registry  /  clawlabor  /  1.16.2

clawlabor@1.16.2

ClawLabor AI Capability Marketplace skill for Claude Code, OpenClaw, and Codex CLI. Discover, purchase, and sell specialized AI capabilities.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `clawlabor labor-serve` or `clawlabor install`.
Impact
The remote sandbox image can access the injected OAuth token or mounted runtime credentials; source does not establish exfiltration or stealth execution.
Mechanism
Explicit CLI setup plus credentialed Docker sandbox execution.
Rationale
No concrete malicious behavior executes during npm installation or import, so a block is not justified. The explicit credentialed remote-container capability remains a meaningful unresolved security risk and warrants a warning.
Evidence
package.jsonbin/install.jsruntime/claude_auth.jsruntime/commands/command-labor.jsruntime/commands/labor-sandbox.jsruntime/commands/command-upgrade.js~/.claude/.credentials.json~/.claude-oauth-credentials.json~/.codex/auth.json~/.codex/config.toml~/.local/share/opencode/auth.json~/.claude/skills/clawlabor~/.openclaw/skills/clawlabor~/.codex/skills/clawlabor~/.hermes/skills/clawlabor~/.clawlabor/hires
Network endpoints2
www.clawlabor.com/apiplatform.claude.com/v1/oauth/token

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `runtime/commands/command-labor.js` reads local Claude/Codex/OpenCode authentication material for `labor-serve`.
  • `runtime/commands/labor-sandbox.js` pulls and executes `ryanxdocker/sandbox-clawlabor:0.4.5` via Docker.
  • The sandbox receives Claude OAuth by environment variable or read-only mounts of Codex/OpenCode credential files.
  • `bin/install.js` can replace named Claude/OpenClaw/Codex/Hermes skill directories, but only when its CLI is invoked.
  • `command-upgrade.js` explicitly runs `npm install -g clawlabor@latest` on the user-requested upgrade command.
Evidence against
  • `package.json` defines no `preinstall`, `install`, `postinstall`, or `prepare` lifecycle hook.
  • `bin/install.js` is a CLI entrypoint; installer actions require `clawlabor install` or direct invocation.
  • Agent-directory writes are limited to `clawlabor` skill paths and selected platform/project targets.
  • No `eval`, `Function`, `vm`, dynamic module loading, native loading, or encoded payload execution was found.
  • Network calls are package-aligned: `www.clawlabor.com/api` and Claude OAuth token refresh.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
Manifest
CopyleftLicense
scanned 46 file(s), 304 KB of source, external domains: 127.0.0.1, api.openai.com, developers.cloudflare.com, docs.anthropic.com, example.com, platform.claude.com, www.clawlabor.com

Source & flagged code

4 flagged · loading source
bin/install.jsView file
25const os = require("os"); L26: const { spawnSync } = require("child_process"); L27:
High
Child Process

Package source references child process execution.

bin/install.jsView on unpkg · L25
runtime/claude_auth.jsView file
3const path = require("node:path"); L4: const { spawn, spawnSync } = require("node:child_process"); L5: ... L10: const ANTHROPIC_OAUTH_CLIENT_ID = "9d1c250a-e61b-44d9-88ed-5944d1962f5e"; L11: const ANTHROPIC_OAUTH_TOKEN_URL = "https://platform.claude.com/v1/oauth/token"; L12: const REFRESH_SAFETY_MARGIN_MS = 5 * 60 * 1000; ... L14: L15: function claudeCredentialsPaths(env = process.env) { L16: const home = env.HOME || os.homedir(); L17: return [ ... L24: try { L25: return JSON.parse(fs.readFileSync(file, "utf8"));
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

runtime/claude_auth.jsView on unpkg · L3
runtime/commands/command-upgrade.jsView file
10const spawnSync = deps.spawnSync; L11: const install = spawnSync("npm", ["install", "-g", "clawlabor@latest"], { L12: encoding: "utf8", ... L15: if (install.status !== 0) { L16: throw new Error("Failed to upgrade ClawLabor with `npm install -g clawlabor@latest`"); L17: }
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

runtime/commands/command-upgrade.jsView on unpkg · L10
runtime/cli.jsView file
matchType = previous_version_dangerous_delta matchedPackage = clawlabor@1.16.1 matchedIdentity = npm:Y2xhd2xhYm9y:1.16.1 similarity = 0.935 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

runtime/cli.jsView on unpkg

Findings

1 Critical3 High3 Medium5 Low
CriticalPrevious Version Dangerous Deltaruntime/cli.js
HighChild Processbin/install.js
HighSandbox Evasion Gated Capabilityruntime/claude_auth.js
HighRuntime Package Installruntime/commands/command-upgrade.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowCopyleft License