AI Security Review
scanned 3h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. The user-invoked CLI provisions the first-party OpenClaw OpenAgent extension. It writes OpenClaw configuration, grants plugin-scoped hook/tool capabilities, registers with OASN, and may restart the gateway/open a claim URL. No unconsented npm install-time execution is present.
Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs the `openagent-cli`/`openclaw-openagent-cli` binary, especially `install`, `update`, or `reset`.
Impact
The installed OpenAgent plugin receives conversation/prompt hook access and remote-agent tool permission within the user's OpenClaw host.
Mechanism
First-party agent-extension installation, configuration, registration, and restart orchestration.
Rationale
This is a risky first-party agent-extension setup because it grants high-impact OpenClaw capabilities and writes host configuration. It is not malicious under the stated policy because activation requires an explicit CLI command and there is no install-time foreign/broad control-surface mutation or concrete malicious chain.
Evidence
package.jsoncli.mjslib/oasn-env-base.mjslib/post-restart-claim.mjslib/uninstall.mjs
Network endpoints1
oasn-test.haimawan.com/api/agents/register
Decision evidence
public snapshotAI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `cli.mjs` installs an OpenClaw plugin and writes its channel credentials/configuration.
- `cli.mjs` enables this plugin's prompt-injection and conversation-access hooks.
- `cli.mjs` allowlists `openagent_call_remote_agent` in host tool configuration.
- `cli.mjs` registers an agent with the configured OASN API and stores the returned API key in host config.
- `cli.mjs` schedules a detached post-restart worker that can open a claim URL.
Evidence against
- `package.json` has no `preinstall`, `install`, or `postinstall` lifecycle hook.
- All host mutations occur through explicit CLI install/update/reset commands, not package installation.
- Network registration is package-aligned and defaults to the documented OASN host.
- No credential harvesting, arbitrary remote payload execution, eval/vm use, or broad file collection found.
- Uninstall logic includes ownership and hash checks before restoring or deleting UI artifacts.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
1 flagged · loading sourcecli.mjsView file
•matchType = previous_version_dangerous_delta
matchedPackage = openclaw-openagent-cli@1.0.17
matchedIdentity = npm:b3BlbmNsYXctb3BlbmFnZW50LWNsaQ:1.0.17
similarity = 0.500
summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
cli.mjsView on unpkgFindings
1 High2 Medium4 Low
HighPrevious Version Dangerous Deltacli.mjs
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings