natureco-cli@5.21.0

A safer, faster, cheaper AI agent CLI than OpenClaw. Multi-agent, self-evolving skills, audit log, cost optimization, and NatureCo platform-native.

AI Security Review

scanned 15h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. Install-time code mutates the package-owned ~/.natureco namespace and runs the package doctor, creating audit/config data without explicit user action. This is agent platform lifecycle risk, but no confirmed foreign agent hijack, persistence, or exfiltration was established.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm install postinstall; later user-invoked CLI/tool commands
Impact
Unprompted home-directory state creation and audit logging; user-invoked tools can run shell/ADB and send configured notifications/SMS.
Mechanism
first-party AI agent setup plus user-invoked dangerous tools
Policy narrative
On installation, the package runs scripts/postinstall.js, creates first-party NatureCo directories under the user's home directory, and invokes natureco doctor, which performs local checks and writes an audit record. The package also ships broad agent tools for shell execution, ADB phone control, plugin installation, and configured API calls, but these are exposed as CLI/tool features rather than automatic exfiltration or foreign agent control-surface mutation.
Rationale
The source shows install-time first-party agent namespace mutation and broad user-invoked capabilities, so a warning is appropriate. I did not find concrete malicious behavior such as credential exfiltration, remote payload execution at install time, persistence outside the product namespace, or unconsented writes into foreign AI-agent surfaces.
Evidence
  • package.json
  • scripts/postinstall.js
  • bin/natureco.js
  • src/commands/doctor.js
  • src/utils/audit.js
  • src/tools/phone_control_enhanced.js
  • src/utils/plugin-registry.js
  • ~/.natureco/
  • ~/.natureco/memory/
  • ~/.natureco/soul/
  • ~/.natureco/sessions/
  • ~/.natureco/personal/
  • ~/.natureco/audit/audit-YYYY-MM-DD.jsonl
Network endpoints (5)
  • api.pushover.net/1/messages.json
  • ntfy.sh
  • api.twilio.com/2010-04-01/Accounts/
  • api.natureco.me/api/v1/user/me
  • api.natureco.me/api/v1/bots

Decision evidence

public snapshot
AI called this Suspicious at 83.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json runs postinstall: node scripts/postinstall.js
  • scripts/postinstall.js creates ~/.natureco/{memory,soul,sessions,personal} during install
  • scripts/postinstall.js executes bin/natureco.js doctor at install time
  • src/commands/doctor.js writes ~/.natureco/audit via audit.logSync and may create ~/.natureco data dirs
  • src/tools/phone_control_enhanced.js exposes ADB camera/SMS/contacts actions and push/SMS APIs when user-invoked
Evidence against
  • No lifecycle write to CLAUDE.md, .mcp.json, Cursor/Codex/Claude settings, shell startup, VCS hooks, or foreign agent surfaces found
  • Lifecycle network exfiltration not found; doctor only validates configured provider URL format
  • Credential-looking env use in phone_control_enhanced.js is for configured Pushover/ntfy/Twilio actions, not automatic harvesting
  • Runtime npm/git installs in plugin-registry.js are explicit plugin install/update paths and use --ignore-scripts for npm
  • Shell and ADB capabilities are CLI/agent tools, not import-time execution
Behavioral surface
Source
ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Filesystem, Network, Shell, WebSocket
Supply chain
HighEntropyStrings, Protestware, UrlStrings
Manifest
No manifest risk signals triggered.
scanned 278 file(s), 1.89 MB of source

Source & flagged code

10 flagged

package.json
    scripts.postinstall = node scripts/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
    scripts.postinstall = node scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

scripts/postinstall.js
    const { execSync } = require('child_process');
    const fs = require('fs');
High
Child Process

Package source references child process execution.

scripts/postinstall.js · L11

src/commands/policy.js
    const { execSync } = require('child_process');
    const output = execSync(`powershell -Command "Get-PSDrive -Name ${drive} | Select-Object -ExpandProperty Free"`, { encoding: 'utf-8' }).trim();
    const free = parseInt(output);
High
Shell

