registry  /  openclaw-openagent-cli  /  1.0.26

openclaw-openagent-cli@1.0.26

Lightweight installer for the OpenClaw OpenAgent channel plugin

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The user-invoked CLI provisions the first-party OpenClaw OpenAgent extension. It writes OpenClaw configuration, grants plugin-scoped hook/tool capabilities, registers with OASN, and may restart the gateway/open a claim URL. No unconsented npm install-time execution is present.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs the `openagent-cli`/`openclaw-openagent-cli` binary, especially `install`, `update`, or `reset`.
Impact
The installed OpenAgent plugin receives conversation/prompt hook access and remote-agent tool permission within the user's OpenClaw host.
Mechanism
First-party agent-extension installation, configuration, registration, and restart orchestration.
Rationale
This is a risky first-party agent-extension setup because it grants high-impact OpenClaw capabilities and writes host configuration. It is not malicious under the stated policy because activation requires an explicit CLI command and there is no install-time foreign/broad control-surface mutation or concrete malicious chain.
Evidence
package.jsoncli.mjslib/oasn-env-base.mjslib/post-restart-claim.mjslib/uninstall.mjs
Network endpoints1
oasn-test.haimawan.com/api/agents/register

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `cli.mjs` installs an OpenClaw plugin and writes its channel credentials/configuration.
  • `cli.mjs` enables this plugin's prompt-injection and conversation-access hooks.
  • `cli.mjs` allowlists `openagent_call_remote_agent` in host tool configuration.
  • `cli.mjs` registers an agent with the configured OASN API and stores the returned API key in host config.
  • `cli.mjs` schedules a detached post-restart worker that can open a claim URL.
Evidence against
  • `package.json` has no `preinstall`, `install`, or `postinstall` lifecycle hook.
  • All host mutations occur through explicit CLI install/update/reset commands, not package installation.
  • Network registration is package-aligned and defaults to the documented OASN host.
  • No credential harvesting, arbitrary remote payload execution, eval/vm use, or broad file collection found.
  • Uninstall logic includes ownership and hash checks before restoring or deleting UI artifacts.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 9 file(s), 148 KB of source, external domains: docs.openclaw.ai, oasn-test.haimawan.com, oasn.invalid, openclaw.ai

Source & flagged code

1 flagged · loading source
cli.mjsView file
matchType = previous_version_dangerous_delta matchedPackage = openclaw-openagent-cli@1.0.17 matchedIdentity = npm:b3BlbmNsYXctb3BlbmFnZW50LWNsaQ:1.0.17 similarity = 0.500 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

cli.mjsView on unpkg

Findings

1 High2 Medium4 Low
HighPrevious Version Dangerous Deltacli.mjs
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings