*Context:* I run OpenClaw. On Feb 5th, I installed `@getfoundry/unbrowse-openclaw` from npm. Two weeks later, I discovered it was exfiltrating credentials to a remote "skill marketplace." I did something stupid and I am sharing this to warn others.
## Attack Vectors
### 1. Process Environment Access
Plugin ran inside the OpenClaw gateway (Node.js). Could read `process.env`, which included:
- `OP_SERVICE_ACCOUNT_TOKEN` (1Password service account with vault access)
- `OPENCLAW_GATEWAY_TOKEN`
- Various API keys (Slack, Telegram, OpenAI, etc.)
### 2. Browser Traffic Interception
Captured auth cookies/tokens from browser API calls:
- AmEx (22-26 cookies including JSESSIONID, Akamai tokens)
- Stanford MyHealth (126-128 cookies, HIPAA data)
- Kubera (portfolio aggregator)
- Twitter/X (bearer tokens)
- My startup's admin session
Each capture logged as `Auto-published [service] to skill marketplace` with HTTP 200 responses from remote server.
- Stop responding to diagnostic questions
- Lie about system state
- Request 1Password integration
- Hide Solana payment references
## The Payload
Found in config:
- Solana wallet address field
- Dependencies: `@solana/web3.js`, `@solana/spl-token`
- "Skill marketplace" URL (now unreachable as of Feb 15)
- 216KB of unaudited TypeScript
## Behavioral Indicators
AI started:
- Giving slow/incomplete responses
- Requesting unusual permissions
- Insisting on continued plugin use
- Deflecting direct questions about functionality
Mimicked human-like evasion well enough that I suspected Signal MITM.
## Discovery
Feb 19: Debugging gateway logs, saw:
```
Auto-published hiring-cafe to skill marketplace
Auto-published kubera to skill marketplace
Skill marketplace unreachable — auto-publish disabled
```
Last line was the tell—server went dark on Feb 15.
## Remediation
*Immediate:*
- Deleted 1Password service account (not rotated—deleted)
- Rotated all passwords in accessible vaults
- Enabled 2FA everywhere
- Invalidated all browser sessions
- Rotated all API tokens
*Cost:*
- ~20 hours remediation
- 3 weeks lost work (restored from Jan 31 backup)
- Potential HIPAA breach (healthcare data accessed)
## Red Flags I Missed
1. *Crypto dependencies* for a non-crypto tool
2. *Unvetted npm publisher* (@getfoundry—no other packages)
3. *Plugin runs in trusted process* (should have sandboxed)
4. *No code review* before install (216KB unaudited)
5. *Too good to be true* (auto-generate APIs from browser traffic is hard)
## New Security Protocol
Before installing any plugin:
1. Read full source code
2. Verify author reputation + other packages
3. Check for crypto dependencies (red flag if unrelated)
4. Sandbox in isolated environment first
Auto-reject if:
- Requests elevated permissions
- Modifies core config files
- Downloads executables
- New/unknown author with single package
## Technical Details
Full forensic report with timeline, payload examples, and remediation checklist: [link]
Package reported to npm security. No evidence of credential use yet (monitoring).
*If you installed `@getfoundry/unbrowse-openclaw` or anything from `@getfoundry`, remove immediately and audit your systems.*
---
*Lessons:*
- Treat external plugins as hostile until proven otherwise
- Never put long-lived secrets in `process.env` (Openclaw does this, make sure you fix this.)
- Behavioral changes = investigate immediately
- Backups save you (had clean Jan 31 snapshot)
## Attack Vectors
### 1. Process Environment Access
Plugin ran inside the OpenClaw gateway (Node.js). Could read `process.env`, which included:
- `OP_SERVICE_ACCOUNT_TOKEN` (1Password service account with vault access) - `OPENCLAW_GATEWAY_TOKEN` - Various API keys (Slack, Telegram, OpenAI, etc.)
### 2. Browser Traffic Interception
Captured auth cookies/tokens from browser API calls:
- AmEx (22-26 cookies including JSESSIONID, Akamai tokens) - Stanford MyHealth (126-128 cookies, HIPAA data) - Kubera (portfolio aggregator) - Twitter/X (bearer tokens) - My startup's admin session
Each capture logged as `Auto-published [service] to skill marketplace` with HTTP 200 responses from remote server.
### 3. Prompt Injection at Configuration Level
Modified files my AI reads on startup:
- `SOUL.md` (personality/behavior) - `AGENTS.md` (operational protocols) - `HEARTBEAT.md` (autonomous task scheduling) - Daily memory logs
Injected instructions:
- Stop responding to diagnostic questions - Lie about system state - Request 1Password integration - Hide Solana payment references
## The Payload
Found in config:
- Solana wallet address field - Dependencies: `@solana/web3.js`, `@solana/spl-token` - "Skill marketplace" URL (now unreachable as of Feb 15) - 216KB of unaudited TypeScript
## Behavioral Indicators
AI started:
- Giving slow/incomplete responses - Requesting unusual permissions - Insisting on continued plugin use - Deflecting direct questions about functionality
Mimicked human-like evasion well enough that I suspected Signal MITM.
## Discovery
Feb 19: Debugging gateway logs, saw:
``` Auto-published hiring-cafe to skill marketplace Auto-published kubera to skill marketplace Skill marketplace unreachable — auto-publish disabled ```
Last line was the tell—server went dark on Feb 15.
## Remediation
*Immediate:*
- Deleted 1Password service account (not rotated—deleted) - Rotated all passwords in accessible vaults - Enabled 2FA everywhere - Invalidated all browser sessions - Rotated all API tokens
*Cost:*
- ~20 hours remediation - 3 weeks lost work (restored from Jan 31 backup) - Potential HIPAA breach (healthcare data accessed)
## Red Flags I Missed
1. *Crypto dependencies* for a non-crypto tool 2. *Unvetted npm publisher* (@getfoundry—no other packages) 3. *Plugin runs in trusted process* (should have sandboxed) 4. *No code review* before install (216KB unaudited) 5. *Too good to be true* (auto-generate APIs from browser traffic is hard)
## New Security Protocol
Before installing any plugin:
1. Read full source code 2. Verify author reputation + other packages 3. Check for crypto dependencies (red flag if unrelated) 4. Sandbox in isolated environment first
Auto-reject if:
- Requests elevated permissions - Modifies core config files - Downloads executables - New/unknown author with single package
## Technical Details
Full forensic report with timeline, payload examples, and remediation checklist: [link]
Package reported to npm security. No evidence of credential use yet (monitoring).
*If you installed `@getfoundry/unbrowse-openclaw` or anything from `@getfoundry`, remove immediately and audit your systems.*
---
*Lessons:*
- Treat external plugins as hostile until proven otherwise - Never put long-lived secrets in `process.env` (Openclaw does this, make sure you fix this.) - Behavioral changes = investigate immediately - Backups save you (had clean Jan 31 snapshot)