registry  /  forge-openclaw-plugin  /  0.3.23

forge-openclaw-plugin@0.3.23

Curated OpenClaw adapter for the Forge collaboration API, UI entrypoint, and localhost auto-start runtime.

AI Security Review

scanned 10d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. The package is a Forge/OpenClaw adapter that can start a localhost Forge runtime, proxy configured Forge API calls, and expose user-invoked tools.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
plugin startup, agent bootstrap, or explicit Forge tool/API actions
Impact
Package-aligned local service startup, local state/log writes, and optional user/config-driven external API calls.
Mechanism
localhost runtime bootstrap and configured API proxy
Rationale
Static source inspection found risky primitives, but they are aligned with the advertised Forge localhost runtime/plugin features and are gated by startup, config, or user-invoked tools. I did not find install-time execution, credential harvesting, exfiltration to attacker infrastructure, persistence beyond runtime state/logs, or unconsented AI-agent control hijack.
Evidence
package.jsonopenclaw.plugin.jsonserver/index.jsdist/openclaw/local-runtime.jsdist/openclaw/api-client.jsdist/openclaw/plugin-entry-shared.jsdist/openclaw/session-bootstrap.jsdist/server/apps/api/src/health-weight-loss.jsdist/server/apps/api/src/services/gamification-assets.jsdist/server/apps/api/src/web.js~/.openclaw/run/forge-openclaw-plugin/*.json~/.openclaw/logs/forge-openclaw-plugin/*.log~/.forgeruntime-assets/gamification/styles/*.forge/generated/FORGE_SESSION_BOOTSTRAP.md
Network endpoints7
127.0.0.1localhostworld.openfoodfacts.orgapi.nal.usda.gov/fdc/v1/foods/searchgithub.com/albertbuchard/forge/releases/download/forge-gamification-assets-v0.2.59api.openai.com/v1chatgpt.com/backend-api

Decision evidence

public snapshot
AI called this Clean at 88.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no install/postinstall/preinstall lifecycle hooks; only a build script is declared.
    • dist/openclaw/local-runtime.js child_process use is localhost runtime management: starts packaged Forge server, npm install uses --ignore-scripts, writes state/logs under ~/.openclaw.
    • dist/openclaw/api-client.js sends configured apiToken only as Bearer to configured Forge baseUrl and can bootstrap only localhost/Tailscale operator sessions.
    • dist/openclaw/session-bootstrap.js injects generated Forge context on agent bootstrap, but this is declared plugin functionality with config flag injectBootstrapContext.
    • dist/server/apps/api/src/health-weight-loss.js network calls are nutrition/model-provider features to OpenFoodFacts, USDA FDC, or configured ChatGPT/OpenAI profile; no env/credential harvesting found.
    • dist/server/apps/api/src/services/gamification-assets.js downloads fixed GitHub asset archives with SHA-256 validation before extraction.
    Behavioral surface
    Source
    ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
    Supply chain
    HighEntropyStringsMinifiedProtestwareTelemetryUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 320 file(s), 9.63 MB of source, external domains: 127.0.0.1, accounts.google.com, api.nal.usda.gov, api.open-meteo.com, api.openai.com, apidata.googleusercontent.com, auth.openai.com, bit.ly, caldav.example.com, caldav.icloud.com, cdn.who.int, chatgpt.com, console.cloud.google.com, developers.google.com, example.com, forge.local, github.com, graph.microsoft.com, iris.who.int, learn.microsoft.com, login.microsoftonline.com, maplibre.org, mhpssknowledgehub.sph.cuny.edu, oauth2.googleapis.com, open.spotify.com, openclaw.local, openidconnect.googleapis.com, pro.reactflow.dev, radix-ui.com, react-dnd.github.io, react.dev, reactflow.dev, reactjs.org, redux-toolkit.js.org, redux.js.org, support.apple.com, world.openfoodfacts.org, www.anima.com.au, www.apple.com, www.googleapis.com, www.phqscreeners.com, www.ptsd.va.gov, www.w3.org, www.who.int