Package source references shell execution.

src/commands/policy.js · L90

bin/natureco.js
    const { Command } = require('commander');
    const chalk = require('chalk');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/natureco.js · L2

src/commands/gateway-server.js
    const os = require('os');
    const { spawn, execSync } = require('child_process');
    const pino = require('pino');
    ...
    const PID_FILE = path.join(os.homedir(), '.natureco', 'gateway.pid');
    const LOG_FILE = path.join(os.homedir(), '.natureco', 'gateway.log');
    ...
    // restart this would crash. Explicit.
    const https = require('https');
    // saveConfig (and the loaded `config` value, when not shadowed in scope)
    ...
    // Note: File writing removed - parent process redirects stdout/stderr to log file
    // This prevents duplicate log entries
Low
Weak Crypto

Package source references weak cryptographic algorithms.

src/commands/gateway-server.js · L4

src/tools/cron_create.js
    const os = require("os");
    const { execSync } = require("child_process");

    const CRON_FILE = path.join(os.homedir(), ".natureco", "crons.json");
    ...
    if (!fs.existsSync(CRON_FILE)) return [];
    return JSON.parse(fs.readFileSync(CRON_FILE, "utf8"));
    } catch { return []; }
    ...
    // Optional: also add to the real crontab (system cron)
    // This can be dangerous, we only provide information
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

src/tools/cron_create.js · L10

src/tools/voice_chat.js
    const path = require("path");
    const { spawn } = require("child_process");
    const https = require("https");
    ...
    return new Promise((resolve, reject) => {
      const apiKey = process.env.OPENAI_API_KEY || process.env.WHISPER_API_KEY;
      if (!apiKey) {
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

src/tools/voice_chat.js · L15

src/tools/phone_control_enhanced.js
    const { getConfig, saveConfig } = require('../utils/config');
    const { execSync } = require('child_process');
    ...
    if (service === 'pushover') {
      const token = config.pushoverToken || process.env.PUSHOVER_TOKEN;
      const user = config.pushoverUser || process.env.PUSHOVER_USER;
      if (!token || !user) return { success: false, error: 'Pushover token/user gerekli' };
      const r = await fetch('https://api.pushover.net/1/messages.json', {
        method: 'POST',
        headers: { 'Content-Type': 'application/json' },
        body: JSON.stringify({ token, user, title: params.title || 'NatureCo', message: params.message, priority: params.priority || 0 })
      });
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

src/tools/phone_control_enhanced.js · L1

src/utils/plugin-registry.js
    try {
      execSync(`npm install ${pkg} --prefix "${tmpDir}" --no-save --ignore-scripts --no-audit --no-fund`, { stdio: 'pipe', timeout: 120000 });
      const pkgDir = path.join(tmpDir, 'node_modules', pkg.split('/').pop());
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

src/utils/plugin-registry.js · L124

Findings

1 Critical · 5 High · 7 Medium · 6 Low
  • Critical · Credential Exfiltration · src/tools/phone_control_enhanced.js
  • High · Install Time Lifecycle Scripts · package.json
  • High · Child Process · scripts/postinstall.js
  • High · Shell · src/commands/policy.js
  • High · Same File Env Network Execution · src/tools/voice_chat.js
  • High · Runtime Package Install · src/utils/plugin-registry.js
  • Medium · Ambiguous Install Lifecycle Script · package.json
  • Medium · Dynamic Require · bin/natureco.js
  • Medium · Network
  • Medium · Environment Vars
  • Medium · Install Persistence · src/tools/cron_create.js
  • Medium · Protestware
  • Medium · Structural Risk Force Deep Review
  • Low · Non Install Lifecycle Scripts
  • Low · Scripts Present
  • Low · Weak Crypto · src/commands/gateway-server.js
  • Low · Filesystem
  • Low · High Entropy Strings
  • Low · Url Strings