AI Security Review
scanned 5h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. The package is a deployment CLI that can provision Hugging Face Spaces/buckets, run Docker containers, and seed agent skills into an OpenClaw workspace. This is a guarded first-party agent extension lifecycle risk, not confirmed malware.
Decision evidence
public snapshot- dist/hf-tooling-seed.js copies bundled Hugging Face skills into workspace .agents/skills and skills and updates AGENTS.md.
- dist/mlclaw.mjs supports explicit --skill install via bundled skillflag installer for agent skill installation.
- dist/mlclaw.mjs reads HF_TOKEN or local Hugging Face token files and writes deployment secrets locally and to Hugging Face Space secrets during bootstrap.
- dist/mlclaw.mjs can run Docker commands and print local/Space logs, but only through user-invoked gateway commands.
- package.json has no preinstall/install/postinstall lifecycle hooks; bin is user-invoked dist/mlclaw.mjs.
- Network use is aligned with deployment: huggingface.co APIs, hf.space, router.huggingface.co, api.telegram.org, nodejs.org bootstrap helper, and ghcr.io runtime image.
- No evidence of import-time execution beyond CLI main guard; privileged actions are command-gated and often prompt/require --yes.
- HF token is used for creating/updating user Hugging Face resources and Space secrets, not sent to an unrelated endpoint in inspected source.
- assets/hf-tooling reference sample uses HF_TOKEN only as Authorization to huggingface.co API.
- Agent skill writes are first-party/package-owned setup inside the managed OpenClaw workspace or explicit --skill install, not npm lifecycle mutation of a foreign broad control surface.
Source & flagged code
7 flagged · loading sourcePackage source references child process execution.
dist/hf-state-sync.jsView on unpkg · L4863Source executes local commands and sends command output to an external endpoint.
dist/mlclaw.mjsView on unpkg · L47A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/mlclaw.mjsView on unpkg · L47Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.
dist/mlclaw.mjsView on unpkg · L47Source combines credential-like environment material and outbound requests; review data flow before blocking.
assets/hf-tooling/skills/huggingface-tool-builder/references/baseline_hf_api.tsxView on unpkg · L39