetch risk, so it warrants a warning rather than a block.
Evidence
package.jsonindex.tssrc/channel.tssrc/oauth-store.tssrc/attachments.tssrc/auth.ts
Network endpoints2
auth.worksmobile.com/oauth2/v2.0/tokenwww.worksapis.com/v1.0

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `src/channel.ts` injects agent instructions to read OAuth token files and invoke `exec` with `curl`.
  • `src/oauth-store.ts` persists LINE WORKS access and refresh tokens under `~/.openclaw/credentials/lineworks-oauth/`.
  • `src/attachments.ts` can fetch a runtime-supplied HTTP(S) media URL before uploading it to LINE WORKS.
  • `index.ts` registers an OpenClaw channel extension at runtime.
Evidence against
  • `package.json` has no `preinstall`, `install`, or `postinstall` lifecycle hook.
  • Network calls target LINE WORKS OAuth/API endpoints, consistent with the declared channel plugin.
  • `src/oauth-store.ts` uses owner-only directory and file modes (`0700`/`0600`) for tokens.
  • `src/attachments.ts` invokes a fixed `ffmpeg` binary with an argument array, not a shell command.
  • No source evidence of arbitrary payload loading, credential exfiltration to an unrelated host, or destructive filesystem behavior.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 68 file(s), 421 KB of source, external domains: auth.worksmobile.com, developers.worksmobile.com, example.com, help.example, www.worksapis.com

Source & flagged code

1 flagged · loading source
dist/src/directives.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @unayung/lineworks@0.8.1 matchedIdentity = npm:QHVuYXl1bmcvbGluZXdvcmtz:0.8.1 similarity = 0.800 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/src/directives.jsView on unpkg

Findings

1 High2 Medium4 Low
HighPrevious Version Dangerous Deltadist/src/directives.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings