registry  /  @12errh/antigravity-proxy  /  1.0.10

@12errh/antigravity-proxy@1.0.10

LLM proxy for Antigravity — translate Google Gemini API calls to any provider

AI Security Review

scanned 2d ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
npm postinstall migrates package data; user runs antigravity start/certs/setup/remove for proxy and cert actions
Impact
Can intercept and transform Antigravity model traffic and forward prompts to configured LLM providers; no confirmed covert exfiltration or destructive install behavior
Mechanism
explicit local AI proxy with hosts-file routing, trusted local TLS cert, and provider forwarding
Rationale
Source inspection shows a dangerous but package-aligned explicit proxy that mutates hosts and trust stores only through user-invoked commands; the postinstall hook is limited to package-owned data migration. Because it can control AI-agent traffic and inject context, warn rather than block.
Evidence
package.jsonbin/cli.jsdist/data-paths.jssrc/cli/commands/start.tssrc/cli/utils/cert.tssrc/install-context.tssrc/index.tssrc/adapter.tssrc/dashboard.ts~/.antigravity//etc/hostsC:\Windows\System32\drivers\etc\hosts/Library/Keychains/System.keychain/usr/local/share/ca-certificates/antigravity-proxy.crt
Network endpoints12
cloudcode-pa.googleapis.comdaily-cloudcode-pa.googleapis.comruntime.us-east-1.kiro.devkiro.devapp.kiro.devintegrate.api.nvidia.com/v1openrouter.ai/api/v1api.openai.com/v1api.groq.com/openai/v1api.anthropic.com/v1generativelanguage.googleapis.comopencode.ai/zen/v1

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • src/cli/utils/cert.ts adds/removes hosts entries for cloudcode-pa.googleapis.com, daily-cloudcode-pa.googleapis.com, kiro.dev, app.kiro.dev, runtime.us-east-1.kiro.dev
  • src/cli/utils/cert.ts can trust a locally generated TLS cert in OS trust stores
  • src/index.ts installs package agent context to ~/.antigravity and injects/rewrites model context when not in passthrough mode
  • bin/cli.js uses Windows UAC elevation helper for start/switch/remove/setup/certs/stop commands
  • src/cli/commands/start.ts can run npm install/npx tsc, kill ports, launch Antigravity, and configure proxy routing
Evidence against
  • package.json postinstall only calls dist/data-paths.js migrateUserData, copying old package data/certs/logs into ~/.antigravity
  • No install-time foreign AI-agent config mutation found beyond package-owned ~/.antigravity migration marker/data copy
  • Hosts/cert/proxy changes are activated by explicit CLI commands, mainly antigravity start/certs/remove
  • Network endpoints are aligned with an LLM proxy/provider product and user-configured providers
  • No credential harvesting or hardcoded exfiltration endpoint found; dashboard webhook is user-configured
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 133 file(s), 807 KB of source, external domains: api.anthropic.com, api.groq.com, api.openai.com, generativelanguage.googleapis.com, integrate.api.nvidia.com, opencode.ai, openrouter.ai

Source & flagged code

5 flagged · loading source
bin/cli.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @12errh/antigravity-proxy@1.0.7 matchedIdentity = npm:[redacted]:1.0.7 similarity = 0.642 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

bin/cli.jsView on unpkg
3import { createRequire } from 'module'; L4: import { execSync, spawn } from 'child_process'; L5: import { platform } from 'os';
High
Child Process

Package source references child process execution.

bin/cli.jsView on unpkg · L3
47const vbsFile = `${process.env.TEMP || ''}\\antigravity_elevate.vbs`; L48: const vbs = `Set oShell = CreateObject("Shell.Application")\noShell.ShellExecute "cmd.exe", "/c ""${tmpFile}""", "", "runas", 1`; L49: fs.writeFileSync(vbsFile, vbs, 'ascii');
High
Shell

Package source references shell execution.

bin/cli.jsView on unpkg · L47
dist/cli/utils/cert.jsView file
2import path from 'path'; L3: import { execSync } from 'child_process'; L4: import { platform } from 'os'; ... L38: const b64 = lines.join(''); L39: const derBytes = Buffer.from(b64, 'base64'); L40: const crypto = require('crypto');
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/cli/utils/cert.jsView on unpkg · L2
dist/cli/commands/start.jsView file
134depSpinner.text = 'Installing dependencies...'; L135: execSync('npm install --production', { cwd: PROXY_DIR, stdio: 'pipe', timeout: 120000 }); L136: succeedSpinner(depSpinner, 'Dependencies installed');
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/cli/commands/start.jsView on unpkg · L134

Findings

1 Critical3 High3 Medium7 Low
CriticalPrevious Version Dangerous Deltabin/cli.js
HighChild Processbin/cli.js
HighShellbin/cli.js
HighRuntime Package Installdist/cli/commands/start.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptodist/cli/utils/cert.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License