registry  /  mlclaw  /  0.2.3

mlclaw@0.2.3

<p align="center"> <img src="https://raw.githubusercontent.com/osolmaz/mlclaw/main/assets/mlclaw.svg" alt="ML Claw" width="180"> </p>

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. Confirmed first-party agent-tooling setup in the deployed ML Claw workspace, plus deployment management that stores Hugging Face/OpenClaw secrets and controls Docker or Hugging Face Spaces. This is package-aligned but mutates an AI-agent workspace control surface.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
explicit mlclaw bootstrap/update/gateway commands or deployed entrypoint.sh runtime startup
Impact
Workspace agent instructions/skills are added; Hugging Face Space secrets/variables and local mlclaw config are managed for the deployment.
Mechanism
first-party agent skill/context seeding and deployment orchestration
Rationale
Source inspection does not support the scanner's malicious verdict because dangerous primitives are explicit, package-aligned deployment/runtime features and there are no npm install hooks. Per policy, first-party package-owned agent extension setup should warn rather than block.
Evidence
package.jsondist/mlclaw.mjsdist/hf-tooling-seed.jsdist/mlclaw-space-runtime.jsentrypoint.shscripts/report-telegram-probe.mjsworkspace/.agents/skillsworkspace/skillsworkspace/AGENTS.mdworkspace/.agents/.mlclaw-hf-tooling.json~/.config/mlclaw/deployments/<agent>.json~/.config/mlclaw/secrets/<agent>.env
Network endpoints4
huggingface.corouter.huggingface.co/v1api.telegram.orgghcr.io/osolmaz/mlclaw

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/hf-tooling-seed.js copies bundled skills into workspace .agents/skills and skills and writes AGENTS.md context.
  • entrypoint.sh runs hf-tooling-seed.js inside the deployed runtime workspace.
  • dist/mlclaw.mjs writes local deployment manifests and secret env files under the mlclaw config root.
  • dist/mlclaw.mjs user commands can set Hugging Face Space variables/secrets and run Docker containers.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks.
  • Risky behavior is behind explicit mlclaw CLI/deployed runtime actions, not npm install or import.
  • Network use is package-aligned: Hugging Face deployment/state APIs, Telegram getMe validation, Docker image pull.
  • No source evidence of credential exfiltration to unrelated endpoints, destructive behavior, remote payload execution, or stealth persistence.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 36 file(s), 1.43 MB of source, external domains: 127.0.0.1, api.telegram.org, github.com, huggingface.co, raw.githubusercontent.com, react.dev, router.huggingface.co, www.w3.org

Source & flagged code

8 flagged · loading source
dist/hf-state-sync.jsView file
4863// src/hf-state-sync/archive.ts L4864: import { execFile } from "node:child_process"; L4865: import { createHash } from "node:crypto";
High
Child Process

Package source references child process execution.

dist/hf-state-sync.jsView on unpkg · L4863
dist/mlclaw.mjsView file
47* Constructs the CommanderError class L48: * @param {number} exitCode suggested exit code which could be used with process.exit L49: * @param {string} code an id string representing the error ... L1203: var EventEmitter = __require("node:events").EventEmitter; L1204: var childProcess = __require("node:child_process"); L1205: var path15 = __require("node:path"); ... L1253: this._outputConfiguration = { L1254: writeOut: (str) => process5.stdout.write(str), L1255: writeErr: (str) => process5.stderr.write(str), ... L1295: * @returns {Command[]} L1296: * @private L1297: */
Critical
Command Output Exfiltration

Source executes local commands and sends command output to an external endpoint.

dist/mlclaw.mjsView on unpkg · L47
47Trigger-reachable chain: manifest.bin -> dist/mlclaw.mjs L47: * Constructs the CommanderError class L48: * @param {number} exitCode suggested exit code which could be used with process.exit L49: * @param {string} code an id string representing the error ... L1203: var EventEmitter = __require("node:events").EventEmitter; L1204: var childProcess = __require("node:child_process"); L1205: var path15 = __require("node:path"); ... L1253: this._outputConfiguration = { L1254: writeOut: (str) => process5.stdout.write(str), L1255: writeErr: (str) => process5.stderr.write(str), ... L1295: * @returns {Command[]} L1296: * @private L1297: */
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/mlclaw.mjsView on unpkg · L47
2056} L2057: const execArgv = process5.execArgv ?? []; L2058: if (execArgv.includes("-e") || execArgv.includes("--eval") || execArgv.includes("-p") || execArgv.includes("--print")) {
High
Shell

Package source references shell execution.

dist/mlclaw.mjsView on unpkg · L2056
47Cross-file remote execution chain: dist/mlclaw.mjs spawns dist/hf-state-sync.js; helper contains network access plus dynamic code execution. L47: * Constructs the CommanderError class L48: * @param {number} exitCode suggested exit code which could be used with process.exit L49: * @param {string} code an id string representing the error ... L1203: var EventEmitter = __require("node:events").EventEmitter; L1204: var childProcess = __require("node:child_process"); L1205: var path15 = __require("node:path"); ... L1253: this._outputConfiguration = { L1254: writeOut: (str) => process5.stdout.write(str), L1255: writeErr: (str) => process5.stderr.write(str), ... L1295: * @returns {Command[]} L1296: * @private L1297: */
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/mlclaw.mjsView on unpkg · L47
assets/hf-tooling/skills/huggingface-tool-builder/references/baseline_hf_api.tsxView file
39L40: const token = process.env.HF_TOKEN; L41: const headers: Record<string, string> = token ... L44: L45: const url = `https://huggingface.co/api/models?limit=${limit}`; L46: ... L54: L55: const text = await res.text(); L56: process.stdout.write(text); L57: })();
High
Credential Exfiltration

Source combines credential-like environment material and outbound requests; review data flow before blocking.

assets/hf-tooling/skills/huggingface-tool-builder/references/baseline_hf_api.tsxView on unpkg · L39
mlclaw.shView file
path = mlclaw.sh kind = build_helper sizeBytes = 3428 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

mlclaw.shView on unpkg
dist/mlclaw-space-runtime.jsView file
matchType = previous_version_dangerous_delta matchedPackage = mlclaw@0.2.1 matchedIdentity = npm:bWxjbGF3:0.2.1 similarity = 0.972 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/mlclaw-space-runtime.jsView on unpkg

Findings

3 Critical4 High4 Medium4 Low
CriticalCommand Output Exfiltrationdist/mlclaw.mjs
CriticalTrigger Reachable Dangerous Capabilitydist/mlclaw.mjs
CriticalPrevious Version Dangerous Deltadist/mlclaw-space-runtime.js
HighChild Processdist/hf-state-sync.js
HighShelldist/mlclaw.mjs
HighCredential Exfiltrationassets/hf-tooling/skills/huggingface-tool-builder/references/baseline_hf_api.tsx
HighCross File Remote Execution Contextdist/mlclaw.mjs
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helpermlclaw.sh
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings