registry  /  openclaw-code-agent  /  4.7.4

openclaw-code-agent@4.7.4

An OpenClaw plugin that orchestrates coding agent sessions as managed background processes. Launch, monitor, and control coding agents (Claude Code, Codex, experimental OpenCode, and more) directly from your AI gateway.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No concrete malicious or install-time attack chain is established. The package is an OpenClaw extension that can launch local coding agents and perform Git worktree/merge actions when invoked by the host.

Static reason
One or more suspicious static signals were detected.
Trigger
OpenClaw loads the extension and an operator or chat workflow invokes its agent/session tools.
Impact
Configured coding agents may modify selected repositories and create/merge worktree changes; this is a powerful intended capability.
Mechanism
First-party AI-agent orchestration with local process, Git, state-file, and loopback OpenCode control.
Rationale
Source supports a powerful first-party OpenClaw coding-agent extension rather than malware. Warn because it exposes high-impact local agent and repository automation, not because of a confirmed malicious chain.
Evidence
package.jsonopenclaw.plugin.jsondist/index.jsREADME.mdskills/code-agent-orchestration/SKILL.md~/.openclaw/code-agent-sessions.json~/.openclaw/plugin-state/openclaw-code-agent<repoRoot>/.worktrees
Network endpoints2
registry.npmjs.org/openclaw-code-agent/latest127.0.0.1:${port}

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `package.json` declares an OpenClaw extension loading `./dist/index.js`.
  • `dist/index.js` launches configured Codex, Claude, and OpenCode coding-agent processes and runs Git follow-through.
  • `dist/index.js` supports `bypassPermissions` for conflict-resolution sessions.
  • `dist/index.js` persists session and plugin state under the package-owned OpenClaw state paths.
Evidence against
  • `package.json` has no `preinstall`, `install`, or `postinstall` hook.
  • Only confirmed outbound fetch is a version check to `registry.npmjs.org`.
  • OpenCode authentication is sent only to a spawned loopback server at `127.0.0.1`.
  • No eval/vm/dynamic loader, native payload, credential harvesting, or non-local exfiltration path was found.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 524 KB of source, external domains: 127.0.0.1, github.com, registry.npmjs.org

Source & flagged code

4 flagged · loading source
dist/index.jsView file
5`)}}function rm(t,e,n){let r=Kt(n),o=r.length>0?0:void 0,i=o!=null?r[o]:void 0,s=i?.options.map(d=>d.label)??[],a=i?je(i,o,r.length):ur(r);return{requestId:`${t||"claude"}-ask-${e}... L6: ${S.text}`:S.text,n.enqueue(St(S.text));continue}S.type==="tool_use"&&((S.name==="ExitPlanMode"||S.name==="set_permission_mode")&&(i=!0),S.name!=="AskUserQuestion"&&n.enqueue(cr(S.... L7: `)}async handleLine(e){let n=am(e);n&&await dm(n,{pending:this.pending,onNotification:this.onNotification,onRequest:this.onRequest,respond:r=>this.write(r)})}flushPending(e){this.p...
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L5
5`)}}function rm(t,e,n){let r=Kt(n),o=r.length>0?0:void 0,i=o!=null?r[o]:void 0,s=i?.options.map(d=>d.label)??[],a=i?je(i,o,r.length):ur(r);return{requestId:`${t||"claude"}-ask-${e}... L6: ${S.text}`:S.text,n.enqueue(St(S.text));continue}S.type==="tool_use"&&((S.name==="ExitPlanMode"||S.name==="set_permission_mode")&&(i=!0),S.name!=="AskUserQuestion"&&n.enqueue(cr(S.... L7: `)}async handleLine(e){let n=am(e);n&&await dm(n,{pending:this.pending,onNotification:this.onNotification,onRequest:this.onRequest,respond:r=>this.write(r)})}flushPending(e){this.p... L8: `).trim();return`${m()}${S?` Output:
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/index.jsView on unpkg · L5
3`)}function je(t,e,n){return za(t,e,n).join(` L4: `)}var Pn=J(()=>{});function Vt(t){return{type:"backend_ref",ref:t}}function jt(t){return{type:"run_started",...t?{runId:t}:{}}}function St(t){return{type:"text_delta",text:t}}func... L5: `)}}function rm(t,e,n){let r=Kt(n),o=r.length>0?0:void 0,i=o!=null?r[o]:void 0,s=i?.options.map(d=>d.label)??[],a=i?je(i,o,r.length):ur(r);return{requestId:`${t||"claude"}-ask-${e}... L6: ${S.text}`:S.text,n.enqueue(St(S.text));continue}S.type==="tool_use"&&((S.name==="ExitPlanMode"||S.name==="set_permission_mode")&&(i=!0),S.name!=="AskUserQuestion"&&n.enqueue(cr(S.... L7: `)}async handleLine(e){let n=am(e);n&&await dm(n,{pending:this.pending,onNotification:this.onNotification,onRequest:this.onRequest,respond:r=>this.write(r)})}flushPending(e){this.p... L8: `).trim();return`${m()}${S?` Output:
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/index.jsView on unpkg · L3
1var Yc=Object.defineProperty;var J=(t,e,n)=>()=>{if(n)throw n[0];try{return t&&(e=t(t=0)),e}catch(r){throw n=[r],r}};var Zc=(t,e)=>{for(var n in e)Yc(t,n,{get:e[n],enumerable:!0})}... L2: `)}var fp,Pp,ke=J(()=>{fp=new Set(["telegram","discord","slack","system","mattermost","feishu","line","whatsapp","signal","matrix","googlechat","bluebubbles","imessage","msteams"])... L3: `)}function je(t,e,n){return za(t,e,n).join(` L4: `)}var Pn=J(()=>{});function Vt(t){return{type:"backend_ref",ref:t}}function jt(t){return{type:"run_started",...t?{runId:t}:{}}}function St(t){return{type:"text_delta",text:t}}func... L5: `)}}function rm(t,e,n){let r=Kt(n),o=r.length>0?0:void 0,i=o!=null?r[o]:void 0,s=i?.options.map(d=>d.label)??[],a=i?je(i,o,r.length):ur(r);return{requestId:`${t||"claude"}-ask-${e}... L6: ${S.text}`:S.text,n.enqueue(St(S.text));continue}S.type==="tool_use"&&((S.name==="ExitPlanMode"||S.name==="set_permission_mode")&&(i=!0),S.name!=="AskUserQuestion"&&n.enqueue(cr(S.... L7: `)}async handleLine(e){let n=am(e);n&&await dm(n,{pending:this.pending,onNotification:this.onNotification,onRequest:this.onRequest,respond:r=>this.write(r)})}flushPending(e){this.p... L8: `).trim();return`$
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/index.jsView on unpkg · L1

Findings

3 High2 Medium5 Low
HighChild Processdist/index.js
HighSame File Env Network Executiondist/index.js
HighCommand Output Exfiltrationdist/index.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowWeak Cryptodist/index.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings