registry  /  @12errh/antigravity-proxy  /  1.0.6

@12errh/antigravity-proxy@1.0.6

LLM proxy for Antigravity — translate Google Gemini API calls to any provider

AI Security Review

scanned 6d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. Risky primitives are tied to the stated local LLM proxy function and require explicit CLI/runtime use.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
user runs antigravity start or related CLI commands
Impact
Intercepts and transforms Antigravity model requests as advertised; no hidden credential harvesting or install-time execution confirmed.
Mechanism
local HTTPS proxy, certificate setup, provider forwarding, optional context file install
Rationale
The package contains powerful proxy, certificate, process, and AI-context modification behavior, but source inspection shows it is activated by explicit CLI use and matches the advertised Antigravity LLM proxy purpose. I found no install-time payload, hidden exfiltration, destructive behavior, or unconsented AI-agent control mutation.
Evidence
package.jsonbin/cli.jsdist/index.jsdist/config.jsdist/install-context.jsdist/context-injector.jsdist/workspace-context.jsdist/cli/commands/start.jsdist/cli/utils/cert.jsdist/cli/utils/port.jsdist/adapter.js~/.antigravity/agent-context.md~/.antigravity/.context-installedcerts/cert.pemcerts/key.pem.envlogs/
Network endpoints12
cloudcode-pa.googleapis.comdaily-cloudcode-pa.googleapis.comintegrate.api.nvidia.com/v1openrouter.ai/api/v1api.openai.com/v1api.groq.com/openai/v1api.anthropic.com/v1generativelanguage.googleapis.comopencode.ai/zen/v1opencode.ai/zen/go/v1localhost:4000localhost:11434

Decision evidence

public snapshot
AI called this Clean at 82.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • dist/install-context.js writes agent-context.md to ~/.antigravity on proxy startup when source exists
  • dist/cli/commands/start.js can run npm install --production if node_modules is missing
  • dist/cli/utils/cert.js uses sudo/certutil/security to trust a local TLS cert on user command
Evidence against
  • package.json has no install/postinstall hook; prepublishOnly only runs build before publishing
  • bin/cli.js exposes user-invoked commands; start is not import-time execution
  • dist/index.js proxy behavior is package-aligned: local dashboard/TLS proxy and LLM provider forwarding
  • dist/adapter.js provider endpoints are standard configurable LLM APIs, not hidden exfil hosts
  • dist/cli/utils/port.js only enumerates/kills processes on configured proxy ports
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 123 file(s), 738 KB of source, external domains: api.anthropic.com, api.groq.com, api.openai.com, generativelanguage.googleapis.com, integrate.api.nvidia.com, opencode.ai, openrouter.ai

Source & flagged code

5 flagged · loading source
dist/cli/utils/port.jsView file
1import { execSync } from 'child_process'; L2: import { platform } from 'os';
High
Child Process

Package source references child process execution.

dist/cli/utils/port.jsView on unpkg · L1
dist/cli/utils/cert.jsView file
40const sha1 = crypto.createHash('sha1').update(derBytes).digest('hex').toUpperCase(); L41: const out = execSync(`powershell -NoProfile -Command "Get-ChildItem Cert:\\LocalMachine\\Root | Where-Object { $_.Thumbprint -eq '${sha1}' } | Measure-Object | Select-Object -Expan... L42: return out.trim() !== '0';
High
Shell

Package source references shell execution.

dist/cli/utils/cert.jsView on unpkg · L40
2import path from 'path'; L3: import { execSync } from 'child_process'; L4: import { platform } from 'os'; ... L37: const b64 = lines.join(''); L38: const derBytes = Buffer.from(b64, 'base64'); L39: const crypto = require('crypto');
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/cli/utils/cert.jsView on unpkg · L2
dist/cli/commands/start.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @12errh/antigravity-proxy@1.0.5 matchedIdentity = npm:[redacted]:1.0.5 similarity = 0.875 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

dist/cli/commands/start.jsView on unpkg
135console.log(' Installing dependencies...'); L136: execSync('npm install --production', { cwd: PROXY_DIR, stdio: 'inherit', timeout: 120000 }); L137: }
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/cli/commands/start.jsView on unpkg · L135

Findings

1 Critical3 High3 Medium7 Low
CriticalPrevious Version Dangerous Deltadist/cli/commands/start.js
HighChild Processdist/cli/utils/port.js
HighShelldist/cli/utils/cert.js
HighRuntime Package Installdist/cli/commands/start.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptodist/cli/utils/cert.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License