registry  /  @0xmaxma/claude-gateway  /  1.3.20

@0xmaxma/claude-gateway@1.3.20

Multi-agent gateway for Claude

AI Security Review

scanned 7d ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The package is an AI agent gateway that spawns Claude subprocesses, generates MCP configs, syncs skills, and exposes authenticated API/dashboard routes. Risk is real agent-control capability, but source inspection did not confirm unconsented install-time mutation or classic malware.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
postinstall installs mcp dependencies; runtime gateway/API use activates Claude spawning, skill sync, package update, and bot integrations
Impact
Authenticated or configured users can drive Claude agents with broad tool access; runtime may alter Claude user config/skills, but not from the npm lifecycle hook.
Mechanism
agent gateway with permission-skipping Claude subprocesses and runtime MCP/skill setup
Policy narrative
On install, the only lifecycle action is a Bun dependency install under the bundled mcp directory. When the gateway is later run, it can create agent workspaces, generate MCP config, spawn Claude with skipped permissions, pre-trust workspaces in ~/.claude.json, sync skills into ~/.claude/skills, and interact with Telegram/Discord/npm/GitHub endpoints. These are powerful agent-platform behaviors, but they are aligned with the package’s declared gateway function and are runtime/API driven rather than a confirmed covert install-time hijack.
Rationale
Source inspection shows dangerous AI-agent capability and runtime Claude control-surface writes, but not the blockable pattern of unconsented lifecycle mutation of foreign/broad agent surfaces. Treat as warn-level agent extension lifecycle risk rather than malicious malware.
Evidence
package.jsondist/session/process.jsdist/shell/trust.jsdist/api/router.jsdist/api/packages.jsdist/skills/sync.jsdist/api/gateway-router.jsmcp/node_modules~/.claude-gateway/**~/.claude.json~/.claude/settings.json~/.claude/skills/**<agent workspace>/.sessions/<id>/mcp-config.json<agent workspace>/CLAUDE.md
Network endpoints5
api.telegram.orgdiscord.com/api/v10registry.npmjs.orgraw.githubusercontent.com/0xMaxMa/claude-gateway-appstore/main/apps.json127.0.0.1

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json postinstall runs `bun install --cwd mcp`, but does not directly write Claude/Codex control files.
  • dist/session/process.js writes per-session `workspace/.sessions/<id>/mcp-config.json`, merges ~/.claude settings, and launches Claude with `--dangerously-skip-permissions`.
  • dist/shell/trust.js can write ~/.claude.json trust/onboarding flags before spawning Claude.
  • dist/api/router.js runClaude uses `claude --print --dangerously-skip-permissions` for wizard generation.
  • dist/api/packages.js admin package-update route can run `npm install -g` for mapped packages.
  • dist/skills/sync.js syncs package/shared skills into ~/.claude/skills with marker cleanup at runtime.
Evidence against
  • No install-time code found that drops .mcp.json, CLAUDE.md, ~/.claude.json, or ~/.claude/skills entries.
  • Network endpoints are package-aligned: Telegram API, Discord API, npm registry, GitHub raw app/skill registry, localhost gateway callbacks.
  • Child process usage is core to the declared Claude gateway/agent runner and generally API/user-invoked.
  • Package writes mostly under ~/.claude-gateway agent workspaces, sessions, config, logs, media, and app state.
  • No credential harvesting or arbitrary exfiltration endpoint found; bot/API tokens are loaded for configured integrations.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 102 file(s), 1.19 MB of source, external domains: 127.0.0.1, api.telegram.org, cdn.jsdelivr.net, discord.com, github.com, raw.githubusercontent.com, registry.npmjs.org

Source & flagged code

8 flagged · loading source
package.jsonView file
scripts.postinstall = if command -v bun >/dev/null 2>&1; then bun install --cwd mcp; else echo 'Warning: bun not found. Run `cd mcp && bun install` manually to enable MCP tools.'; fi
Critical
Red Install Lifecycle Script

Install-time lifecycle script matches a deterministic static-gate block pattern.

package.jsonView on unpkg
scripts.postinstall = if command -v bun >/dev/null 2>&1; then bun install --cwd mcp; else echo 'Warning: bun not found. Run `cd mcp && bun install` manually to enable MCP tools.'; fi
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
dist/discord/receiver.jsView file
36exports.DiscordReceiver = void 0; L37: const child_process_1 = require("child_process"); L38: const path = __importStar(require("path"));
High
Child Process

Package source references child process execution.

dist/discord/receiver.jsView on unpkg · L36
dist/api/router.jsView file
42const path = __importStar(require("path")); L43: const child_process_1 = require("child_process"); L44: const runner_1 = require("../agent/runner"); ... L81: }; L82: const TELEGRAM_API_BASE = process.env.TELEGRAM_API_BASE ?? 'https://api.telegram.org'; L83: /** Max simultaneous wizard/start Claude subprocesses to prevent resource exhaustion. */ ... L85: const WIZARD_MAX_CONCURRENT = 2; L86: /** Call Claude --print with stdin prompt; resolves with stdout on exit 0. */ L87: function runClaude(prompt, timeoutMs = 120000) { ... L100: if (code === 0) L101: resolve(Buffer.concat(out).toString('utf-8')); L102: else
Critical
Command Output Exfiltration

Source executes local commands and sends command output to an external endpoint.

dist/api/router.jsView on unpkg · L42
42Trigger-reachable chain: manifest.main -> dist/index.js -> dist/api/gateway-router.js -> dist/api/router.js L42: const path = __importStar(require("path")); L43: const child_process_1 = require("child_process"); L44: const runner_1 = require("../agent/runner"); ... L81: }; L82: const TELEGRAM_API_BASE = process.env.TELEGRAM_API_BASE ?? 'https://api.telegram.org'; L83: /** Max simultaneous wizard/start Claude subprocesses to prevent resource exhaustion. */ ... L85: const WIZARD_MAX_CONCURRENT = 2; L86: /** Call Claude --print with stdin prompt; resolves with stdout on exit 0. */ L87: function runClaude(prompt, timeoutMs = 120000) { ... L100: if (code === 0) L101: resolve(Buffer.concat(out).toString('utf-8')); L102: else
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/api/router.jsView on unpkg · L42
81}; L82: const TELEGRAM_API_BASE = process.env.TELEGRAM_API_BASE ?? 'https://api.telegram.org'; L83: /** Max simultaneous wizard/start Claude subprocesses to prevent resource exhaustion. */ ... L88: return new Promise((resolve, reject) => { L89: const child = (0, child_process_1.spawn)('claude', ['--print', '--dangerously-sk[redacted]'], { L90: env: { ...process.env },
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/api/router.jsView on unpkg · L81
dist/api/packages.jsView file
192try { L193: (0, child_process_1.execSync)(`npm install -g ${packageName}@latest`, { L194: stdio: ['pipe', 'pipe', 'pipe'],
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/api/packages.jsView on unpkg · L192
dist/api/gateway-router.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @0xmaxma/claude-gateway@1.3.19 matchedIdentity = npm:QDB4bWF4bWEvY2xhdWRlLWdhdGV3YXk:1.3.19 similarity = 0.960 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/api/gateway-router.jsView on unpkg

Findings

4 Critical5 High3 Medium5 Low
CriticalRed Install Lifecycle Scriptpackage.json
CriticalCommand Output Exfiltrationdist/api/router.js
CriticalTrigger Reachable Dangerous Capabilitydist/api/router.js
CriticalPrevious Version Dangerous Deltadist/api/gateway-router.js
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist/discord/receiver.js
HighShell
HighSame File Env Network Executiondist/api/router.js
HighRuntime Package Installdist/api/packages.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License