registry  /  switchroom  /  0.16.29

switchroom@0.16.29

Run Claude Code 24/7 on your Claude Pro/Max subscription over Telegram. Open-source alternative to OpenClaw and NanoClaw — no API keys.

AI Security Review

scanned 3d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. Risky primitives are core to a self-hosted Claude/Telegram orchestration CLI and are activated by explicit user runtime commands, not package installation.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User invokes switchroom CLI or runs the Telegram/plugin services.
Impact
No unconsented credential harvesting, exfiltration, persistence, or payload execution confirmed by source inspection.
Mechanism
user-invoked orchestration, vault, agent, Docker/tmux, and Telegram integration commands
Rationale
Static inspection shows a large but coherent self-hosted agent orchestration package with explicit CLI/service behavior; scanner alerts correspond to bundled dependencies, vault encryption, safe argv child_process use, tests, or package-aligned integrations. No install-time execution, hidden payload, credential exfiltration, or unconsented AI-agent control-surface mutation was confirmed.
Evidence
package.jsonbin/switchroom.tsdist/cli/switchroom.jsdist/host-control/main.jstelegram-plugin/start.jstelegram-plugin/shared/bot-runtime.tsvendor/hindsight-memory/tests/conftest.py
Network endpoints7
api.telegram.orgus.i.posthog.comoauth2.googleapis.comlogin.microsoftonline.comapi.linear.appapi.anthropic.comapi.openai.com

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • dist/cli/switchroom.js and telegram-plugin/shared/bot-runtime.ts contain child_process use for tmux/docker/git/switchroom CLI operations.
  • CLI can write agent config, hooks, skills, vault files, and compose files, but under explicit switchroom commands.
  • Network code targets package-aligned services: Telegram, OAuth providers, PostHog telemetry, Linear, Google/Drive, Anthropic/OpenAI features.
Evidence against
  • package.json has no install/postinstall/preinstall hook; only prepublishOnly for publisher build/lint/test.
  • bin/main entrypoint just parses the switchroom CLI; no import-time payload execution observed.
  • Scanner decrypt finding maps to documented vault AES-GCM and auto-unlock code, not embedded payload drop/exec.
  • telegram-plugin/start.js only imports bundled dist/server.js or source fallback.
  • Trojan-source hint is a zero-width defuse inside markdown fence escaping in bot-runtime.ts, not hidden control flow.
  • vendor/hindsight-memory/tests/conftest.py is ordinary pytest fixture code, not a binary/payload carrier.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 664 file(s), 13.5 MB of source, external domains: 127.0.0.1, a.b, a.example, api.anthropic.com, api.example.com, api.github.com, api.linear.app, api.notion.com, api.openai.com, api.telegra.ph, api.telegram.org, b.example, bun.sh, claude.ai, claude.com, console.anthropic.com, docs.com, docs.google.com, docs.googleapis.com, drive.google.com, eu-assets.i.posthog.com, eu.i.posthog.com, example.com, github.com, gitlab.com, hooks.slack.com, json-schema.org, linear.app, login.microsoftonline.com, media.giphy.com, microsoft.com, oauth2.googleapis.com, onedrive.live.com, posthog.com, quotes.toscrape.com, raw.githubusercontent.com, sentry.io, switchroom.ai, switchroom.dev, t.me, telegra.ph, us-assets.i.posthog.com, us.i.posthog.com, www.example.com, www.typescriptlang.org, x.com, x.sh, x.test, yandex.com
Oversized source lightweight scan
dist/cli/switchroom.js3.26 MB file, sampled 256 KB
FilesystemChildProcessEnvironmentVarsShellHighEntropyStringsUrlStringsgithub.com
telegram-plugin/dist/gateway/gateway.js2.56 MB file, sampled 256 KB
NetworkChildProcessEnvironmentVarsHighEntropyStringsUrlStringsapi.telegram.orgt.mewww.typescriptlang.org

Source & flagged code

14 flagged · loading source
dist/host-control/main.jsView file
10373var EventEmitter2 = __require("node:events").EventEmitter; L10374: var childProcess = __require("node:child_process"); L10375: var path2 = __require("node:path");
High
Child Process

Package source references child process execution.

dist/host-control/main.jsView on unpkg · L10373
10819} L10820: const execArgv = process2.execArgv ?? []; L10821: if (execArgv.includes("-e") || execArgv.includes("--eval") || execArgv.includes("-p") || execArgv.includes("--print")) {
High
Shell

Package source references shell execution.

dist/host-control/main.jsView on unpkg · L10819
2457if (typeof node_buffer.Buffer === "function") { L2458: return node_buffer.Buffer.from(src, "base64"); L2459: } else if (typeof atob === "function") { ... L4916: yield* this.next(token); L4917: yield* this.end(forceDoc, endOffset); L4918: } L4919: *next(token) { L4920: if (node_process.env.LOG_STREAM) L4921: console.dir(token, { depth: null }); ... L7740: } L7741: if (process.platform === "win32") { L7742: const osRelease = os.release().split(".");
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/host-control/main.jsView on unpkg · L2457
2457Cross-file remote execution chain: dist/host-control/main.js spawns dist/agent-scheduler/index.js; helper contains network access plus dynamic code execution. L2457: if (typeof node_buffer.Buffer === "function") { L2458: return node_buffer.Buffer.from(src, "base64"); L2459: } else if (typeof atob === "function") { ... L4916: yield* this.next(token); L4917: yield* this.end(forceDoc, endOffset); L4918: } L4919: *next(token) { L4920: if (node_process.env.LOG_STREAM) L4921: console.dir(token, { depth: null }); ... L7740: } L7741: if (process.platform === "win32") { L7742: const osRelease = os.release().split(".");
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/host-control/main.jsView on unpkg · L2457
telegram-plugin/dist/server.jsView file
12703sourceCode = this.opts.code.process(sourceCode, sch); L12704: const makeValidate = new Function(`${names_1.default.self}`, `${names_1.default.scope}`, sourceCode); L12705: const validate = makeValidate(this, this.scope.get());
Low
Eval

Package source references a known benign dynamic code generation pattern.

telegram-plugin/dist/server.jsView on unpkg · L12703
telegram-plugin/start.jsView file
25const target = existsSync(distPath) ? distPath : sourcePath; L26: await import(target);
Medium
Dynamic Require

Package source references dynamic require/import behavior.

telegram-plugin/start.jsView on unpkg · L25
telegram-plugin/shared/bot-runtime.tsView file
175contains invisible/control Unicode U+200B (zero width space) const safe = text.replace(/```/g, '`<U+200B>``')
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

telegram-plugin/shared/bot-runtime.tsView on unpkg · L175
8* - `createRobustApiCall` — thin re-export of createRetryApiCall pre-wired L9: * with stderr logging (mirrors how gateway.ts constructs `robustApiCall`). L10: * - `makeSwitchroomExec` / `makeSwitchroomExecCombined` — factory fns for ... L26: import { run, type RunnerHandle } from '@grammyjs/runner' L27: import { execFileSync, spawnSync } from 'child_process' L28: import { createHash } from 'crypto' ... L116: const res = await prev(method, payload, signal) L117: process.stderr.write( L118: `tg-post method=${method} chat=${chat} thread=${thread} parse_mode=${parseMode} bytes=${bytes} hash=${hash} status=ok err=- code=- desc=-${tagSuffix}\n`, ... L203: export function makeSwitchroomExec(cfg: CliConfig = {}) { L204: const cli = cfg.cliPath ?? process.env.SWITCHROOM_CLI_PATH ?? 'switchroom' L205: const config = cfg.configPath ?? process.env.SWITCHROOM_CONFIG
Low
Weak Crypto

Package source references weak cryptographic algorithms.

telegram-plugin/shared/bot-runtime.tsView on unpkg · L8
dist/cli/switchroom.jsView file
context = _ARTIFACT_NAMES: () => KNOWN_VAULT_ARTIFACT_NAMES\n});\nimport { randomBytes, scryptSync, createCipheriv, createDecipheriv } from "node:crypto";\nimport {\n readFileSync as readFileSync9,\n writeFileSync as writeFileSync3,\n existsSync as existsSync10,\n renameSync as renameSync2,\n mkdirSync as mkdirSync5,\n unlinkSync as unlinkSync3,\n lstatSync as lstatSync2,\n realpathSync as realpathSync2\n} from "node:fs";\nimport { dirname as dirname3, basename as basename3, resolve as resolve7 } from "node:path";\nfunction atomicWriteFileSync(path, data, mode) {\n let effectivePath = path;\n try {\n if (existsSync10(path) && lstatSync2(path).isSymbolicLink()) {\n effectivePath = realpathSync2(path);\n }\n } catch {}\n const dir = dirname3(resolve7(effectivePath));\n const tmp = resolve7(dir, `.${basename3(effectivePath)}.${process.pid}.${Date.now()}.tmp`);\n try {\n writeFileSync3(tmp, data, { encoding: "utf8", mode });\n renameSync2(tmp, effectivePath);\n } catch (err) {\n try {\n if (existsSync10(tmp))\n unlinkSyn
Critical
Encrypted Payload Temp Execution

Source decrypts an embedded payload, writes it to disk, and executes it through a child process.

dist/cli/switchroom.jsView on unpkg
path = dist/cli/switchroom.js kind = oversized_source_file sizeBytes = 3423593 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/cli/switchroom.jsView on unpkg
path = dist/cli/switchroom.js kind = oversized_cli_entrypoint sizeBytes = 3423593 magicHex = [redacted]
Medium
Oversized Cli Entrypoint

Package contains an oversized executable-looking CLI entrypoint.

dist/cli/switchroom.jsView on unpkg
bin/turn-pacing-hook.shView file
path = bin/turn-pacing-hook.sh kind = build_helper sizeBytes = 3963 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

bin/turn-pacing-hook.shView on unpkg
vendor/hindsight-memory/tests/conftest.pyView file
path = vendor/hindsight-memory/tests/conftest.py kind = payload_in_excluded_dir sizeBytes = 2548 magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

vendor/hindsight-memory/tests/conftest.pyView on unpkg
telegram-plugin/tests/secret-detect.test.tsView file
198patternName = private_key_rsa severity = critical line = 198 matchedText = const pe...----
Critical
Secret Pattern

RSA private key in telegram-plugin/tests/secret-detect.test.ts

telegram-plugin/tests/secret-detect.test.tsView on unpkg · L198

Findings

3 Critical6 High6 Medium8 Low
CriticalEncrypted Payload Temp Executiondist/cli/switchroom.js
CriticalTrojan Source Unicodetelegram-plugin/shared/bot-runtime.ts
CriticalSecret Patterntelegram-plugin/tests/secret-detect.test.ts
HighChild Processdist/host-control/main.js
HighShelldist/host-control/main.js
HighSandbox Evasion Gated Capabilitydist/host-control/main.js
HighCross File Remote Execution Contextdist/host-control/main.js
HighPayload In Excluded Dirvendor/hindsight-memory/tests/conftest.py
HighOversized Source Filedist/cli/switchroom.js
MediumDynamic Requiretelegram-plugin/start.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperbin/turn-pacing-hook.sh
MediumOversized Cli Entrypointdist/cli/switchroom.js
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaltelegram-plugin/dist/server.js
LowWeak Cryptotelegram-plugin/shared/bot-runtime.ts
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings