openclaw-channel-gateway@1.1.4

OpenClaw IM channel gateway — bridge Telegram/Discord/WeChat/DingTalk/QQ to any OpenAI-compatible agent API

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected; previous stored version diff introduced dangerous source.
Trigger
User runs ocg chat/start with ACP configuration or uses ocg plugins install/upgrade.
Impact
An agent backend or CLI-supplied plugin package could perform broad actions under the user's account when explicitly invoked.
Mechanism
user-invoked agent subprocess and package-manager execution
Rationale
Static inspection supports a warning for dangerous explicit agent capability and shell/package-manager commands, but not malicious install-time behavior or covert exfiltration. The risky behavior is package-aligned for an IM-to-agent gateway and requires user invocation/configuration.
Evidence
  • package.json
  • bin/ocg.cjs
  • dist/cli.js
  • dist/acp-agent.js
  • dist/config.js
  • dist/shims/reply-dispatch-runtime.js
  • dist/callback-server.js
  • dist/auth/dingtalk-login.js
  • ~/.openclaw-channel-gateway/ocg.json
  • ~/.openclaw-channel-gateway/workspace
  • ~/.openclaw-channel-gateway/ocg.logs
  • ~/.openclaw-channel-gateway/ocg-sessions.json
Network endpoints (2)
  • 127.0.0.1:11434/v1/chat/completions
  • oapi.dingtalk.com

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/acp-agent.js starts user-configured/default ACP subprocess and auto-answers permission requests with allow.
  • dist/acp-agent.js sends Codex app-server turns with approvalPolicy never and sandbox dangerFullAccess.
  • dist/cli.js exposes user-invoked upgrade/plugins install commands that run package managers.
  • dist/cli.js plugins install uses execSync with interpolated package name from CLI input.
Evidence against
  • package.json has no preinstall/install/postinstall hook; only prepublishOnly build.
  • bin/ocg.cjs only spawns Node with package loader/CLI on explicit bin invocation.
  • HTTP fetches in shims target configured agentUrl or localhost default for gateway function.
  • Config writes are to ~/.openclaw-channel-gateway or OCG_CONFIG_PATH and occur via explicit CLI/config flows.
  • No evidence of credential harvesting, stealth persistence, destructive actions, or hardcoded exfiltration endpoint.
Behavioral surface
Source
ChildProcess · Crypto · DynamicRequire · EnvironmentVars · Filesystem · Network · Shell
Supply chain
UrlStrings
Manifest
No manifest risk signals triggered.
scanned 17 file(s), 198 KB of source, external domains: 127.0.0.1, oapi.dingtalk.com

Source & flagged code

5 flagged
bin/ocg.cjs
L11:
L12: const { spawn } = require("child_process");
L13: const path = require("path");
High
Child Process

Package source references child process execution.

bin/ocg.cjs · L11
L11:
L12: const { spawn } = require("child_process");
L13: const path = require("path");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/ocg.cjs · L11
dist/cli.js
L297: const err = openSync(logPath, "a");
L298: const child = spawn(process.execPath, [...process.execArgv, process.argv[1], ...buildBackgroundStartArgs(args)], {
L299: cwd: process.cwd(),
High
Shell

Package source references shell execution.

dist/cli.js · L297
L807: try {
L808: execSync(`npm install ${pkg}`, { cwd, stdio: "inherit" });
L809: console.log(`[ocg] ${pkg} installed.`);
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/cli.js · L807
dist/acp-agent.js
matchType = previous_version_dangerous_delta
matchedPackage = openclaw-channel-gateway@1.1.2
matchedIdentity = npm:[redacted]:1.1.2
similarity = 0.563
summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/acp-agent.js

Findings

1 Critical · 3 High · 4 Medium · 4 Low
Critical · Previous Version Dangerous Delta · dist/acp-agent.js
High · Child Process · bin/ocg.cjs
High · Shell · dist/cli.js
High · Runtime Package Install · dist/cli.js
Medium · Dynamic Require · bin/ocg.cjs
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Filesystem
Low · Url Strings