registry  /  aivibeclaw  /  2026.6.11

aivibeclaw@2026.6.11

Upgrade to 2026.7.2+ — AiVibeClaw enforces auto-update; older versions are unsupported and blocked by the version gate.

Multi-channel AI gateway with extensible messaging integrations

AI Security Review

scanned 9d ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. Install-time lifecycle code mutates AivibeClaw plugin registry/state outside the package. This is an AI-agent control surface change during npm install rather than an explicit runtime command.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm install lifecycle postinstall
Impact
Can alter the installed AI gateway plugin index/state used by later agent runs
Mechanism
unconsented plugin registry migration and legacy plugin dependency pruning
Policy narrative
During npm postinstall, the package runs bundled-plugin maintenance. That code prunes legacy plugin runtime dependency directories derived from user home/state config and imports the dist plugin-registry migration module. The migration reads existing config/install records and writes a persisted installed plugin index, changing the agent/plugin control surface at install time without a separate user command.
Rationale
Although much of the package is a legitimate AI gateway and no exfiltration was found, the install hook performs unconsented AI-agent plugin registry/state mutation outside the package. Under the firewall boundary this is blocking behavior even when package-aligned. Product guard normalized a non-low false-positive publish_block request to warn-only suspicious.
Evidence
package.jsonscripts/postinstall-bundled-plugins.mjsscripts/preinstall-package-manager-warning.mjsdist/commands/doctor/shared/plugin-registry-migration.jsdist/plugin-registry-migration-CfNMVte7.js~/.aivibeclaw/plugin-runtime-depsAIVIBECLAW_STATE_DIR/plugin-runtime-deps

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for policy block
  • package.json defines preinstall and postinstall lifecycle hooks
  • scripts/postinstall-bundled-plugins.mjs runs on direct postinstall invocation
  • postinstall imports dist/commands/doctor/shared/plugin-registry-migration.js and calls migratePluginRegistryForInstall
  • dist/plugin-registry-migration-CfNMVte7.js persists a migrated installed plugin index
  • postinstall also deletes legacy plugin-runtime-deps under AIVIBECLAW_HOME/state-derived roots
Evidence against
  • preinstall only emits a package-manager warning
  • postinstall has symlink/path containment checks around dist pruning and Baileys patching
  • No install-time network fetch or credential exfiltration endpoint found
  • CLI/systemd/service behavior appears user-invoked runtime functionality
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNativeBindingsNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 4,799 file(s), 51.9 MB of source, external domains: 127.0.0.1, 169.254.169.254, a.co, a2ui.org, account.minimax.io, account.minimaxi.com, accounts.feishu.cn, accounts.google.com, accounts.larksuite.com, agentskills.io, ai.azure.com, aiplatform.googleapis.com, aistudio.google.com, aivibeclaw.com, albumart.url, api-dashboard.search.brave.com, api-data.line.me, api.anthropic.com, api.botframework.com, api.chutes.ai, api.cohere.ai, api.deepgram.com, api.deepseek.com, api.dev.runwayml.com, api.example.com, api.github.com, api.imgflip.com, api.individual.githubcopilot.com, api.line.me, api.minimax.io, api.minimaxi.com, api.mistral.ai, api.moonshot.ai, api.moonshot.cn, api.novita.ai, api.openai.com, api.plivo.com, api.pluralkit.me, api.push.apple.com, api.sandbox.push.apple.com, api.search.brave.com, api.senseaudio.cn, api.synthetic.new, api.telegram.org, api.telnyx.com, api.together.xyz, api.twilio.com, api.voyageai.com, api.x.ai, api.xiaomimimo.com

Source & flagged code

19 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall-bundled-plugins.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
dist/dist-CdD4a7gg.jsView file
5588patternName = private_key_rsa severity = critical line = 5588 matchedText = if (type...g");
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist/dist-CdD4a7gg.jsView on unpkg · L5588
5588patternName = private_key_rsa severity = critical line = 5588 matchedText = if (type...g");
Critical
Secret Pattern

RSA private key in dist/dist-CdD4a7gg.js

dist/dist-CdD4a7gg.jsView on unpkg · L5588
13656patternName = generic_password severity = medium line = 13656 matchedText = passwo...
Medium
Secret Pattern

Hardcoded password in dist/dist-CdD4a7gg.js

dist/dist-CdD4a7gg.jsView on unpkg · L13656
21205patternName = generic_password severity = medium line = 21205 matchedText = passwo...
Medium
Secret Pattern

Hardcoded password in dist/dist-CdD4a7gg.js

dist/dist-CdD4a7gg.jsView on unpkg · L21205
scripts/postinstall-bundled-plugins.mjsView file
818} L819: const importModule = params.importModule ?? ((specifier) => import(specifier)); L820: return await importModule(resolveDistModuleUrl(packageRoot, distPath));
Medium
Dynamic Require

Package source references dynamic require/import behavior.

scripts/postinstall-bundled-plugins.mjsView on unpkg · L818
dist/clawhub-D9h8o5bB.jsView file
13//#region src/infra/clawhub.ts L14: const DEFAULT_CLAWHUB_URL = "https://clawhub.ai"; L15: const DEFAULT_GITHUB_CODELOAD_URL = "https://codeload.github.com"; ... L33: function normalizeBaseUrl(baseUrl) { L34: const envValue = normalizeOptionalString(process.env.AIVIBECLAW_CLAWHUB_URL) || normalizeOptionalString(process.env.CLAWHUB_URL) || DEFAULT_CLAWHUB_URL; L35: return (normalizeOptionalString(baseUrl) || envValue).replace(/\/+$/, "") || DEFAULT_CLAWHUB_URL; ... L48: const xdgConfigHome = normalizeOptionalString(process.env.XDG_CONFIG_HOME); L49: const configHome = xdgConfigHome && xdgConfigHome.length > 0 ? xdgConfigHome : path.join(os.homedir(), ".config"); L50: const xdgPath = path.join(configHome, "clawhub", "config.json"); L51: if (process.platform === "darwin") return [path.join(os.homedir(), "Library", "Application Support", "clawhub", "config.json"), xdgPath]; L52: return [xdgPath]; ... L58: const raw = await fs.readFile(configPath, "utf8");
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/clawhub-D9h8o5bB.jsView on unpkg · L13
dist/systemd-D1cMFGus.jsView file
104try { L105: return os.userInfo().username; L106: } catch { ... L114: try { L115: const { stdout } = await runExec("loginctl", [ L116: "show-user", ... L482: async function execSystemctl(args, env) { L483: return await execFileUtf8("systemctl", args, { env: env ? resolveSystemctlProcessEnv(env) : process.env }); L484: } ... L848: await [redacted](env); L849: if (removed) stdout.write(`${formatLine("Removed systemd service", unitPath)}\n`); L850: else stdout.write(`Systemd service not found at ${unitPath}\n`);
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/systemd-D1cMFGus.jsView on unpkg · L104
dist/control-ui/assets/config-runtime-Chws_C6h.jsView file
2contains invisible/control Unicode U+FEFF (zero width no-break space) `?(o++,s=0):e?s+=e.length:s++,e&&(a+=e.length),e}var te={default(){switch(_){case` `:case`\v`:case`\f`:case` `:case`\xA0`:case`<U+FEFF>`:case`
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

dist/control-ui/assets/config-runtime-Chws_C6h.jsView on unpkg · L2
skills/model-usage/scripts/test_model_usage.pyView file
path = skills/model-usage/scripts/test_model_usage.py kind = build_helper sizeBytes = 5654 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

skills/model-usage/scripts/test_model_usage.pyView on unpkg
dist/proxy-cli.runtime-DARm2C1E.jsView file
856patternName = generic_password severity = medium line = 856 matchedText = url.pass...ed";
Medium
Secret Pattern

Hardcoded password in dist/proxy-cli.runtime-DARm2C1E.js

dist/proxy-cli.runtime-DARm2C1E.jsView on unpkg · L856
dist/i18n-2H5-8AI2.jsView file
11patternName = generic_password severity = medium line = 11 matchedText = password...rd",
Medium
Secret Pattern

Hardcoded password in dist/i18n-2H5-8AI2.js

dist/i18n-2H5-8AI2.jsView on unpkg · L11
docs/help/faq.mdView file
1511patternName = generic_password severity = medium line = 1511 matchedText = password...rd",
Medium
Secret Pattern

Hardcoded password in docs/help/faq.md

docs/help/faq.mdView on unpkg · L1511
docs/gateway/tailscale.mdView file
118patternName = generic_password severity = medium line = 118 matchedText = auth: { ..." },
Medium
Secret Pattern

Hardcoded password in docs/gateway/tailscale.md

docs/gateway/tailscale.mdView on unpkg · L118
docs/gateway/configuration-reference.mdView file
515patternName = generic_password severity = medium line = 515 matchedText = // passw...WORD
Medium
Secret Pattern

Hardcoded password in docs/gateway/configuration-reference.md

docs/gateway/configuration-reference.mdView on unpkg · L515
545patternName = generic_password severity = medium line = 545 matchedText = // passw...rd",
Medium
Secret Pattern

Hardcoded password in docs/gateway/configuration-reference.md

docs/gateway/configuration-reference.mdView on unpkg · L545
docs/gateway/config-channels.mdView file
756patternName = generic_password severity = medium line = 756 matchedText = password...D}",
Medium
Secret Pattern

Hardcoded password in docs/gateway/config-channels.md

docs/gateway/config-channels.mdView on unpkg · L756
docs/channels/matrix.mdView file
74patternName = generic_password severity = medium line = 74 matchedText = password...cret
Medium
Secret Pattern

Hardcoded password in docs/channels/matrix.md

docs/channels/matrix.mdView on unpkg · L74
docs/channels/irc.mdView file
206patternName = generic_password severity = medium line = 206 matchedText = password...rd",
Medium
Secret Pattern

Hardcoded password in docs/channels/irc.md

docs/channels/irc.mdView on unpkg · L206

Findings

3 Critical1 High18 Medium8 Low
CriticalCritical Secretdist/dist-CdD4a7gg.js
CriticalTrojan Source Unicodedist/control-ui/assets/config-runtime-Chws_C6h.js
CriticalSecret Patterndist/dist-CdD4a7gg.js
HighInstall Time Lifecycle Scriptspackage.json
MediumDynamic Requirescripts/postinstall-bundled-plugins.mjs
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/systemd-D1cMFGus.js
MediumProtestware
MediumShips Build Helperskills/model-usage/scripts/test_model_usage.py
MediumStructural Risk Force Deep Review
MediumSecret Patterndist/proxy-cli.runtime-DARm2C1E.js
MediumSecret Patterndist/i18n-2H5-8AI2.js
MediumSecret Patterndist/dist-CdD4a7gg.js
MediumSecret Patterndist/dist-CdD4a7gg.js
MediumSecret Patterndocs/help/faq.md
MediumSecret Patterndocs/gateway/tailscale.md
MediumSecret Patterndocs/gateway/configuration-reference.md
MediumSecret Patterndocs/gateway/configuration-reference.md
MediumSecret Patterndocs/gateway/config-channels.md
MediumSecret Patterndocs/channels/matrix.md
MediumSecret Patterndocs/channels/irc.md
LowScripts Present
LowEval
LowWeak Cryptodist/clawhub-D9h8o5bB.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings