Openclaw Cli Bridge Elvatis
Bridge local AI CLIs + web browser sessions (Grok, Gemini, Claude.ai, ChatGPT) into OpenClaw as model providers. Includes /cli-* slash commands for instant m...
MIT-0 · Free to use, modify, and redistribute. No attribution required.
⭐ 0 · 486 · 1 current installs · 1 all-time installs
byelvatis_com@homeofe
MIT-0
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name/description (bridge CLIs + browser sessions) aligns with the code: the package contains a local proxy, CLI subprocess runners, Playwright browser automation, and token/cookie handling. However, the manifest declares no required config paths or env vars while the code reads user credential files (e.g. ~/.codex/auth.json, ~/.claude/.credentials.json) and writes persistent state under ~/.openclaw — these file accesses are expected for the plugin's purpose but are not reflected in the declared requirements (incoherent manifest vs. actual I/O).
Instruction Scope
SKILL.md and code instruct the gateway to read OAuth/token files, manage cookie expiry, control persistent Chromium profiles, run CLI binaries, and auto-restore sessions. Those actions are within the described purpose, but there are two notable scope concerns: (1) the plugin reads and reuses local credential files (sensitive), and (2) SKILL.md says it will send automatic WhatsApp alerts with exact login commands on session expiry — sending external notifications is scope creep relative to simple model bridging and requires network/credential configuration that is not declared. The instructions also launch headed browsers for manual logins and run local binaries (claude/gemini), all of which grant broad local access.
Install Mechanism
Registry metadata states 'No install spec — instruction-only', but the package includes full source (package.json with dependency on Playwright). That means the plugin is not truly instruction-only; installing or enabling it will pull and use Node/Playwright (which may in turn download browser binaries). Playwright is a heavyweight dependency and typically downloads browsers on install/run; this is expected for browser automation but should be disclosed. No remote download-from-arbitrary-URL installs were seen.
Credentials
No environment variables or primary credentials are declared, yet the code: (a) reads sensitive local credential files (~/.codex/auth.json, ~/.claude/.credentials.json), (b) writes persistent state under ~/.openclaw (cookie-expiry, cli-bridge-state), and (c) spawns CLI processes with environment forwarding. The mismatch (undeclared file/credential accesses and the SKILL.md claim of WhatsApp alerts without any declared notification credentials) is a proportionality and transparency issue: users should be told exactly which files/credentials will be read and where data is sent.
Persistence & Privilege
The plugin creates and uses persistent Chromium profiles in ~/.openclaw/*, writes a cookie-expiry file and CLI-bridge state file, and runs background timers (token refresh). Those persistent artifacts are expected for session persistence but are non-trivial privileges (long-lived access to cookies and tokens). 'always' is false (good), but the plugin performs automatic token refreshes and automatic external alerts (WhatsApp) after gateway restarts — combination of persistent credentials + automatic external notifications increases risk and should be confirmed by the user.
What to consider before installing
Before installing, be aware this plugin will: (1) read existing CLI credential files from your home directory (~/.codex/auth.json, ~/.claude/.credentials.json) and manage/refresh tokens, (2) create and persist Chromium profiles and store cookie-expiry/state under ~/.openclaw, (3) spawn local CLI binaries (claude, gemini) and run them, and (4) claim to send automatic WhatsApp alerts with login commands on session expiry. Ask the author (or inspect the remaining source files) how the WhatsApp alerts are implemented and whether any external credentials are required or stored; confirm you are comfortable with the plugin having read/write access to the listed local files. If you want to proceed, test in an isolated account or VM, back up the credential files, and review/limit what binaries and profiles the plugin can access. If you need higher assurance, request explicit manifest updates that declare required config paths and any external notification endpoints/credentials.src/chrome-check.ts:32
Shell command execution detected (child_process).
src/claude-auth.ts:234
Shell command execution detected (child_process).
src/cli-runner.ts:113
Shell command execution detected (child_process).
src/session-manager.ts:101
Shell command execution detected (child_process).
test/session-manager.test.ts:76
Shell command execution detected (child_process).
index.ts:29
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.Like a lobster shell, security has layers — review code before you run it.
Current versionv2.0.0
Download zipbridgeclilatestllmplaywrightproxy
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🌉 Clawdis
Binsopenclaw, claude, gemini
SKILL.md
OpenClaw CLI Bridge
Bridges locally installed AI CLIs + web browser sessions into OpenClaw as model providers. Four phases:
Phase 1 — Codex Auth Bridge
Registers openai-codex provider from existing ~/.codex/auth.json tokens. No re-login.
Phase 2 — Request Proxy
Local OpenAI-compatible HTTP proxy (127.0.0.1:31337) routes vllm model calls to CLI subprocesses:
vllm/cli-gemini/gemini-2.5-pro/gemini-2.5-flash/gemini-3-provllm/cli-claude/claude-sonnet-4-6/claude-opus-4-6/claude-haiku-4-5vllm/local-bitnet/bitnet-2b→ BitNet llama-server on 127.0.0.1:8082
Prompts go via stdin/tmpfile — never as CLI args (prevents E2BIG for long sessions).
Phase 3 — Slash Commands
Six instant model-switch commands (authorized senders only):
| Command | Model |
|---|---|
/cli-sonnet | vllm/cli-claude/claude-sonnet-4-6 |
/cli-opus | vllm/cli-claude/claude-opus-4-6 |
/cli-haiku | vllm/cli-claude/claude-haiku-4-5 |
/cli-gemini | vllm/cli-gemini/gemini-2.5-pro |
/cli-gemini-flash | vllm/cli-gemini/gemini-2.5-flash |
/cli-gemini3 | vllm/cli-gemini/gemini-3-pro |
/cli-codex | openai-codex/gpt-5.3-codex |
/cli-codex54 | openai-codex/gpt-5.4 |
/cli-bitnet | vllm/local-bitnet/bitnet-2b |
/cli-back | Restore previous model |
/cli-test [model] | Health check (no model switch) |
Each command uses staged switching by default (apply with /cli-apply).
Phase 4 — Web Browser Providers
Persistent Chromium profiles for 4 web providers (no API key needed):
- Grok (
web-grok/*):/grok-login,/grok-status,/grok-logout - Gemini (
web-gemini/*):/gemini-login,/gemini-status,/gemini-logout - Claude.ai (
web-claude/*):/claude-login,/claude-status,/claude-logout - ChatGPT (
web-chatgpt/*):/chatgpt-login,/chatgpt-status,/chatgpt-logout
Sessions survive gateway restarts. /bridge-status shows all 4 at a glance.
On gateway restart, if any session has expired, a WhatsApp alert is sent automatically with the exact /xxx-login commands needed — no guessing required.
Browser health dashboard: http://127.0.0.1:31337/status — live overview of all 4 providers, cookie expiry, and model list. Auto-refreshes every 30s.
Setup
- Enable plugin + restart gateway
- (Optional) Register Codex auth:
openclaw models auth login --provider openai-codex - Use
/cli-*commands to switch models from any channel
See README.md for full configuration reference and architecture diagram.
Version: 1.9.1
Files
36 totalSelect a file
Select a file to preview.
Comments
Loading comments…