AI Security Review
scanned 3h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. The plugin extends OpenClaw at runtime and supplies agent guidance that exposes the location and use of per-user OAuth tokens. It can retrieve a caller-supplied media URL and send it through LINE WORKS as part of outbound messaging.
Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
OpenClaw loads the configured LINE WORKS plugin; agent-driven mail/API actions or outbound media sends invoke the behavior.
Impact
A compromised or over-permissive OpenClaw agent could use consented LINE WORKS OAuth tokens for the user's scoped data; arbitrary media URLs also create runtime SSRF-like fetch exposure.
Mechanism
OpenClaw agent prompt plus OAuth-token-backed LINE WORKS API and media-upload operations.
Rationale
No concrete malicious chain or unconsented install-time mutation is present. The package is a first-party OpenClaw extension with meaningful agent capability and runtime URL-fetch risk, so it warrants a warning rather than a block.
Evidence
package.jsonindex.tssrc/channel.tssrc/oauth-store.tssrc/attachments.tssrc/auth.ts
Network endpoints2
auth.worksmobile.com/oauth2/v2.0/tokenwww.worksapis.com/v1.0
Decision evidence
public snapshotAI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- `src/channel.ts` injects agent instructions to read OAuth token files and invoke `exec` with `curl`.
- `src/oauth-store.ts` persists LINE WORKS access and refresh tokens under `~/.openclaw/credentials/lineworks-oauth/`.
- `src/attachments.ts` can fetch a runtime-supplied HTTP(S) media URL before uploading it to LINE WORKS.
- `index.ts` registers an OpenClaw channel extension at runtime.
Evidence against
- `package.json` has no `preinstall`, `install`, or `postinstall` lifecycle hook.
- Network calls target LINE WORKS OAuth/API endpoints, consistent with the declared channel plugin.
- `src/oauth-store.ts` uses owner-only directory and file modes (`0700`/`0600`) for tokens.
- `src/attachments.ts` invokes a fixed `ffmpeg` binary with an argument array, not a shell command.
- No source evidence of arbitrary payload loading, credential exfiltration to an unrelated host, or destructive filesystem behavior.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
1 flagged · loading sourcedist/src/directives.jsView file
•matchType = previous_version_dangerous_delta
matchedPackage = @unayung/lineworks@0.8.1
matchedIdentity = npm:QHVuYXl1bmcvbGluZXdvcmtz:0.8.1
similarity = 0.800
summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/src/directives.jsView on unpkgFindings
1 High2 Medium4 Low
HighPrevious Version Dangerous Deltadist/src/directives.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings