AI Security Review
scanned 9d ago · by lpm-firewall-aiThe package exposes powerful runtime automation: spawning Claude sessions, package updates, Docker/app installation, and workspace prompt file writes. These are dangerous capabilities for a gateway but appear user/admin-invoked and package-aligned rather than covert malware.
Decision evidence
public snapshot- package.json postinstall runs `bun install --cwd mcp` when bun exists
- dist/session/process.js spawns Claude subprocesses with workspace cwd and env tokens
- dist/api/packages.js admin route can run `npm install -g ...@latest` at runtime
- dist/apps/installer.js can run git/docker/sudo commands for app installation workflows
- dist/index.js writes generated CLAUDE.md into configured agent workspaces
- No install-time code beyond package-manager install in mcp directory was found
- No hardcoded command-output exfiltration endpoint or hidden C2 host found
- Network hosts are package-aligned: Telegram, Discord, npm registry, GitHub/appstore, local gateway callbacks
- API routes use configured API-key auth for agent messages and package update admin checks
- Env file reads load declared ~/.claude-gateway and per-agent configuration for runtime operation
Source & flagged code
8 flagged · loading sourceInstall-time lifecycle script matches a deterministic static-gate block pattern.
package.jsonView on unpkgPackage defines install-time lifecycle scripts.
package.jsonView on unpkgPackage source references child process execution.
dist/discord/receiver.jsView on unpkg · L36Source executes local commands and sends command output to an external endpoint.
dist/api/router.jsView on unpkg · L42A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/api/router.jsView on unpkg · L42A single source file combines environment access, network access, and code or shell execution; review context before blocking.
dist/api/router.jsView on unpkg · L81Package source invokes a package manager install command at runtime.
dist/api/packages.jsView on unpkg · L192This package version adds a dangerous source file absent from the previous stored version.
dist/agent/runner.jsView on unpkg