registry  /  mlclaw  /  0.2.1

mlclaw@0.2.1

<p align="center"> <img src="https://raw.githubusercontent.com/osolmaz/mlclaw/main/assets/mlclaw.svg" alt="ML Claw" width="180"> </p>

AI Security Review

scanned 5h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The package is a deployment CLI that can provision Hugging Face Spaces/buckets, run Docker containers, and seed agent skills into an OpenClaw workspace. This is a guarded first-party agent extension lifecycle risk, not confirmed malware.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs mlclaw bootstrap/gateway/state/update/doctor or entrypoint runs inside the deployed runtime.
Impact
Can create/update Hugging Face resources, store deployment secrets, run Docker, and write managed agent-skill/context files in the OpenClaw workspace.
Mechanism
user-invoked deployment automation and workspace skill seeding
Rationale
Source inspection shows powerful deployment and agent-extension behavior, but it is user-invoked/package-aligned and there are no npm lifecycle hooks, unrelated exfiltration endpoints, stealth persistence, or destructive behavior. Per policy this fits a warning for first-party agent extension lifecycle risk rather than a publish block.
Evidence
package.jsondist/mlclaw.mjsdist/hf-tooling-seed.jsentrypoint.shmlclaw.shmlclaw.ps1assets/hf-tooling/skills/huggingface-tool-builder/references/baseline_hf_api.tsx.agents/skills/mlclaw/SKILL.md~/.config/mlclaw/deployments/<agent>.json~/.config/mlclaw/secrets/<agent>.env<workspace>/.agents/skills/<workspace>/skills/<workspace>/AGENTS.md<workspace>/.agents/.mlclaw-hf-tooling.json
Network endpoints5
huggingface.corouter.huggingface.co/v1api.telegram.orgnodejs.org/dist/ghcr.io/osolmaz/mlclaw

Decision evidence

public snapshot
AI called this Suspicious at 84.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/hf-tooling-seed.js copies bundled Hugging Face skills into workspace .agents/skills and skills and updates AGENTS.md.
  • dist/mlclaw.mjs supports explicit --skill install via bundled skillflag installer for agent skill installation.
  • dist/mlclaw.mjs reads HF_TOKEN or local Hugging Face token files and writes deployment secrets locally and to Hugging Face Space secrets during bootstrap.
  • dist/mlclaw.mjs can run Docker commands and print local/Space logs, but only through user-invoked gateway commands.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks; bin is user-invoked dist/mlclaw.mjs.
  • Network use is aligned with deployment: huggingface.co APIs, hf.space, router.huggingface.co, api.telegram.org, nodejs.org bootstrap helper, and ghcr.io runtime image.
  • No evidence of import-time execution beyond CLI main guard; privileged actions are command-gated and often prompt/require --yes.
  • HF token is used for creating/updating user Hugging Face resources and Space secrets, not sent to an unrelated endpoint in inspected source.
  • assets/hf-tooling reference sample uses HF_TOKEN only as Authorization to huggingface.co API.
  • Agent skill writes are first-party/package-owned setup inside the managed OpenClaw workspace or explicit --skill install, not npm lifecycle mutation of a foreign broad control surface.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 36 file(s), 1.43 MB of source, external domains: 127.0.0.1, api.telegram.org, github.com, huggingface.co, raw.githubusercontent.com, react.dev, router.huggingface.co, www.w3.org

Source & flagged code

7 flagged · loading source
dist/hf-state-sync.jsView file
4863// src/hf-state-sync/archive.ts L4864: import { execFile } from "node:child_process"; L4865: import { createHash } from "node:crypto";
High
Child Process

Package source references child process execution.

dist/hf-state-sync.jsView on unpkg · L4863
dist/mlclaw.mjsView file
47* Constructs the CommanderError class L48: * @param {number} exitCode suggested exit code which could be used with process.exit L49: * @param {string} code an id string representing the error ... L1203: var EventEmitter = __require("node:events").EventEmitter; L1204: var childProcess = __require("node:child_process"); L1205: var path15 = __require("node:path"); ... L1253: this._outputConfiguration = { L1254: writeOut: (str) => process5.stdout.write(str), L1255: writeErr: (str) => process5.stderr.write(str), ... L1295: * @returns {Command[]} L1296: * @private L1297: */
Critical
Command Output Exfiltration

Source executes local commands and sends command output to an external endpoint.

dist/mlclaw.mjsView on unpkg · L47
47Trigger-reachable chain: manifest.bin -> dist/mlclaw.mjs L47: * Constructs the CommanderError class L48: * @param {number} exitCode suggested exit code which could be used with process.exit L49: * @param {string} code an id string representing the error ... L1203: var EventEmitter = __require("node:events").EventEmitter; L1204: var childProcess = __require("node:child_process"); L1205: var path15 = __require("node:path"); ... L1253: this._outputConfiguration = { L1254: writeOut: (str) => process5.stdout.write(str), L1255: writeErr: (str) => process5.stderr.write(str), ... L1295: * @returns {Command[]} L1296: * @private L1297: */
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/mlclaw.mjsView on unpkg · L47
2056} L2057: const execArgv = process5.execArgv ?? []; L2058: if (execArgv.includes("-e") || execArgv.includes("--eval") || execArgv.includes("-p") || execArgv.includes("--print")) {
High
Shell

Package source references shell execution.

dist/mlclaw.mjsView on unpkg · L2056
47Cross-file remote execution chain: dist/mlclaw.mjs spawns dist/hf-state-sync.js; helper contains network access plus dynamic code execution. L47: * Constructs the CommanderError class L48: * @param {number} exitCode suggested exit code which could be used with process.exit L49: * @param {string} code an id string representing the error ... L1203: var EventEmitter = __require("node:events").EventEmitter; L1204: var childProcess = __require("node:child_process"); L1205: var path15 = __require("node:path"); ... L1253: this._outputConfiguration = { L1254: writeOut: (str) => process5.stdout.write(str), L1255: writeErr: (str) => process5.stderr.write(str), ... L1295: * @returns {Command[]} L1296: * @private L1297: */
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/mlclaw.mjsView on unpkg · L47
assets/hf-tooling/skills/huggingface-tool-builder/references/baseline_hf_api.tsxView file
39L40: const token = process.env.HF_TOKEN; L41: const headers: Record<string, string> = token ... L44: L45: const url = `https://huggingface.co/api/models?limit=${limit}`; L46: ... L54: L55: const text = await res.text(); L56: process.stdout.write(text); L57: })();
High
Credential Exfiltration

Source combines credential-like environment material and outbound requests; review data flow before blocking.

assets/hf-tooling/skills/huggingface-tool-builder/references/baseline_hf_api.tsxView on unpkg · L39
mlclaw.shView file
path = mlclaw.sh kind = build_helper sizeBytes = 3428 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

mlclaw.shView on unpkg

Findings

2 Critical4 High4 Medium4 Low
CriticalCommand Output Exfiltrationdist/mlclaw.mjs
CriticalTrigger Reachable Dangerous Capabilitydist/mlclaw.mjs
HighChild Processdist/hf-state-sync.js
HighShelldist/mlclaw.mjs
HighCredential Exfiltrationassets/hf-tooling/skills/huggingface-tool-builder/references/baseline_hf_api.tsx
HighCross File Remote Execution Contextdist/mlclaw.mjs
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helpermlclaw.sh
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings