registry  /  @12errh/antigravity-proxy  /  1.0.5

@12errh/antigravity-proxy@1.0.5

LLM proxy for Antigravity — translate Google Gemini API calls to any provider

AI Security Review

scanned 6d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. Risky primitives are tied to the advertised local LLM proxy/CLI workflow and require explicit runtime commands or configuration.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs antigravity start/certs/config or sends requests through the proxy.
Impact
Routes Antigravity model traffic to configured providers and manages local proxy state; no confirmed unconsented exfiltration or payload execution.
Mechanism
User-invoked local proxy, certificate management, provider forwarding, and optional context injection.
Rationale
Static inspection found a user-invoked Antigravity LLM proxy with expected network forwarding, config writes, cert setup, and CLI process management, but no install-time/import-time malware or hidden credential exfiltration. Scanner flags map to package-aligned functionality rather than concrete malicious behavior.
Evidence
package.jsonbin/cli.jsdist/index.jsdist/cli/commands/start.jsdist/cli/utils/cert.jsdist/cli/utils/port.jsdist/install-context.jsdist/context-injector.jsdist/antigravity-context.jsdist/adapter.jsdist/router.js

Decision evidence

public snapshot
AI called this Clean at 82.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • dist/cli/commands/start.js can run npm install --production if node_modules is missing, but only during user-invoked antigravity start.
  • dist/cli/utils/cert.js can install a local TLS certificate into OS trust stores when start/certs trust is invoked.
  • dist/context-injector.js can inject Antigravity tool guidance into proxied model requests when contextStripMode is not passthrough.
Evidence against
  • package.json has no install/postinstall hooks; prepublishOnly only runs npm run build.
  • bin/cli.js only registers explicit CLI commands; no import-time execution beyond command setup.
  • dist/index.js is a local proxy/dashboard for Antigravity requests and forwards to configured LLM providers or Google backend.
  • Network endpoints are package-aligned providers: cloudcode-pa.googleapis.com, openrouter.ai, integrate.api.nvidia.com, api.openai.com, api.anthropic.com, api.groq.com, generativelanguage.googleapis.com, opencode.ai.
  • No source evidence of credential harvesting, hidden exfiltration, persistence beyond user config, destructive payloads, or reviewer/prompt manipulation aimed at this review.
  • Agent context content is operational tool guidance for Antigravity; no instructions to steal secrets or conceal behavior were found.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 123 file(s), 730 KB of source, external domains: api.anthropic.com, api.groq.com, api.openai.com, generativelanguage.googleapis.com, integrate.api.nvidia.com, opencode.ai, openrouter.ai

Source & flagged code

5 flagged · loading source
dist/cli/utils/port.jsView file
1import { execSync } from 'child_process'; L2: import { platform } from 'os';
High
Child Process

Package source references child process execution.

dist/cli/utils/port.jsView on unpkg · L1
dist/cli/utils/cert.jsView file
40const sha1 = crypto.createHash('sha1').update(derBytes).digest('hex').toUpperCase(); L41: const out = execSync(`powershell -NoProfile -Command "Get-ChildItem Cert:\\LocalMachine\\Root | Where-Object { $_.Thumbprint -eq '${sha1}' } | Measure-Object | Select-Object -Expan... L42: return out.trim() !== '0';
High
Shell

Package source references shell execution.

dist/cli/utils/cert.jsView on unpkg · L40
2import path from 'path'; L3: import { execSync } from 'child_process'; L4: import { platform } from 'os'; ... L37: const b64 = lines.join(''); L38: const derBytes = Buffer.from(b64, 'base64'); L39: const crypto = require('crypto');
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/cli/utils/cert.jsView on unpkg · L2
dist/cli/commands/start.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @12errh/antigravity-proxy@1.0.4 matchedIdentity = npm:[redacted]:1.0.4 similarity = 0.967 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

dist/cli/commands/start.jsView on unpkg
146console.log(' Installing dependencies...'); L147: execSync('npm install --production', { cwd: PROXY_DIR, stdio: 'inherit', timeout: 120000 }); L148: }
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/cli/commands/start.jsView on unpkg · L146

Findings

1 Critical3 High3 Medium7 Low
CriticalPrevious Version Dangerous Deltadist/cli/commands/start.js
HighChild Processdist/cli/utils/port.js
HighShelldist/cli/utils/cert.js
HighRuntime Package Installdist/cli/commands/start.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptodist/cli/utils/cert.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License