AI Security Review
scanned 3h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. Explicit setup commands can register an AgenticROS MCP server in AI-agent host configuration files. The bundled OpenClaw extension activates on gateway startup after user-approved setup. No unconsented install-time mutation or confirmed exfiltration was established.
Decision evidence
public snapshot- `dist/util/mcp-setup.js` explicitly configures Codex, Hermes, and Claude MCP hosts.
- `dist/util/codex-config.js` writes an enabled `agenticros` server into `~/.codex/config.toml`.
- `dist/util/claude-config.js` and `dist/util/hermes-config.js` preserve other entries but write their `agenticros` host entries.
- `runtime/packages/agenticros/agenticros-agenticros-0.0.1.tgz` contains a first-party OpenClaw plugin with `onStartup` activation.
- `dist/commands/init.js` runs plugin setup only after an interactive confirmation.
- `package.json` has only `prepublishOnly`; no install, preinstall, or postinstall hook.
- CLI entrypoint dispatches commands; source shows no import-time config mutation.
- No inspected source showed credential harvesting or secret exfiltration.
- No fixed non-local exfiltration endpoint or remote payload loader was found.
- Dynamic local skill loading in `dist/commands/skills-dev.js` is initiated by an explicit developer command.
Source & flagged code
10 flagged · loading sourcePackage source references child process execution.
dist/util/mcp-discovery.jsView on unpkg · L16Package source references dynamic require/import behavior.
dist/commands/skills-dev.jsView on unpkg · L89A single source file combines environment access, network access, and code or shell execution; review context before blocking.
dist/util/marketplace.jsView on unpkg · L3Package source invokes a package manager install command at runtime.
runtime/scripts/check-cli-tarball-install.mjsView on unpkg · L197Package ships non-JavaScript build or shell helper files.
runtime/scripts/start_demo.shView on unpkgPackage ships high-entropy non-source blobs.
runtime/packages/agenticros/agenticros-agenticros-0.0.1.tgzView on unpkgPackage ships compressed or archive-like blobs.
runtime/packages/agenticros/agenticros-agenticros-0.0.1.tgzView on unpkgPackage ships a nested archive or MCP bundle that was inventoried but not recursively analyzed.
runtime/packages/agenticros/agenticros-agenticros-0.0.1.tgzView on unpkgThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
runtime/packages/robot-eyes/src/index.jsView on unpkg