registry  /  @0xmaxma/claude-gateway  /  1.3.17

@0xmaxma/claude-gateway@1.3.17

Multi-agent gateway for Claude

AI Security Review

scanned 10d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a high-capability Claude gateway, and inspected command execution, network calls, env loading, workspace writes, and package updates are aligned with documented runtime/admin features.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm install runs MCP dependency install; CLI startup and authenticated API/admin actions activate gateway features.
Impact
User-configured agents can run Claude and tools with broad local capability, but no covert package attack was identified.
Mechanism
documented AI-agent gateway orchestration with subprocesses and chat/API bridges
Rationale
Static inspection confirms high-risk primitives, but they are documented, user/admin-invoked gateway functionality rather than covert installation, import-time execution, credential theft, or exfiltration. The install hook only installs bundled MCP dependencies with bun and does not mutate AI-agent control surfaces or run hidden payload code.
Evidence
package.jsonmcp/package.jsondist/index.jsdist/api/router.jsdist/api/packages.jsdist/discord/receiver.jsdist/api/gateway-router.jsmcp/server.tsREADME.md
Network endpoints5
api.telegram.orgdiscord.com/api/v10registry.npmjs.orgraw.githubusercontent.com/0xMaxMa/claude-gateway-appstore/main/apps.jsoncdn.jsdelivr.net/npm/@xterm/xterm@6.0.0

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • package.json has postinstall running `bun install --cwd mcp`.
  • dist/api/router.js spawns `claude --print --dangerously-skip-permissions` in admin-authenticated wizard generation.
  • dist/api/packages.js admin route can run `npm install -g` for fixed package names.
  • dist/index.js writes generated CLAUDE.md into configured agent workspaces at CLI runtime.
Evidence against
  • README.md documents a Claude multi-agent gateway with Telegram/Discord/API, MCP tools, self-update, and app install features.
  • Network calls are package-aligned: Telegram, Discord, npm registry, GitHub app/skill registries, local gateway callbacks.
  • Dangerous command paths are runtime/admin/user-configured, not hidden import-time or install-time exfiltration.
  • No credential harvesting or covert exfiltration found; env/bot tokens are loaded for configured channel operation.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 100 file(s), 1.17 MB of source, external domains: 127.0.0.1, api.telegram.org, cdn.jsdelivr.net, discord.com, github.com, raw.githubusercontent.com, registry.npmjs.org

Source & flagged code

7 flagged · loading source
package.jsonView file
scripts.postinstall = if command -v bun >/dev/null 2>&1; then bun install --cwd mcp; else echo 'Warning: bun not found. Run `cd mcp && bun install` manually to enable MCP tools.'; fi
Critical
Red Install Lifecycle Script

Install-time lifecycle script matches a deterministic static-gate block pattern.

package.jsonView on unpkg
scripts.postinstall = if command -v bun >/dev/null 2>&1; then bun install --cwd mcp; else echo 'Warning: bun not found. Run `cd mcp && bun install` manually to enable MCP tools.'; fi
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
dist/discord/receiver.jsView file
36exports.DiscordReceiver = void 0; L37: const child_process_1 = require("child_process"); L38: const path = __importStar(require("path"));
High
Child Process

Package source references child process execution.

dist/discord/receiver.jsView on unpkg · L36
dist/api/router.jsView file
42const path = __importStar(require("path")); L43: const child_process_1 = require("child_process"); L44: const runner_1 = require("../agent/runner"); ... L81: }; L82: const TELEGRAM_API_BASE = process.env.TELEGRAM_API_BASE ?? 'https://api.telegram.org'; L83: /** Max simultaneous wizard/start Claude subprocesses to prevent resource exhaustion. */ ... L85: const WIZARD_MAX_CONCURRENT = 2; L86: /** Call Claude --print with stdin prompt; resolves with stdout on exit 0. */ L87: function runClaude(prompt, timeoutMs = 120000) { ... L100: if (code === 0) L101: resolve(Buffer.concat(out).toString('utf-8')); L102: else
Critical
Command Output Exfiltration

Source executes local commands and sends command output to an external endpoint.

dist/api/router.jsView on unpkg · L42
42Trigger-reachable chain: manifest.main -> dist/index.js -> dist/api/gateway-router.js -> dist/api/router.js L42: const path = __importStar(require("path")); L43: const child_process_1 = require("child_process"); L44: const runner_1 = require("../agent/runner"); ... L81: }; L82: const TELEGRAM_API_BASE = process.env.TELEGRAM_API_BASE ?? 'https://api.telegram.org'; L83: /** Max simultaneous wizard/start Claude subprocesses to prevent resource exhaustion. */ ... L85: const WIZARD_MAX_CONCURRENT = 2; L86: /** Call Claude --print with stdin prompt; resolves with stdout on exit 0. */ L87: function runClaude(prompt, timeoutMs = 120000) { ... L100: if (code === 0) L101: resolve(Buffer.concat(out).toString('utf-8')); L102: else
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/api/router.jsView on unpkg · L42
81}; L82: const TELEGRAM_API_BASE = process.env.TELEGRAM_API_BASE ?? 'https://api.telegram.org'; L83: /** Max simultaneous wizard/start Claude subprocesses to prevent resource exhaustion. */ ... L88: return new Promise((resolve, reject) => { L89: const child = (0, child_process_1.spawn)('claude', ['--print', '--dangerously-sk[redacted]'], { L90: env: { ...process.env },
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/api/router.jsView on unpkg · L81
dist/api/packages.jsView file
192try { L193: (0, child_process_1.execSync)(`npm install -g ${packageName}@latest`, { L194: stdio: ['pipe', 'pipe', 'pipe'],
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/api/packages.jsView on unpkg · L192

Findings

3 Critical5 High3 Medium5 Low
CriticalRed Install Lifecycle Scriptpackage.json
CriticalCommand Output Exfiltrationdist/api/router.js
CriticalTrigger Reachable Dangerous Capabilitydist/api/router.js
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist/discord/receiver.js
HighShell
HighSame File Env Network Executiondist/api/router.js
HighRuntime Package Installdist/api/packages.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License