registry  /  forge-openclaw-plugin  /  0.3.30

forge-openclaw-plugin@0.3.30

⚠ Under review

Curated OpenClaw adapter for the Forge collaboration API, UI entrypoint, and localhost auto-start runtime.

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 17 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedProtestwareTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 324 file(s), 9.87 MB of source, external domains: 127.0.0.1, accounts.google.com, api.nal.usda.gov, api.open-meteo.com, api.openai.com, apidata.googleusercontent.com, auth.openai.com, bit.ly, caldav.example.com, caldav.icloud.com, cdn.who.int, chatgpt.com, console.cloud.google.com, developers.google.com, example.com, forge.local, github.com, graph.microsoft.com, iris.who.int, learn.microsoft.com, login.microsoftonline.com, maplibre.org, mhpssknowledgehub.sph.cuny.edu, oauth2.googleapis.com, open.spotify.com, openclaw.local, openidconnect.googleapis.com, pro.reactflow.dev, radix-ui.com, react-dnd.github.io, react.dev, reactflow.dev, reactjs.org, redux-toolkit.js.org, redux.js.org, support.apple.com, tile.openstreetmap.org, world.openfoodfacts.org, www.anima.com.au, www.apple.com, www.googleapis.com, www.phqscreeners.com, www.ptsd.va.gov, www.w3.org, www.who.int

Source & flagged code

8 flagged · loading source
dist/openclaw/local-runtime.jsView file
1import { spawn } from "node:child_process"; L2: import { closeSync, existsSync, mkdirSync, openSync } from "node:fs";
High
Child Process

Package source references child process execution.

dist/openclaw/local-runtime.jsView on unpkg · L1
509const enableManagedDevWeb = shouldEnableManagedDevWeb(plan); L510: const child = spawn(process.execPath, args, { L511: cwd: plan.packageRoot, L512: env: { L513: ...process.env, L514: HOST: "127.0.0.1", ... L518: ? { L519: FORGE_DEV_WEB_ORIGIN: process.env.FORGE_DEV_WEB_ORIGIN ?? "http://127.0.0.1:3027/forge/" L520: }
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/openclaw/local-runtime.jsView on unpkg · L509
dist/server/apps/api/src/web.jsView file
86env: input.env, L87: shell: true L88: };
High
Shell

Package source references shell execution.

dist/server/apps/api/src/web.jsView on unpkg · L86
dist/assets/graph-CE7RmeLj.jsView file
317`,hl=ll,Vo=WebGLRenderingContext,er=Vo.UNSIGNED_BYTE,lt=Vo.FLOAT,fl=["u_matrix","u_zoomRatio","u_sizeRatio","u_correctionRatio","u_pixelRatio","u_feather","u_minEdgeThickness"],gl=... L318: In order to be iterable, non-array objects must have a [Symbol.iterator]() method.`)}function ur(e){return Hl(e)||jl(e)||Ro(e)||Vl()}function Wl(e,t){if(e==null)return{};var n={};f...
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/assets/graph-CE7RmeLj.jsView on unpkg · L317
dist/openclaw/session-registry.jsView file
52path: "/api/v1/agents/sessions", L53: body: { L54: provider: SESSION_PROVIDER, L55: agentLabel: process.env.FORGE_AGENT_LABEL?.trim() || DEFAULT_RUNTIME_AGENT_LABEL, L56: agentType: SESSION_PROVIDER,
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/openclaw/session-registry.jsView on unpkg · L52
dist/server/apps/api/src/health-weight-loss.jsView file
249if (!candidate) { L250: return Intl.DateTimeFormat().resolvedOptions().timeZone || "UTC"; L251: } ... L293: try { L294: const parsed = JSON.parse(value); L295: return parsed ?? fallback; ... L1981: async function searchOpenFoodFacts(query, limit) { L1982: const url = new URL("https://world.openfoodfacts.org/cgi/search.pl"); L1983: url.searchParams.set("search_terms", query); ... L1999: async function lookupOpenFoodFactsBarcode(barcode) { L2000: const response = await fetch(`https://world.openfoodfacts.org/api/v2/product/${encodeURIComponent(barcode)}.json`, { headers: { accept: "application/json" } }); L2001: if (!response.ok) {
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

dist/server/apps/api/src/health-weight-loss.jsView on unpkg · L249
dist/favicon.icoView file
path = dist/favicon.ico kind = high_entropy_blob sizeBytes = 12681 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dist/favicon.icoView on unpkg
dist/server/apps/api/src/services/macos-calendar-helper.jsView file
matchType = previous_version_dangerous_delta matchedPackage = forge-openclaw-plugin@0.3.24 matchedIdentity = npm:Zm9yZ2Utb3BlbmNsYXctcGx1Z2lu:0.3.24 similarity = 0.600 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/server/apps/api/src/services/macos-calendar-helper.jsView on unpkg

Findings

2 Critical4 High5 Medium6 Low
CriticalCredential Exfiltrationdist/server/apps/api/src/health-weight-loss.js
CriticalPrevious Version Dangerous Deltadist/server/apps/api/src/services/macos-calendar-helper.js
HighChild Processdist/openclaw/local-runtime.js
HighShelldist/server/apps/api/src/web.js
HighSame File Env Network Executiondist/openclaw/local-runtime.js
HighShips High Entropy Blobdist/favicon.ico
MediumDynamic Requiredist/assets/graph-CE7RmeLj.js
MediumNetwork
MediumEnvironment Vars
MediumProtestware
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptodist/openclaw/session-registry.js
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings