registry  /  openclaw-channel-gateway  /  1.1.2

openclaw-channel-gateway@1.1.2

OpenClaw IM channel gateway — bridge Telegram/Discord/WeChat/DingTalk/QQ to any OpenAI-compatible agent API

AI Security Review

scanned 7h ago · by lpm-firewall-ai

No confirmed malware or install-time attack behavior was found. The main unresolved risk is a user-invoked CLI command injection in plugin installation because the package name is interpolated into a shell command.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `ocg plugins install <pkg>` with attacker-controlled shell metacharacters in the package argument.
Impact
Potential arbitrary command execution in the current project when the vulnerable CLI command is invoked with malicious input.
Mechanism
shell command injection in user-invoked plugin install helper
Attack narrative
The package is an IM-to-agent gateway CLI. It does not execute on npm install and its network/file behavior matches the advertised gateway, config, callback, and login flows. However, the `plugins install` subcommand passes raw user input through `execSync` as a shell string, so a crafted package argument can execute extra shell commands when the user runs that command.
Rationale
Static inspection supports a serious user-invoked command injection vulnerability, but not malicious lifecycle behavior, credential exfiltration, persistence, or AI-agent control hijack. Warn rather than block because activation requires an explicit CLI subcommand and attacker-controlled argument.
Evidence
package.jsonbin/ocg.cjsdist/cli.jsdist/config.jsdist/plugin-loader.jsdist/shims/reply-dispatch-runtime.jsdist/callback-server.jsdist/auth/dingtalk-login.js~/.openclaw-channel-gateway/ocg.json~/.openclaw-channel-gateway/ocg-sessions.json~/.openclaw-channel-gateway/ocg.logs/*
Network endpoints2
oapi.dingtalk.com127.0.0.1:11434/v1/chat/completions

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Critical Vulnerability with low false-positive risk.
Evidence for warning
  • dist/cli.js cmdPluginsInstall uses execSync(`npm install ${pkg}`) with CLI package argument in a shell
  • dist/cli.js supports user-invoked detached background start via spawn(...,{detached:true})
  • dist/plugin-loader.js dynamically imports channel plugin entry modules discovered from node_modules
Evidence against
  • package.json has no consumer install/postinstall hook; prepublishOnly only runs build for publishing
  • bin/ocg.cjs only spawns this package's dist/loader.js and dist/cli.js on explicit ocg CLI use
  • Network calls are package-aligned: configured OpenAI-compatible agentUrl, local callback server, DingTalk login API
  • Config/session writes stay under ~/.openclaw-channel-gateway or OCG_CONFIG_PATH; no foreign AI-agent control surface writes found
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 16 file(s), 161 KB of source, external domains: 127.0.0.1, oapi.dingtalk.com

Source & flagged code

5 flagged · loading source
bin/ocg.cjsView file
11L12: const { spawn } = require("child_process"); L13: const path = require("path");
High
Child Process

Package source references child process execution.

bin/ocg.cjsView on unpkg · L11
11L12: const { spawn } = require("child_process"); L13: const path = require("path");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/ocg.cjsView on unpkg · L11
dist/cli.jsView file
matchType = previous_version_dangerous_delta matchedPackage = openclaw-channel-gateway@1.1.1 matchedIdentity = npm:[redacted]:1.1.1 similarity = 0.867 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/cli.jsView on unpkg
284const err = openSync(logPath, "a"); L285: const child = spawn(process.execPath, [...process.execArgv, process.argv[1], ...buildBackgroundStartArgs(args)], { L286: cwd: process.cwd(),
High
Shell

Package source references shell execution.

dist/cli.jsView on unpkg · L284
658try { L659: execSync(`npm install ${pkg}`, { cwd, stdio: "inherit" }); L660: console.log(`[ocg] ${pkg} installed.`);
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/cli.jsView on unpkg · L658

Findings

1 Critical3 High4 Medium4 Low
CriticalPrevious Version Dangerous Deltadist/cli.js
HighChild Processbin/ocg.cjs
HighShelldist/cli.js
HighRuntime Package Installdist/cli.js
MediumDynamic Requirebin/ocg.cjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowUrl Strings