registry  /  openvoiceui  /  2026.7.15

openvoiceui@2026.7.15

Voice-powered AI assistant platform — connect any LLM, any TTS, with a live web canvas, music generation, and agent orchestration

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. Explicit setup provisions and authorizes an OpenClaw device with operator-admin permissions. It also disables OpenClaw control-UI device authentication in the package-created deployment. No install-time execution or confirmed exfiltration was found.

Static reason
No blocking static signals were detected.
Trigger
User runs `openvoiceui setup` and then `openvoiceui start`.
Impact
A local OpenClaw gateway deployed by this package receives a pre-authorized operator identity with admin/read/write scopes.
Mechanism
First-party OpenClaw configuration, pre-pairing, and device-identity injection.
Rationale
This is not a publish-block case because the privileged agent configuration is user-command-triggered and package-scoped rather than an unconsented npm lifecycle mutation of a foreign agent surface. The configuration grants powerful local agent access, so it warrants a warning.
Evidence
package.jsoncli/index.jssetup-config.jsinject-device-identity.jsauto-approve-devices.jsdocker-compose.local.ymlopenclaw-data/openclaw.jsonopenclaw-data/agents/main/agent/auth-profiles.jsonopenclaw-data/pre-paired-device.jsonopenclaw-data/devices/paired.jsonopenclaw-data/devices/pending.json/root/.openclaw/app/runtime/uploads

Decision evidence

public snapshot
AI called this Suspicious at 94.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `setup-config.js` writes OpenClaw config with `dangerouslyDisableDeviceAuth: true`.
  • `setup-config.js` creates `pre-paired-device.json` and `devices/paired.json` with operator-admin scopes.
  • `cli/index.js` runs setup configuration and injects the pre-paired identity during explicit setup/start.
  • `docker-compose.local.yml` bind-mounts generated `openclaw-data` into `/root/.openclaw`.
  • `auto-approve-devices.js` contains code to grant pending devices operator-admin scopes, though no package path invokes it.
Evidence against
  • `package.json` has no `preinstall`, `install`, `postinstall`, or other lifecycle hook.
  • The privileged OpenClaw setup requires explicit `openvoiceui setup` and `openvoiceui start` commands.
  • Reviewed setup/device scripts show no outbound network request or credential exfiltration.
  • The elevated configuration is scoped to the package-created `openclaw-data` deployment, not existing host agent directories.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 60 file(s), 1.42 MB of source, external domains: bit.ly, br.cdn.dos.zone, cdn.jsdelivr.net, cloud.js-dos.com, d5dn8hh4ivlobv6682ep.apigw.yandexcloud.net, docs.docker.com, dos.zone, example.com, fb.me, js-dos.com, redux.js.org, soundcloud.com, storage.yandexcloud.net, v8.js-dos.com, w.soundcloud.com, www.bohemiancoding.com, www.w3.org

Source & flagged code

4 flagged · loading source
static/emulators/jsdos/js-dos.jsView file
20*/function qn(e){if("object"==typeof e&&null!==e){var t=e.$$typeof;switch(t){case An:switch(e=e.type){case Ln:case Bn:case zn:case Fn:case Un:return e;default:switch(e=e&&e.$$typeo... L21: /*! react-checkbox-tree - v1.8.0 | 2022 */self;const Wi=U(Vi.exports=(e=>(()=>{var t={4184:(e,t)=>{var n;!function(){var o={}.hasOwnProperty;function r(){for(var e=[],t=0;t<argumen... L22: //# sourceMappingURL=js-dos.js.map
Low
Eval

Package source references a known benign dynamic code generation pattern.

static/emulators/jsdos/js-dos.jsView on unpkg · L20
inject-device-identity.jsView file
14L15: const { execSync } = require("child_process"); L16: const fs = require("fs");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

inject-device-identity.jsView on unpkg · L14
server.pyView file
path = server.py kind = build_helper sizeBytes = 94725 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

server.pyView on unpkg
sounds/bruh.mp3View file
path = sounds/bruh.mp3 kind = high_entropy_blob sizeBytes = 14061 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

sounds/bruh.mp3View on unpkg

Findings

1 High5 Medium5 Low
HighShips High Entropy Blobsounds/bruh.mp3
MediumDynamic Requireinject-device-identity.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperserver.py
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvalstatic/emulators/jsdos/js-dos.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings