registry  /  @0xmaxma/claude-gateway  /  1.3.19

@0xmaxma/claude-gateway@1.3.19

Multi-agent gateway for Claude

AI Security Review

scanned 9d ago · by lpm-firewall-ai

The package exposes powerful runtime automation: spawning Claude sessions, package updates, Docker/app installation, and workspace prompt file writes. These are dangerous capabilities for a gateway but appear user/admin-invoked and package-aligned rather than covert malware.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
npm install postinstall; authenticated runtime API or configured agent startup
Impact
Authenticated users or configured agents can cause local command execution and workspace/config mutation within the product's intended control plane.
Mechanism
gateway-managed subprocess/package-manager/docker execution
Attack narrative
Install-time behavior conditionally runs `bun install --cwd mcp`, which may fetch dependencies but does not itself execute a hidden payload in package source. Runtime code starts a Claude gateway that can spawn subprocesses, call Telegram/Discord/npm/GitHub endpoints, update global packages, run Docker app installs, and rewrite workspace CLAUDE.md as part of agent orchestration. These are broad dual-use capabilities, but inspected source ties them to configured gateway features and authenticated/admin actions.
Rationale
Static source inspection confirms high-risk runtime control-plane features and an install lifecycle dependency install, but not covert credential harvesting, exfiltration, persistence, or unconsented install-time AI-agent hijacking. Downgrade to warn because the dangerous capability is real but package-aligned.
Evidence
package.jsonmcp/package.jsonmcp/server.tsdist/index.jsdist/session/process.jsdist/api/router.jsdist/api/auth.jsdist/api/packages.jsdist/apps/installer.jsmcp/~/.claude-gateway/.env~/.claude-gateway/agents/<id>/.envCLAUDE.mdconfig.json
Network endpoints5
api.telegram.orgdiscord.com/api/v10registry.npmjs.orgraw.githubusercontent.com/0xMaxMa/claude-gateway-appstore/main/apps.json127.0.0.1

Decision evidence

public snapshot
AI called this Suspicious at 78.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json postinstall runs `bun install --cwd mcp` when bun exists
  • dist/session/process.js spawns Claude subprocesses with workspace cwd and env tokens
  • dist/api/packages.js admin route can run `npm install -g ...@latest` at runtime
  • dist/apps/installer.js can run git/docker/sudo commands for app installation workflows
  • dist/index.js writes generated CLAUDE.md into configured agent workspaces
Evidence against
  • No install-time code beyond package-manager install in mcp directory was found
  • No hardcoded command-output exfiltration endpoint or hidden C2 host found
  • Network hosts are package-aligned: Telegram, Discord, npm registry, GitHub/appstore, local gateway callbacks
  • API routes use configured API-key auth for agent messages and package update admin checks
  • Env file reads load declared ~/.claude-gateway and per-agent configuration for runtime operation
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 101 file(s), 1.18 MB of source, external domains: 127.0.0.1, api.telegram.org, cdn.jsdelivr.net, discord.com, github.com, raw.githubusercontent.com, registry.npmjs.org

Source & flagged code

8 flagged · loading source
package.jsonView file
scripts.postinstall = if command -v bun >/dev/null 2>&1; then bun install --cwd mcp; else echo 'Warning: bun not found. Run `cd mcp && bun install` manually to enable MCP tools.'; fi
Critical
Red Install Lifecycle Script

Install-time lifecycle script matches a deterministic static-gate block pattern.

package.jsonView on unpkg
scripts.postinstall = if command -v bun >/dev/null 2>&1; then bun install --cwd mcp; else echo 'Warning: bun not found. Run `cd mcp && bun install` manually to enable MCP tools.'; fi
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
dist/discord/receiver.jsView file
36exports.DiscordReceiver = void 0; L37: const child_process_1 = require("child_process"); L38: const path = __importStar(require("path"));
High
Child Process

Package source references child process execution.

dist/discord/receiver.jsView on unpkg · L36
dist/api/router.jsView file
42const path = __importStar(require("path")); L43: const child_process_1 = require("child_process"); L44: const runner_1 = require("../agent/runner"); ... L81: }; L82: const TELEGRAM_API_BASE = process.env.TELEGRAM_API_BASE ?? 'https://api.telegram.org'; L83: /** Max simultaneous wizard/start Claude subprocesses to prevent resource exhaustion. */ ... L85: const WIZARD_MAX_CONCURRENT = 2; L86: /** Call Claude --print with stdin prompt; resolves with stdout on exit 0. */ L87: function runClaude(prompt, timeoutMs = 120000) { ... L100: if (code === 0) L101: resolve(Buffer.concat(out).toString('utf-8')); L102: else
Critical
Command Output Exfiltration

Source executes local commands and sends command output to an external endpoint.

dist/api/router.jsView on unpkg · L42
42Trigger-reachable chain: manifest.main -> dist/index.js -> dist/api/gateway-router.js -> dist/api/router.js L42: const path = __importStar(require("path")); L43: const child_process_1 = require("child_process"); L44: const runner_1 = require("../agent/runner"); ... L81: }; L82: const TELEGRAM_API_BASE = process.env.TELEGRAM_API_BASE ?? 'https://api.telegram.org'; L83: /** Max simultaneous wizard/start Claude subprocesses to prevent resource exhaustion. */ ... L85: const WIZARD_MAX_CONCURRENT = 2; L86: /** Call Claude --print with stdin prompt; resolves with stdout on exit 0. */ L87: function runClaude(prompt, timeoutMs = 120000) { ... L100: if (code === 0) L101: resolve(Buffer.concat(out).toString('utf-8')); L102: else
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/api/router.jsView on unpkg · L42
81}; L82: const TELEGRAM_API_BASE = process.env.TELEGRAM_API_BASE ?? 'https://api.telegram.org'; L83: /** Max simultaneous wizard/start Claude subprocesses to prevent resource exhaustion. */ ... L88: return new Promise((resolve, reject) => { L89: const child = (0, child_process_1.spawn)('claude', ['--print', '--dangerously-sk[redacted]'], { L90: env: { ...process.env },
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/api/router.jsView on unpkg · L81
dist/api/packages.jsView file
192try { L193: (0, child_process_1.execSync)(`npm install -g ${packageName}@latest`, { L194: stdio: ['pipe', 'pipe', 'pipe'],
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/api/packages.jsView on unpkg · L192
dist/agent/runner.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @0xmaxma/claude-gateway@1.3.18 matchedIdentity = npm:QDB4bWF4bWEvY2xhdWRlLWdhdGV3YXk:1.3.18 similarity = 0.960 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

dist/agent/runner.jsView on unpkg

Findings

4 Critical5 High3 Medium5 Low
CriticalRed Install Lifecycle Scriptpackage.json
CriticalCommand Output Exfiltrationdist/api/router.js
CriticalTrigger Reachable Dangerous Capabilitydist/api/router.js
CriticalPrevious Version Dangerous Deltadist/agent/runner.js
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist/discord/receiver.js
HighShell
HighSame File Env Network Executiondist/api/router.js
HighRuntime Package Installdist/api/packages.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License