registry  /  mlclaw  /  0.3.0

mlclaw@0.3.0

<p align="center"> <img src="https://raw.githubusercontent.com/osolmaz/mlclaw/main/assets/mlclaw.svg" alt="ML Claw" width="180"> </p>

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
User runs the `mlclaw` CLI or starts the supplied container runtime.
Impact
Can create persistent local gateway containers and modify the package-managed OpenClaw runtime configuration.
Mechanism
User-directed OpenClaw deployment, Docker management, and integration configuration.
Rationale
Scanner findings reflect a powerful deployment tool rather than confirmed malicious behavior. Flag as warn because explicit use provisions and configures an AI-agent control surface with persistent Docker runtime behavior.
Evidence
package.jsondist/mlclaw.mjsdist/mlclaw-space-runtime.jsentrypoint.shscripts/configure-huggingface-model.mjsscripts/configure-telegram.mjs
Network endpoints3
huggingface.corouter.huggingface.co/v1api.telegram.org

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/mlclaw.mjs` runs Docker lifecycle commands, including persistent `--restart unless-stopped`, after explicit CLI actions.
  • `entrypoint.sh` and `dist/mlclaw-space-runtime.js` create/configure an OpenClaw runtime and integration endpoints.
  • `scripts/configure-telegram.mjs` and `scripts/configure-huggingface-model.mjs` write OpenClaw configuration from supplied environment values.
Evidence against
  • `package.json` has no `preinstall`, `install`, or `postinstall` hook.
  • The executable is an explicit `mlclaw` CLI, not import-time code.
  • Docker commands use `execFile` with fixed command arguments rather than shell interpolation.
  • Token handling in `dist/mlclaw.mjs` is for Hugging Face deployment authentication; no source-confirmed exfiltration path was found.
  • `entrypoint.sh` unsets broad Hub tokens before launching the unprivileged OpenClaw process.
  • No `eval`, `Function`, VM execution, or dynamic untrusted module loading was found in reviewed artifacts.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 38 file(s), 1.56 MB of source, external domains: 127.0.0.1, api.telegram.org, evalstate-research-agent-two.hf.space, github.com, huggingface.co, raw.githubusercontent.com, react.dev, router.huggingface.co, www.w3.org

Source & flagged code

8 flagged · loading source
dist/hf-state-sync.jsView file
4946// src/hf-state-sync/archive.ts L4947: import { execFile } from "node:child_process"; L4948: import { createHash } from "node:crypto";
High
Child Process

Package source references child process execution.

dist/hf-state-sync.jsView on unpkg · L4946
dist/mlclaw.mjsView file
47* Constructs the CommanderError class L48: * @param {number} exitCode suggested exit code which could be used with process.exit L49: * @param {string} code an id string representing the error ... L1203: var EventEmitter = __require("node:events").EventEmitter; L1204: var childProcess = __require("node:child_process"); L1205: var path15 = __require("node:path"); ... L1253: this._outputConfiguration = { L1254: writeOut: (str) => process5.stdout.write(str), L1255: writeErr: (str) => process5.stderr.write(str), ... L1295: * @returns {Command[]} L1296: * @private L1297: */
Critical
Command Output Exfiltration

Source executes local commands and sends command output to an external endpoint.

dist/mlclaw.mjsView on unpkg · L47
47Trigger-reachable chain: manifest.bin -> dist/mlclaw.mjs L47: * Constructs the CommanderError class L48: * @param {number} exitCode suggested exit code which could be used with process.exit L49: * @param {string} code an id string representing the error ... L1203: var EventEmitter = __require("node:events").EventEmitter; L1204: var childProcess = __require("node:child_process"); L1205: var path15 = __require("node:path"); ... L1253: this._outputConfiguration = { L1254: writeOut: (str) => process5.stdout.write(str), L1255: writeErr: (str) => process5.stderr.write(str), ... L1295: * @returns {Command[]} L1296: * @private L1297: */
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/mlclaw.mjsView on unpkg · L47
2056} L2057: const execArgv = process5.execArgv ?? []; L2058: if (execArgv.includes("-e") || execArgv.includes("--eval") || execArgv.includes("-p") || execArgv.includes("--print")) {
High
Shell

Package source references shell execution.

dist/mlclaw.mjsView on unpkg · L2056
47Cross-file remote execution chain: dist/mlclaw.mjs spawns dist/hf-state-sync.js; helper contains network access plus dynamic code execution. L47: * Constructs the CommanderError class L48: * @param {number} exitCode suggested exit code which could be used with process.exit L49: * @param {string} code an id string representing the error ... L1203: var EventEmitter = __require("node:events").EventEmitter; L1204: var childProcess = __require("node:child_process"); L1205: var path15 = __require("node:path"); ... L1253: this._outputConfiguration = { L1254: writeOut: (str) => process5.stdout.write(str), L1255: writeErr: (str) => process5.stderr.write(str), ... L1295: * @returns {Command[]} L1296: * @private L1297: */
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/mlclaw.mjsView on unpkg · L47
assets/hf-tooling/skills/huggingface-tool-builder/references/baseline_hf_api.tsxView file
39L40: const token = process.env.HF_TOKEN; L41: const headers: Record<string, string> = token ... L44: L45: const url = `https://huggingface.co/api/models?limit=${limit}`; L46: ... L54: L55: const text = await res.text(); L56: process.stdout.write(text); L57: })();
High
Credential Exfiltration

Source combines credential-like environment material and outbound requests; review data flow before blocking.

assets/hf-tooling/skills/huggingface-tool-builder/references/baseline_hf_api.tsxView on unpkg · L39
mlclaw.shView file
path = mlclaw.sh kind = build_helper sizeBytes = 3428 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

mlclaw.shView on unpkg
dist/mlclaw-space-runtime.jsView file
matchType = previous_version_dangerous_delta matchedPackage = mlclaw@0.2.3 matchedIdentity = npm:bWxjbGF3:0.2.3 similarity = 0.750 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/mlclaw-space-runtime.jsView on unpkg

Findings

3 Critical4 High4 Medium4 Low
CriticalCommand Output Exfiltrationdist/mlclaw.mjs
CriticalTrigger Reachable Dangerous Capabilitydist/mlclaw.mjs
CriticalPrevious Version Dangerous Deltadist/mlclaw-space-runtime.js
HighChild Processdist/hf-state-sync.js
HighShelldist/mlclaw.mjs
HighCredential Exfiltrationassets/hf-tooling/skills/huggingface-tool-builder/references/baseline_hf_api.tsx
HighCross File Remote Execution Contextdist/mlclaw.mjs
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helpermlclaw.sh
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings