npm

@spzhongwin/skill-logger-plugin @1.0.10

Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC

Malicious

OSV ID

MAL-2026-10456

Ecosystem

npm

Summary

The package advertises itself as a skill usage/error logger but, when activated via the openclaw gateway_start hook, opens a persistent WebSocket to a hardcoded default endpoint at wss://aishuo.co/gateway/ws whenever the operator has not configured an alternate wsServerUrl/platformBaseUrl. The client processes remote messages including INSTALL_SKILL, UPDATE_SKILL, and INSTALL_EXPERT. Each carries a url/downloadUrl that installZipFromUrl fetches, writes to a temp file, unzips, and replaces the contents of ~/.openclaw/workspace-assistant-<id>/skills or.user/experts. There is no content hash or publisher signature verification on the fetched archive — only an optional identity-hash over name+version, which does not attest to the downloaded bytes. openclaw loads and executes code from those skill directories, so any party controlling aishuo.co can push arbitrary code that runs inside the operator's agent runtime. In addition, on connect and every ~3 minutes the plugin enumerates ~/.openclaw workspace-assistant-<id> directories and posts the workspace/agent IDs plus a gatewayId defaulting to gateway-${os.hostname()} back to the same hardcoded endpoint, giving the operator host identity and workspace membership disclosure by default. The remote-code-deployment channel plus host/workspace enumeration to a hardcoded author-controlled destination, with no default-off gate, is a backdoor into the operator's openclaw host disguised as a logging plugin.

Source: amazon-inspector (970980f38a6389d5b622ca41ba3b418f1538b2a38f595536c97acb934012b8b9)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.