@keychat-io/keychat 0.1.22 → 0.1.24
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +19 -0
- package/package.json +1 -1
package/README.md
CHANGED
|
@@ -19,6 +19,25 @@ That's it. The plugin automatically downloads the bridge binary and initializes
|
|
|
19
19
|
|
|
20
20
|
Supported platforms: macOS (ARM/x64), Linux (x64/ARM64).
|
|
21
21
|
|
|
22
|
+
### Security Warnings
|
|
23
|
+
|
|
24
|
+
During installation, OpenClaw will show the following warning:
|
|
25
|
+
|
|
26
|
+
```
|
|
27
|
+
WARNING: Plugin "keychat" contains dangerous code patterns:
|
|
28
|
+
Shell command execution detected (child_process) (src/bridge-client.ts)
|
|
29
|
+
Shell command execution detected (child_process) (src/keychain.ts)
|
|
30
|
+
```
|
|
31
|
+
|
|
32
|
+
**Both are expected and required.** Here's why:
|
|
33
|
+
|
|
34
|
+
| Warning | File | Why it's needed |
|
|
35
|
+
|---------|------|----------------|
|
|
36
|
+
| Shell command execution (child_process) | `bridge-client.ts` | Spawns the Rust sidecar process for Signal Protocol & MLS encryption. Keychat's cryptography runs in Rust and must be bridged to Node.js. |
|
|
37
|
+
| Shell command execution (child_process) | `keychain.ts` | Stores the agent's identity mnemonic in the OS keychain (macOS Keychain / Linux libsecret) instead of plain-text files. |
|
|
38
|
+
|
|
39
|
+
These warnings cannot be removed without sacrificing core functionality or security. The plugin does **not** execute arbitrary commands — it only spawns the bundled bridge binary and accesses the system keychain.
|
|
40
|
+
|
|
22
41
|
Alternatively, install via shell script:
|
|
23
42
|
|
|
24
43
|
```bash
|