registry  /  @0xmaxma/claude-gateway  /  1.3.18

@0xmaxma/claude-gateway@1.3.18

Multi-agent gateway for Claude

AI Security Review

scanned 10d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established by source inspection. The package is a high-privilege Claude gateway with intentional runtime command execution, prompt-file generation, bot APIs, app installs, and self-update features.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User installs package, then starts/configures `claude-gateway` or calls authenticated/admin runtime APIs.
Impact
Configured agents and admin users can run Claude sessions, cron commands, app installs, and send results to configured channels.
Mechanism
Documented multi-agent gateway runtime capabilities, not hidden install-time malware.
Rationale
The scanner-highlighted primitives are real but align with the package's documented purpose as a self-hosted Claude agent gateway and are activated by startup/configured/admin/user actions rather than hidden install-time abuse. I found no hardcoded attacker endpoint, credential harvesting, covert exfiltration, persistence beyond documented service/app behavior, or unconsented lifecycle AI-agent control-surface mutation.
Evidence
package.jsondist/index.jsdist/api/router.jsdist/cron/manager.jsdist/api/packages.jsdist/apps/installer.jsdist/agent/workspace-loader.jsREADME.md~/.claude-gateway/.env~/.claude-gateway/config.json~/.claude-gateway/agents/<id>/.env~/.claude-gateway/agents/<id>/workspace/CLAUDE.md~/.claude/skills
Network endpoints6
api.telegram.orgdiscord.com/api/v10wss://gateway.discord.gg/?v=10&encoding=jsonregistry.npmjs.orgraw.githubusercontent.com/0xMaxMa/claude-gateway-appstore/main/apps.jsonraw.githubusercontent.com

Decision evidence

public snapshot
AI called this Clean at 82.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • package.json has postinstall running `bun install --cwd mcp`.
  • dist/api/router.js spawns `claude --print --dangerously-skip-permissions` for user/admin wizard generation.
  • dist/cron/manager.js can execute configured cron commands and deliver stdout to Telegram/Discord.
  • dist/index.js writes assembled workspace prompts to agent `CLAUDE.md` and syncs bundled skills to user skill dirs.
Evidence against
  • Postinstall only installs the bundled mcp subproject dependencies; no credential read/exfil or agent prompt mutation at install time found.
  • Network endpoints are package-aligned: Telegram, Discord, npm registry, GitHub raw app/skill registry, local gateway callbacks.
  • Command execution paths are runtime features gated by configured agents, admin API routes, cron jobs, app install, or user channel actions.
  • Secret/env reads are for documented gateway config and bot tokens under ~/.claude-gateway, not harvested to an attacker endpoint.
  • README documents the Claude gateway, channels, app store, cron, self-update, and CLAUDE.md generation behavior.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 100 file(s), 1.17 MB of source, external domains: 127.0.0.1, api.telegram.org, cdn.jsdelivr.net, discord.com, github.com, raw.githubusercontent.com, registry.npmjs.org

Source & flagged code

7 flagged · loading source
package.jsonView file
scripts.postinstall = if command -v bun >/dev/null 2>&1; then bun install --cwd mcp; else echo 'Warning: bun not found. Run `cd mcp && bun install` manually to enable MCP tools.'; fi
Critical
Red Install Lifecycle Script

Install-time lifecycle script matches a deterministic static-gate block pattern.

package.jsonView on unpkg
scripts.postinstall = if command -v bun >/dev/null 2>&1; then bun install --cwd mcp; else echo 'Warning: bun not found. Run `cd mcp && bun install` manually to enable MCP tools.'; fi
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
dist/discord/receiver.jsView file
36exports.DiscordReceiver = void 0; L37: const child_process_1 = require("child_process"); L38: const path = __importStar(require("path"));
High
Child Process

Package source references child process execution.

dist/discord/receiver.jsView on unpkg · L36
dist/api/router.jsView file
42const path = __importStar(require("path")); L43: const child_process_1 = require("child_process"); L44: const runner_1 = require("../agent/runner"); ... L81: }; L82: const TELEGRAM_API_BASE = process.env.TELEGRAM_API_BASE ?? 'https://api.telegram.org'; L83: /** Max simultaneous wizard/start Claude subprocesses to prevent resource exhaustion. */ ... L85: const WIZARD_MAX_CONCURRENT = 2; L86: /** Call Claude --print with stdin prompt; resolves with stdout on exit 0. */ L87: function runClaude(prompt, timeoutMs = 120000) { ... L100: if (code === 0) L101: resolve(Buffer.concat(out).toString('utf-8')); L102: else
Critical
Command Output Exfiltration

Source executes local commands and sends command output to an external endpoint.

dist/api/router.jsView on unpkg · L42
42Trigger-reachable chain: manifest.main -> dist/index.js -> dist/api/gateway-router.js -> dist/api/router.js L42: const path = __importStar(require("path")); L43: const child_process_1 = require("child_process"); L44: const runner_1 = require("../agent/runner"); ... L81: }; L82: const TELEGRAM_API_BASE = process.env.TELEGRAM_API_BASE ?? 'https://api.telegram.org'; L83: /** Max simultaneous wizard/start Claude subprocesses to prevent resource exhaustion. */ ... L85: const WIZARD_MAX_CONCURRENT = 2; L86: /** Call Claude --print with stdin prompt; resolves with stdout on exit 0. */ L87: function runClaude(prompt, timeoutMs = 120000) { ... L100: if (code === 0) L101: resolve(Buffer.concat(out).toString('utf-8')); L102: else
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/api/router.jsView on unpkg · L42
81}; L82: const TELEGRAM_API_BASE = process.env.TELEGRAM_API_BASE ?? 'https://api.telegram.org'; L83: /** Max simultaneous wizard/start Claude subprocesses to prevent resource exhaustion. */ ... L88: return new Promise((resolve, reject) => { L89: const child = (0, child_process_1.spawn)('claude', ['--print', '--dangerously-sk[redacted]'], { L90: env: { ...process.env },
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/api/router.jsView on unpkg · L81
dist/api/packages.jsView file
192try { L193: (0, child_process_1.execSync)(`npm install -g ${packageName}@latest`, { L194: stdio: ['pipe', 'pipe', 'pipe'],
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/api/packages.jsView on unpkg · L192

Findings

3 Critical5 High3 Medium5 Low
CriticalRed Install Lifecycle Scriptpackage.json
CriticalCommand Output Exfiltrationdist/api/router.js
CriticalTrigger Reachable Dangerous Capabilitydist/api/router.js
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist/discord/receiver.js
HighShell
HighSame File Env Network Executiondist/api/router.js
HighRuntime Package Installdist/api/packages.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License