    Source & flagged code

    7 flagged · loading source
    dist/openclaw/local-runtime.jsView file
    1import { spawn } from "node:child_process"; L2: import { closeSync, existsSync, mkdirSync, openSync } from "node:fs";
    High
    Child Process

    Package source references child process execution.

    dist/openclaw/local-runtime.jsView on unpkg · L1
    509const enableManagedDevWeb = shouldEnableManagedDevWeb(plan); L510: const child = spawn(process.execPath, args, { L511: cwd: plan.packageRoot, L512: env: { L513: ...process.env, L514: HOST: "127.0.0.1", ... L518: ? { L519: FORGE_DEV_WEB_ORIGIN: process.env.FORGE_DEV_WEB_ORIGIN ?? "http://127.0.0.1:3027/forge/" L520: }
    High
    Same File Env Network Execution

    A single source file combines environment access, network access, and code or shell execution; review context before blocking.

    dist/openclaw/local-runtime.jsView on unpkg · L509
    dist/server/apps/api/src/web.jsView file
    70env: input.env, L71: shell: true L72: };
    High
    Shell

    Package source references shell execution.

    dist/server/apps/api/src/web.jsView on unpkg · L70
    dist/assets/motion-BryW_XlF.jsView file
    8} L9: `),()=>{var R;(R=a.current)==null||R.removeAttribute("data-motion-pop-id"),C.contains(P)&&C.removeChild(P)}},[e]),nt.jsx(Tu,{isPresent:e,childRef:a,sizeRef:l,pop:r,children:r===!1?...
    Medium
    Dynamic Require

    Package source references dynamic require/import behavior.

    dist/assets/motion-BryW_XlF.jsView on unpkg · L8
    dist/openclaw/session-registry.jsView file
    52path: "/api/v1/agents/sessions", L53: body: { L54: provider: SESSION_PROVIDER, L55: agentLabel: process.env.FORGE_AGENT_LABEL?.trim() || DEFAULT_RUNTIME_AGENT_LABEL, L56: agentType: SESSION_PROVIDER,
    Low
    Weak Crypto

    Package source references weak cryptographic algorithms.

    dist/openclaw/session-registry.jsView on unpkg · L52
    dist/server/apps/api/src/health-weight-loss.jsView file
    252if (!candidate) { L253: return Intl.DateTimeFormat().resolvedOptions().timeZone || "UTC"; L254: } ... L296: try { L297: const parsed = JSON.parse(value); L298: return parsed ?? fallback; ... L1987: async function searchOpenFoodFacts(query, limit) { L1988: const url = new URL("https://world.openfoodfacts.org/cgi/search.pl"); L1989: url.searchParams.set("search_terms", query); ... L2005: async function lookupOpenFoodFactsBarcode(barcode) { L2006: const response = await fetch(`https://world.openfoodfacts.org/api/v2/product/${encodeURIComponent(barcode)}.json`, { headers: { accept: "application/json" } }); L2007: if (!response.ok) {
    Critical
    Credential Exfiltration

    Source appears to send environment or credential material to an external endpoint.

    dist/server/apps/api/src/health-weight-loss.jsView on unpkg · L252
    dist/favicon.icoView file
    path = dist/favicon.ico kind = high_entropy_blob sizeBytes = 12681 magicHex = [redacted]
    High
    Ships High Entropy Blob

    Package ships high-entropy non-source blobs.

    dist/favicon.icoView on unpkg

    Findings

    1 Critical4 High5 Medium6 Low
    CriticalCredential Exfiltrationdist/server/apps/api/src/health-weight-loss.js
    HighChild Processdist/openclaw/local-runtime.js
    HighShelldist/server/apps/api/src/web.js
    HighSame File Env Network Executiondist/openclaw/local-runtime.js
    HighShips High Entropy Blobdist/favicon.ico
    MediumDynamic Requiredist/assets/motion-BryW_XlF.js
    MediumNetwork
    MediumEnvironment Vars
    MediumProtestware
    MediumStructural Risk Force Deep Review
    LowScripts Present
    LowWeak Cryptodist/openclaw/session-registry.js
    LowFilesystem
    LowHigh Entropy Strings
    LowTelemetry
    LowUrl Strings