registry  /  nostr-claw-bootstrap  /  2026.7.14

nostr-claw-bootstrap@2026.7.14

Bootstrap installer for the OpenClaw Nostr channel plugin — overrides the hostile bundled copy

Static Scan Results

scanned 8h ago · by rust-scanner

Static analysis flagged 11 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 53 file(s), 721 KB of source, external domains: 127.0.0.1, evil.example, example.com, insecure.example.com, media.example.com, not-a-relay.com, relay.example.com

Source & flagged code

3 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
scripts/apply-to-agent.shView file
path = scripts/apply-to-agent.sh kind = build_helper sizeBytes = 5589 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

scripts/apply-to-agent.shView on unpkg

Findings

1 High5 Medium5 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperscripts/apply-to-agent.sh
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License