registry  /  aivibeclaw  /  2026.7.7

aivibeclaw@2026.7.7

Multi-channel AI gateway with extensible messaging integrations

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The package has install-time lifecycle behavior that mutates package-owned AivibeClaw state and dependency files. This is risky agent-extension lifecycle setup, but source inspection did not confirm exfiltration, remote payload execution, or foreign AI-agent control-surface hijack.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm install/postinstall or prepare in a source checkout
Impact
Can alter ~/.aivibeclaw state, package dist files, package node_modules hotfix target, and source-checkout git hook configuration; no confirmed malicious impact.
Mechanism
package-owned plugin registry migration, dist pruning, dependency hotfix, repo-local git hook setup
Rationale
Static inspection supports a warning for install-time agent-extension lifecycle mutation, not a publish block. The scanner’s secret/network/dynamic-require hints map to package-aligned CLI/provider functionality or metadata rather than a concrete malicious chain.
Evidence
package.jsonscripts/preinstall-package-manager-warning.mjsscripts/postinstall-bundled-plugins.mjsscripts/prepare-git-hooks.mjsdist/plugin-registry-migration-B4xRcfNw.jsdist/installed-plugin-index-store-DuPZrwp7.jsaivibeclaw.mjs~/.aivibeclaw/plugin-runtime-depsAivibeClaw state SQLite DBdist/node_modules/baileys/lib/Utils/messages-media.jsgit config core.hooksPath

Decision evidence

public snapshot
AI called this Suspicious at 78.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json defines preinstall, postinstall, and prepare lifecycle scripts.
  • scripts/postinstall-bundled-plugins.mjs runs install-time maintenance and imports fs write/remove APIs.
  • postinstall prunes ~/.aivibeclaw/plugin-runtime-deps and writes installed plugin index state via dist/plugin-registry-migration-B4xRcfNw.js.
  • scripts/prepare-git-hooks.mjs can run git config core.hooksPath git-hooks in a source worktree.
Evidence against
  • preinstall only detects npm/yarn/bun/pnpm and prints a package-manager warning.
  • postinstall dist pruning is constrained to package dist with realpath/symlink checks.
  • Baileys hotfix targets only packageRoot/node_modules/baileys/lib/Utils/messages-media.js with path validation.
  • Plugin registry migration writes AivibeClaw-owned state DB, not foreign .codex/.claude/.gemini config.
  • No lifecycle network fetch or credential exfiltration path confirmed.
  • Runtime network/child_process capabilities appear aligned with an AI gateway CLI and user-invoked features.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNativeBindingsNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 4,964 file(s), 55.3 MB of source, external domains: 127.0.0.1, 169.254.169.254, a.co, a2ui.org, account.minimax.io, account.minimaxi.com, accounts.feishu.cn, accounts.google.com, accounts.larksuite.com, agentskills.io, ai.azure.com, ai.ollama.com, aiplatform.googleapis.com, aistudio.google.com, aivibeclaw.com, albumart.url, api-dashboard.search.brave.com, api-data.line.me, api.anthropic.com, api.botframework.com, api.chutes.ai, api.cohere.ai, api.deepgram.com, api.deepseek.com, api.elevenlabs.io, api.example.com, api.github.com, api.individual.githubcopilot.com, api.ipify.org, api.line.me, api.minimax.io, api.minimaxi.com, api.mistral.ai, api.moonshot.ai, api.moonshot.cn, api.novita.ai, api.openai.com, api.plivo.com, api.pluralkit.me, api.push.apple.com, api.sandbox.push.apple.com, api.search.brave.com, api.senseaudio.cn, api.synthetic.new, api.telegram.org, api.together.xyz, api.twitch.tv, api.voyageai.com, api.x.ai, api.xiaomimimo.com

Source & flagged code

24 flagged · loading source
package.jsonView file
scripts.preinstall = node scripts/preinstall-package-manager-warning.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
dist/dist-CdD4a7gg.jsView file
5588patternName = private_key_rsa severity = critical line = 5588 matchedText = if (type...g");
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist/dist-CdD4a7gg.jsView on unpkg · L5588
5588patternName = private_key_rsa severity = critical line = 5588 matchedText = if (type...g");
Critical
Secret Pattern

RSA private key in dist/dist-CdD4a7gg.js

dist/dist-CdD4a7gg.jsView on unpkg · L5588
13656patternName = generic_password severity = medium line = 13656 matchedText = passwo...
Medium
Secret Pattern

Hardcoded password in dist/dist-CdD4a7gg.js

dist/dist-CdD4a7gg.jsView on unpkg · L13656
21205patternName = generic_password severity = medium line = 21205 matchedText = passwo...
Medium
Secret Pattern

Hardcoded password in dist/dist-CdD4a7gg.js

dist/dist-CdD4a7gg.jsView on unpkg · L21205
dist/model-selection-normalize-BTP6EeF7.jsView file
12*/ L13: const require = createRequire(import.meta.url); L14: const PROVIDER_RUNTIME_CANDIDATES = ["../plugins/provider-runtime.js", "../plugins/provider-runtime.ts"];
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/model-selection-normalize-BTP6EeF7.jsView on unpkg · L12
dist/dist-CDBT2qiy.jsView file
8import crypto from "node:crypto"; L9: import WebSocket$1 from "ws"; L10: import EventEmitter from "events"; ... L393: type: FriendEventType.UNKNOWN, L394: data: JSON.stringify(data), L395: threadId: "", ... L709: const floor = Math.floor; L710: const stringFromCharCode = String.fromCharCode; L711: /** L712: * A generic error utility function. L713: * @private L714: * @param {String} type The error type.
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/dist-CDBT2qiy.jsView on unpkg · L8
dist/schtasks-tPVt5qOS.jsView file
7import { n as resolveGatewayTaskScriptPath } from "./paths-BYCHqu4_.js"; L8: import { a as getWindowsSystem32ExePath, r as getWindowsPowerShellExePath, t as getWindowsCmdExePath } from "./windows-install-roots-C10Fw_vo.js"; L9: import { o as inspectPortUsage } from "./ports-eF3JQrwz.js"; ... L13: import { t as [redacted] } from "./gateway-processes-DoXdsHjX.js"; L14: import { t as execSchtasks } from "./schtasks-exec-BEc5SB9D.js"; L15: import path from "node:path"; ... L65: return `<?xml version="1.0" encoding="UTF-16"?> L66: <Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"> L67: <RegistrationInfo> ... L108: const xmlPath = path.join(tmpDir, "task.xml"); L109: const bom = Buffer.from([255, 254]); L110: const body = Buffer.from(xml, "utf16le");
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/schtasks-tPVt5qOS.jsView on unpkg · L7
dist/program-args-CJvxBmnh.jsView file
6import fs$1 from "node:fs/promises"; L7: import { execFileSync } from "node:child_process"; L8: //#region src/daemon/program-args.ts ... L95: async function resolveBinaryPath(binary) { L96: const cmd = process.platform === "win32" ? getWindowsSystem32ExePath("where.exe") : "which"; L97: try { ... L102: } catch { L103: if (binary === "bun") throw new Error("Bun not found in PATH. Install bun: https://bun.sh"); L104: throw new Error("Node not found in PATH. Install Node 24 (recommended) or Node 22 LTS (22.19+).");
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/program-args-CJvxBmnh.jsView on unpkg · L6
dist/ssrf-BCB9zFYS.jsView file
2import { _ as parseLooseIpAddress, c as isIpv4Address, d as isLinkLocalIpAddress, g as parseCanonicalIpAddress, i as isCanonicalDottedDecimalIPv4, n as isBlockedSpecialUseIpv4Addre... L3: import { n as createHttp1EnvHttpProxyAgent, r as createHttp1ProxyAgent, t as createHttp1Agent } from "./undici-runtime-prOuGYkM.js"; L4: import { t as normalizeHostname } from "./hostname-DAZapKzN.js"; L5: import { lookup } from "node:dns"; L6: import { lookup as lookup$1 } from "node:dns/promises"; ... L23: return { L24: allowPrivateNetwork: policy.allowPrivateNetwork === true, L25: dangerouslyAllowPrivateNetwork: policy.dangerouslyAllowPrivateNetwork === true,
High
Cloud Metadata Access

Source reaches cloud instance metadata or link-local credential endpoints.

dist/ssrf-BCB9zFYS.jsView on unpkg · L2
dist/tui-C2Fa59Vd.jsView file
673contains invisible/control Unicode U+2067 (right-to-left isolate) const RTL_ISOLATE_START = "<U+2067>";
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

dist/tui-C2Fa59Vd.jsView on unpkg · L673
deploy/announce-control-center.shView file
path = deploy/announce-control-center.sh kind = build_helper sizeBytes = 5650 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

deploy/announce-control-center.shView on unpkg
apps/beste-android/gradle/wrapper/gradle-wrapper.jarView file
path = apps/beste-android/gradle/wrapper/gradle-wrapper.jar kind = high_entropy_blob sizeBytes = 43583 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

apps/beste-android/gradle/wrapper/gradle-wrapper.jarView on unpkg
path = apps/beste-android/gradle/wrapper/gradle-wrapper.jar kind = compressed_blob sizeBytes = 43583 magicHex = [redacted]
Medium
Ships Compressed Blob

Package ships compressed or archive-like blobs.

apps/beste-android/gradle/wrapper/gradle-wrapper.jarView on unpkg
path = apps/beste-android/gradle/wrapper/gradle-wrapper.jar kind = nested_archive_needs_inspection sizeBytes = 43583 magicHex = [redacted]
Low
Nested Archive Needs Inspection

Package ships a nested archive or MCP bundle that was inventoried but not recursively analyzed.

apps/beste-android/gradle/wrapper/gradle-wrapper.jarView on unpkg
dist/i18n-2H5-8AI2.jsView file
11patternName = generic_password severity = medium line = 11 matchedText = password...rd",
Medium
Secret Pattern

Hardcoded password in dist/i18n-2H5-8AI2.js

dist/i18n-2H5-8AI2.jsView on unpkg · L11
dist/proxy-cli.runtime-BwXQBosl.jsView file
856patternName = generic_password severity = medium line = 856 matchedText = url.pass...ed";
Medium
Secret Pattern

Hardcoded password in dist/proxy-cli.runtime-BwXQBosl.js

dist/proxy-cli.runtime-BwXQBosl.jsView on unpkg · L856
docs/help/faq.mdView file
1511patternName = generic_password severity = medium line = 1511 matchedText = password...rd",
Medium
Secret Pattern

Hardcoded password in docs/help/faq.md

docs/help/faq.mdView on unpkg · L1511
docs/gateway/tailscale.mdView file
118patternName = generic_password severity = medium line = 118 matchedText = auth: { ..." },
Medium
Secret Pattern

Hardcoded password in docs/gateway/tailscale.md

docs/gateway/tailscale.mdView on unpkg · L118
docs/gateway/configuration-reference.mdView file
515patternName = generic_password severity = medium line = 515 matchedText = // passw...WORD
Medium
Secret Pattern

Hardcoded password in docs/gateway/configuration-reference.md

docs/gateway/configuration-reference.mdView on unpkg · L515
545patternName = generic_password severity = medium line = 545 matchedText = // passw...rd",
Medium
Secret Pattern

Hardcoded password in docs/gateway/configuration-reference.md

docs/gateway/configuration-reference.mdView on unpkg · L545
docs/gateway/config-channels.mdView file
756patternName = generic_password severity = medium line = 756 matchedText = password...D}",
Medium
Secret Pattern

Hardcoded password in docs/gateway/config-channels.md

docs/gateway/config-channels.mdView on unpkg · L756
docs/channels/matrix.mdView file
74patternName = generic_password severity = medium line = 74 matchedText = password...cret
Medium
Secret Pattern

Hardcoded password in docs/channels/matrix.md

docs/channels/matrix.mdView on unpkg · L74
docs/channels/irc.mdView file
206patternName = generic_password severity = medium line = 206 matchedText = password...rd",
Medium
Secret Pattern

Hardcoded password in docs/channels/irc.md

docs/channels/irc.mdView on unpkg · L206

Findings

3 Critical4 High19 Medium10 Low
CriticalCritical Secretdist/dist-CdD4a7gg.js
CriticalTrojan Source Unicodedist/tui-C2Fa59Vd.js
CriticalSecret Patterndist/dist-CdD4a7gg.js
HighInstall Time Lifecycle Scriptspackage.json
HighSandbox Evasion Gated Capabilitydist/program-args-CJvxBmnh.js
HighCloud Metadata Accessdist/ssrf-BCB9zFYS.js
HighShips High Entropy Blobapps/beste-android/gradle/wrapper/gradle-wrapper.jar
MediumDynamic Requiredist/model-selection-normalize-BTP6EeF7.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/schtasks-tPVt5qOS.js
MediumProtestware
MediumShips Build Helperdeploy/announce-control-center.sh
MediumShips Compressed Blobapps/beste-android/gradle/wrapper/gradle-wrapper.jar
MediumStructural Risk Force Deep Review
MediumSecret Patterndist/i18n-2H5-8AI2.js
MediumSecret Patterndist/dist-CdD4a7gg.js
MediumSecret Patterndist/dist-CdD4a7gg.js
MediumSecret Patterndist/proxy-cli.runtime-BwXQBosl.js
MediumSecret Patterndocs/help/faq.md
MediumSecret Patterndocs/gateway/tailscale.md
MediumSecret Patterndocs/gateway/configuration-reference.md
MediumSecret Patterndocs/gateway/configuration-reference.md
MediumSecret Patterndocs/gateway/config-channels.md
MediumSecret Patterndocs/channels/matrix.md
MediumSecret Patterndocs/channels/irc.md
LowNon Install Lifecycle Scripts
LowScripts Present
LowEval
LowWeak Cryptodist/dist-CDBT2qiy.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings
LowNested Archive Needs Inspectionapps/beste-android/gradle/wrapper/gradle-wrapper.jar