@openclaw/tlon
OpenClaw Tlon/Urbit channel plugin
1
Versions
—
License
No
Install Scripts
Verified
Provenance
Supply chain provenance
Status for the latest visible version.
SLSA provenance attestation
npm registry signatures
gitHead linked
Maintainers
steipetevincentkoc
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:etc-passwd-access | AI (semgrep): Fires in a test asserting /etc/passwd URLs are rejected — not credential harvesting. | ai | |
| semgrep | semgrep:shady-links-raw-ip | AI (semgrep): Fires in SSRF test asserting 127.0.0.1 requests are blocked — not a real outbound request. | ai | |
| typosquat | typosquat.levenshtein:glob | AI (typosquat): @openclaw/tlon is a scoped Urbit plugin; no plausible impersonation of 'glob'. | ai |
Versions (showing 1 of 1)
| Version | Deps | Published |
|---|---|---|
| 2026.2.21 | 1 / 1 |
v2026.2.21
2 findings
HIGH
etc-passwd-access: src/urbit/base-url.test.ts:14
semgrep
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux 12 | 13 | it("rejects non-http schemes", () => { > 14 | const result = validateUrbitBaseUrl("file:///etc/passwd"); 15 | expect(result.ok).toBe(false); 16 | if (result.ok) return;
LOW
No provenance attestation
provenance
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.