registry  /  forge-openclaw-plugin  /  0.3.30

forge-openclaw-plugin@0.3.30

Curated OpenClaw adapter for the Forge collaboration API, UI entrypoint, and localhost auto-start runtime.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. Loading the OpenClaw extension can start its bundled Forge service for localhost and register agent hooks/tools. New sessions can receive Forge data as generated bootstrap context. No npm install-time mutation or confirmed malicious exfiltration is present.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
OpenClaw loads the plugin; local-runtime bootstrap runs for a localhost Forge origin, and agent session bootstrap runs when enabled.
Impact
The plugin expands the host agent's capabilities and exposes user-configured Forge data to its own session context; it writes only plugin-scoped runtime state/log files.
Mechanism
First-party OpenClaw extension lifecycle, local server spawning, and configured Forge API/session integration.
Rationale
Not malicious by static source inspection, but its first-party startup/runtime and agent-session bootstrap behavior warrants a warning under the extension lifecycle policy.
Evidence
package.jsonopenclaw.plugin.jsondist/openclaw/local-runtime.jsdist/openclaw/api-client.jsdist/openclaw/session-bootstrap.jsdist/server/apps/api/src/services/macos-calendar-helper.js~/.openclaw/run/forge-openclaw-plugin/<origin>-<port>.json~/.openclaw/logs/forge-openclaw-plugin/<origin>-<port>.log.forge/generated/FORGE_SESSION_BOOTSTRAP.md
Network endpoints4
127.0.0.1:<configured-port>/forge/world.openfoodfacts.org/cgi/search.plworld.openfoodfacts.org/api/v2/product/<barcode>.jsonapi.nal.usda.gov/fdc/v1/foods/search

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `openclaw.plugin.json` activates on startup and registers extensive agent tools.
  • `dist/openclaw/local-runtime.js` auto-starts a local Forge server and writes runtime state/logs under `~/.openclaw`.
  • `dist/openclaw/session-bootstrap.js` injects Forge-derived session context during `agent:bootstrap`.
  • `dist/server/apps/api/src/services/macos-calendar-helper.js` compiles/runs a local macOS Calendar helper after platform and permission checks.
Evidence against
  • `package.json` has no npm preinstall/install/postinstall lifecycle script.
  • `dist/openclaw/api-client.js` sends Forge credentials only to the user-configured Forge base URL.
  • `dist/server/apps/api/src/health-weight-loss.js` external requests are feature-specific nutrition lookups, not environment harvesting.
  • No concrete secret exfiltration, remote payload loading, eval/vm use, or stealth persistence found.
  • `dist/favicon.ico` is a normal Windows icon resource, not an opaque executable payload.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedProtestwareTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 324 file(s), 9.87 MB of source, external domains: 127.0.0.1, accounts.google.com, api.nal.usda.gov, api.open-meteo.com, api.openai.com, apidata.googleusercontent.com, auth.openai.com, bit.ly, caldav.example.com, caldav.icloud.com, cdn.who.int, chatgpt.com, console.cloud.google.com, developers.google.com, example.com, forge.local, github.com, graph.microsoft.com, iris.who.int, learn.microsoft.com, login.microsoftonline.com, maplibre.org, mhpssknowledgehub.sph.cuny.edu, oauth2.googleapis.com, open.spotify.com, openclaw.local, openidconnect.googleapis.com, pro.reactflow.dev, radix-ui.com, react-dnd.github.io, react.dev, reactflow.dev, reactjs.org, redux-toolkit.js.org, redux.js.org, support.apple.com, tile.openstreetmap.org, world.openfoodfacts.org, www.anima.com.au, www.apple.com, www.googleapis.com, www.phqscreeners.com, www.ptsd.va.gov, www.w3.org, www.who.int

Source & flagged code

8 flagged · loading source
dist/openclaw/local-runtime.jsView file
1import { spawn } from "node:child_process"; L2: import { closeSync, existsSync, mkdirSync, openSync } from "node:fs";
High
Child Process

Package source references child process execution.

dist/openclaw/local-runtime.jsView on unpkg · L1
509const enableManagedDevWeb = shouldEnableManagedDevWeb(plan); L510: const child = spawn(process.execPath, args, { L511: cwd: plan.packageRoot, L512: env: { L513: ...process.env, L514: HOST: "127.0.0.1", ... L518: ? { L519: FORGE_DEV_WEB_ORIGIN: process.env.FORGE_DEV_WEB_ORIGIN ?? "http://127.0.0.1:3027/forge/" L520: }
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/openclaw/local-runtime.jsView on unpkg · L509
dist/server/apps/api/src/web.jsView file
86env: input.env, L87: shell: true L88: };
High
Shell

Package source references shell execution.

dist/server/apps/api/src/web.jsView on unpkg · L86
dist/assets/graph-CE7RmeLj.jsView file
317`,hl=ll,Vo=WebGLRenderingContext,er=Vo.UNSIGNED_BYTE,lt=Vo.FLOAT,fl=["u_matrix","u_zoomRatio","u_sizeRatio","u_correctionRatio","u_pixelRatio","u_feather","u_minEdgeThickness"],gl=... L318: In order to be iterable, non-array objects must have a [Symbol.iterator]() method.`)}function ur(e){return Hl(e)||jl(e)||Ro(e)||Vl()}function Wl(e,t){if(e==null)return{};var n={};f...
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/assets/graph-CE7RmeLj.jsView on unpkg · L317
dist/openclaw/session-registry.jsView file
52path: "/api/v1/agents/sessions", L53: body: { L54: provider: SESSION_PROVIDER, L55: agentLabel: process.env.FORGE_AGENT_LABEL?.trim() || DEFAULT_RUNTIME_AGENT_LABEL, L56: agentType: SESSION_PROVIDER,
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/openclaw/session-registry.jsView on unpkg · L52
dist/server/apps/api/src/health-weight-loss.jsView file
249if (!candidate) { L250: return Intl.DateTimeFormat().resolvedOptions().timeZone || "UTC"; L251: } ... L293: try { L294: const parsed = JSON.parse(value); L295: return parsed ?? fallback; ... L1981: async function searchOpenFoodFacts(query, limit) { L1982: const url = new URL("https://world.openfoodfacts.org/cgi/search.pl"); L1983: url.searchParams.set("search_terms", query); ... L1999: async function lookupOpenFoodFactsBarcode(barcode) { L2000: const response = await fetch(`https://world.openfoodfacts.org/api/v2/product/${encodeURIComponent(barcode)}.json`, { headers: { accept: "application/json" } }); L2001: if (!response.ok) {
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

dist/server/apps/api/src/health-weight-loss.jsView on unpkg · L249
dist/favicon.icoView file
path = dist/favicon.ico kind = high_entropy_blob sizeBytes = 12681 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dist/favicon.icoView on unpkg
dist/server/apps/api/src/services/macos-calendar-helper.jsView file
matchType = previous_version_dangerous_delta matchedPackage = forge-openclaw-plugin@0.3.24 matchedIdentity = npm:Zm9yZ2Utb3BlbmNsYXctcGx1Z2lu:0.3.24 similarity = 0.600 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/server/apps/api/src/services/macos-calendar-helper.jsView on unpkg

Findings

2 Critical4 High5 Medium6 Low
CriticalCredential Exfiltrationdist/server/apps/api/src/health-weight-loss.js
CriticalPrevious Version Dangerous Deltadist/server/apps/api/src/services/macos-calendar-helper.js
HighChild Processdist/openclaw/local-runtime.js
HighShelldist/server/apps/api/src/web.js
HighSame File Env Network Executiondist/openclaw/local-runtime.js
HighShips High Entropy Blobdist/favicon.ico
MediumDynamic Requiredist/assets/graph-CE7RmeLj.js
MediumNetwork
MediumEnvironment Vars
MediumProtestware
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptodist/openclaw/session-registry.js
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings