AI Security Review
scanned 7d ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. The package is an AI agent gateway that spawns Claude subprocesses, generates MCP configs, syncs skills, and exposes authenticated API/dashboard routes. Risk is real agent-control capability, but source inspection did not confirm unconsented install-time mutation or classic malware.
Decision evidence
public snapshot- package.json postinstall runs `bun install --cwd mcp`, but does not directly write Claude/Codex control files.
- dist/session/process.js writes per-session `workspace/.sessions/<id>/mcp-config.json`, merges ~/.claude settings, and launches Claude with `--dangerously-skip-permissions`.
- dist/shell/trust.js can write ~/.claude.json trust/onboarding flags before spawning Claude.
- dist/api/router.js runClaude uses `claude --print --dangerously-skip-permissions` for wizard generation.
- dist/api/packages.js admin package-update route can run `npm install -g` for mapped packages.
- dist/skills/sync.js syncs package/shared skills into ~/.claude/skills with marker cleanup at runtime.
- No install-time code found that drops .mcp.json, CLAUDE.md, ~/.claude.json, or ~/.claude/skills entries.
- Network endpoints are package-aligned: Telegram API, Discord API, npm registry, GitHub raw app/skill registry, localhost gateway callbacks.
- Child process usage is core to the declared Claude gateway/agent runner and generally API/user-invoked.
- Package writes mostly under ~/.claude-gateway agent workspaces, sessions, config, logs, media, and app state.
- No credential harvesting or arbitrary exfiltration endpoint found; bot/API tokens are loaded for configured integrations.
Source & flagged code
8 flagged · loading sourceInstall-time lifecycle script matches a deterministic static-gate block pattern.
package.jsonView on unpkgPackage defines install-time lifecycle scripts.
package.jsonView on unpkgPackage source references child process execution.
dist/discord/receiver.jsView on unpkg · L36Source executes local commands and sends command output to an external endpoint.
dist/api/router.jsView on unpkg · L42A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/api/router.jsView on unpkg · L42A single source file combines environment access, network access, and code or shell execution; review context before blocking.
dist/api/router.jsView on unpkg · L81Package source invokes a package manager install command at runtime.
dist/api/packages.jsView on unpkg · L192This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/api/gateway-router.jsView on unpkg