registry  /  @xgjktech/xg_cwork_im  /  1.16.4

@xgjktech/xg_cwork_im@1.16.4

XG CWork IM channel plugin for OpenClaw

AI Security Review

scanned 8h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
No blocking static signals were detected.
Trigger
An authenticated IM WebSocket message named `openclawApplySyncMapping`, with `syncServiceBaseUrl` configured.
Impact
May enable an external sync service to act on an operator-provided or remote-command-selected host directory.
Mechanism
Remote WebSocket command configures external directory-sync mappings.
Rationale
No concrete malware chain or install-time mutation was found. The remote-triggered directory-sync mapping capability remains a real, configurable risk and warrants a warning rather than a block.
Evidence
package.jsondist/index.jsdist/src/connection.jsdist/src/apply-sync-mapping.jsdist/src/sync-service-client.jsdist/src/send-file-tool.jsdist/src/project-path-normalize.js

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `dist/src/connection.js` accepts the `openclawApplySyncMapping` WebSocket command.
  • `dist/src/apply-sync-mapping.js` accepts `host_absolute` local roots and forwards resolved paths to a sync-service API.
  • The remote command can PUT or DELETE mappings once `syncServiceBaseUrl` is configured.
  • `dist/src/sync-service-client.js` performs the mapping API requests without an additional local confirmation.
Evidence against
  • `package.json` has no preinstall, install, or postinstall hook; `prepublishOnly` only builds.
  • `dist/index.js` registers an OpenClaw channel and optional IM tools, matching the declared plugin purpose.
  • No shell execution, eval/vm, dynamic code loading, binaries, or package-local persistence was found.
  • File reads for the send-file tool are constrained to the current agent workspace in `dist/src/send-file-tool.js`.
Behavioral surface
Source
ChildProcessCryptoFilesystemNetworkWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 57 file(s), 320 KB of source, external domains: example.com, im.example.com

Source & flagged code

3 flagged · loading source
dist/src/connection.jsView file
Published source reference
Medium
Ai Review Evidence

`dist/src/connection.js` accepts the `openclawApplySyncMapping` WebSocket command.

dist/src/connection.jsView on unpkg
dist/src/apply-sync-mapping.jsView file
Published source reference
Medium
Ai Review Evidence

`dist/src/apply-sync-mapping.js` accepts `host_absolute` local roots and forwards resolved paths to a sync-service API.

dist/src/apply-sync-mapping.jsView on unpkg
dist/src/sync-service-client.jsView file
Published source reference
Medium
Ai Review Evidence

`dist/src/sync-service-client.js` performs the mapping API requests without an additional local confirmation.

dist/src/sync-service-client.jsView on unpkg

Findings

5 Medium5 Low
MediumNetwork
MediumAi Review Evidencedist/src/connection.js
MediumAi Review Evidencedist/src/apply-sync-mapping.js
MediumAi Review Evidence
MediumAi Review Evidencedist/src/sync-service-client.js
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings