npm · registry.npmjs.org

@agentai2026/openclaw-zh

Webhook Exfil Endpoint: matched "ngrok.app"

Why PkgRadar flagged 2026.5.28-zh

Severity	Signal	Evidence
high	Webhook Exfil Endpoint	matched "ngrok.app" · package/dist/dist-pWVRAz0d.js
high	Webhook Exfil Endpoint	matched "ngrok-free.app" · package/dist/guarded-json-api-D0gJV2K3.js
high	Webhook Exfil Endpoint	matched "api.telegram.org/bot" · package/dist/i18n-eLAkCRYg.js
high	Js Split Join Obfuscation	Array-of-single-tokens joined to form a string — used to obscure module names like require(["n","o","de",":","cr","yp","to"].join("")), defeating static require() analysis. · package/dist/extensions/phone-control/index.js
high	Js Split Join Obfuscation	Array-of-single-tokens joined to form a string — used to obscure module names like require(["n","o","de",":","cr","yp","to"].join("")), defeating static require() analysis. · package/dist/loader-6emNCU1C.js
medium	Credential file access	matched ".npmrc" · package/dist/install-package-dir-Cblzlz4I.js
medium	Credential file access	matched ".npmrc" · package/dist/npm-install-env-DHRrBEi1.js
medium	Credential file access	matched ".npmrc" · package/dist/npm-managed-root-BWVRAOIP.js

Scanned versions

Version	Verdict	Score	Scanned (UTC)
`2026.5.28-zh`	High risk	253	2026-05-30
`2026.5.27-zh`	High risk	253	2026-05-30
`2026.5.27-zh.nightly.5`	High risk	253	2026-05-30
`2026.5.27-zh.nightly.6`	High risk	253	2026-05-30
`2026.5.27-zh.nightly.4`	High risk	333	2026-05-30
`2026.5.30-zh.20260530`	Low risk	0	2026-05-30
`1.0.1`	Low risk	0	2026-05-29
`1.0.0`	Low risk	0	2026-05-29

Related campaigns

Block this in CI

PkgRadar gates @agentai2026/openclaw-zh (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem npm @agentai2026/[email protected]