registry  /  nextclaw  /  0.24.0

nextclaw@0.24.0

Powerful AI assistant for coordinating agents, skills, CLI tools, automations, and messaging apps.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

The optional WhatsApp bridge starts an unauthenticated WebSocket command listener. Any client able to reach that listener can request outbound WhatsApp messages after the account is linked.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User explicitly builds and starts the nested bridge service.
Impact
Unauthorized parties on a reachable listener could send messages through the linked WhatsApp account.
Mechanism
Unauthenticated WebSocket-to-WhatsApp message relay.
Rationale
No malicious install-time or covert behavior was confirmed. The unauthenticated messaging bridge is nevertheless a concrete security risk that warrants a warning.
Evidence
package.jsonbridge/package.jsonbridge/src/index.tsbridge/src/server.tsbridge/src/whatsapp.tsdist/cli/launcher/index.jsui-dist/assets/aiden0z-pptx-renderer.es-D87ywFdC.js
Network endpoints1
ws://localhost:3001

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Critical Vulnerability with low false-positive risk.
Evidence for warning
  • bridge/src/server.ts opens a WebSocket server with no host or authentication.
  • bridge/src/server.ts parses each client message and forwards type:"send" to WhatsApp.
  • bridge/src/whatsapp.ts sends caller-supplied recipient and text through the linked WhatsApp account.
Evidence against
  • package.json has no preinstall/install/postinstall/prepare lifecycle hook.
  • Root CLI launcher only initializes the package runtime from process.argv.
  • Bridge execution is explicit via bridge/package.json start, not install- or import-time.
  • No source reads foreign AI-agent configs or performs credential exfiltration.
  • Flagged UI asset contains a normal dynamic PDF-module import; no bidi control was confirmed by direct scan.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareUrlStrings
ManifestNo manifest risk signals triggered.
scanned 182 file(s), 6.81 MB of source, external domains: 127.0.0.1, api.example.com, api.minimax.io, api.minimaxi.com, chevrotain.io, docs.nextclaw.io, en.wikipedia.org, github.com, langium.org, open.bocha.cn, open.feishu.cn, open.larksuite.com, radix-ui.com, reactjs.org, rolldown.rs, schemas.microsoft.com, schemas.openxmlformats.org, skillhub.cn, stuk.github.io, www.w3.org

Source & flagged code

2 flagged · loading source
ui-dist/assets/aiden0z-pptx-renderer.es-D87ywFdC.jsView file
23contains invisible/control Unicode U+200B (zero width space) `){let e=u.endParaRPr.numAttr(`sz`);if(e!==void 0){let t=document.createElement(`span`);t.textContent=`<U+200B>`,t.style.fontSize=`${e/100*o}pt`,(k??m).appendChild(t)}}r.appendChild(m)}}function LH(e){let t=0,n=0;for(let r of e.allChildren(
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

ui-dist/assets/aiden0z-pptx-renderer.es-D87ywFdC.jsView on unpkg · L23
36if (!pdfjsLib) { L37: pdfjsLib = await import(pdfjsUrl); L38: pdfjsLib.GlobalWorkerOptions.workerSrc = pdfWorkerUrl;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

ui-dist/assets/aiden0z-pptx-renderer.es-D87ywFdC.jsView on unpkg · L36

Findings

1 Critical5 Medium5 Low
CriticalTrojan Source Unicodeui-dist/assets/aiden0z-pptx-renderer.es-D87ywFdC.js
MediumDynamic Requireui-dist/assets/aiden0z-pptx-renderer.es-D87ywFdC.js
MediumNetwork
MediumEnvironment Vars
MediumProtestware
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings