
@alfe.ai/gateway@0.3.0

Alfe local gateway daemon — persistent control plane for agent integrations

AI Security Review

scanned 20h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
High-risk behavior combination matched malicious policy; previous stored version diff introduced dangerous source
Trigger
User runs alfe-gateway daemon/start/install or imports and calls exported daemon functions.
Impact
Authenticated Alfe cloud commands can update runtimes, reconcile integrations, call MCP tools, and execute registered integration handlers in the agent environment.
Mechanism
persistent cloud-controlled agent gateway with runtime upgrades, MCP operations, and dynamic integration handlers
Policy narrative
When explicitly started, the daemon reads Alfe config, opens a local IPC socket, connects to Alfe cloud over WebSocket, and can process authenticated cloud desired-state and command messages. Those commands can update CLI/runtime packages, reconcile integrations, register/import handler files, and operate MCP servers. Service persistence is available through explicit CLI install, not npm lifecycle execution.
Rationale
Static inspection confirms a high-privilege agent gateway, but its dangerous primitives are documented, user-invoked, and aligned with the package purpose; no hidden install hook, credential harvesting, remote asset decode/execute, or unconsented foreign agent control-surface mutation was found. Warn due to persistent remote agent-control capability and dynamic integration execution.
Evidence
  • package.json
  • README.md
  • dist/bin/gateway.js
  • dist/health.js
  • dist/upgrade.js
  • dist/runtime-upgrade.js
  • dist/logger.js
  • ~/.alfe/config.toml
  • ~/.alfe/gateway.sock
  • ~/.alfe/gateway.pid
  • ~/.alfe/logs/gateway.log
  • ~/Library/LaunchAgents/ai.alfe.gateway.plist
  • ~/.config/systemd/user/alfe-gateway.service
  • /etc/systemd/system/alfe-gateway.service
  • ~/.openclaw
  • ~/.hermes
Network endpoints (3)
  • wss://gateway.alfe.ai/ws
  • a47f010d8d39fb4350f913492189f283@o4511008239452160.ingest.us.sentry.io/4511679448547328
  • 82dde4631336561f2fcc89d7531623de@o4511008239452160.ingest.us.sentry.io/4511679411191808

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/health.js starts a persistent Alfe cloud WebSocket using user's API key and accepts COMMAND/DESIRED_STATE messages.
  • dist/health.js handles cloud commands for daemon.update/runtime.update, running npm install -g or runtime update commands.
  • dist/health.js dynamically imports integration handler files registered after cloud-driven reconciliation.
  • dist/health.js can add/remove/call MCP servers through local IPC and an MCP bundler.
  • dist/health.js installService writes launchd/systemd persistence, but only via explicit CLI install command.
Evidence against
  • package.json has no npm lifecycle hooks, so install/import does not auto-run service setup.
  • dist/bin/gateway.js exposes user-invoked CLI commands; daemon/start/install are not hidden install-time behavior.
  • eval/new Function matches are bundled dependency capability checks, not remote asset decode/execute logic.
  • Network use is package-aligned: Alfe API, gateway WebSocket, AI proxy, and Sentry telemetry.
  • OpenClaw MCP cleanup preserves non-Alfe user entries and is sentinel-gated.
Behavioral surface
Source
ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Eval, Filesystem, Network, Shell, WebSocket
Supply chain
HighEntropyStrings, UrlStrings
Manifest
NoLicense
scanned 6 file(s), 726 KB of source, external domains: 127.0.0.1, adaptivecards.io, aws.amazon.com, dotenvx.com, github.com, json-schema.org, www.apple.com, www.google.com, your-log-dashboard-url.com

Source & flagged code

7 flagged
dist/health.js
L3: import { mkdir, readFile, rename, stat, unlink, writeFile } from "node:fs/promises";
L4: import { execFile, execSync, spawn } from "node:child_process";
L5: import { promisify } from "node:util";
...
L12: import { parse } from "smol-toml";
L13: import WebSocket from "ws";
L14: import { createConnection, createServer } from "node:net";
...
L327: }
L328: const body = await res.json();
L329: if (!res.ok) return {
...
L360: ok: true,
L361: data: result.body.data
L362: };
Critical
Remote Asset Decode Execute

Source fetches a remote non-code asset, decodes its contents, and dynamically executes the decoded payload.

dist/health.js · L3
Trigger-reachable chain: manifest.main -> dist/src/index.js -> dist/health.js
Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/health.js
matchType = previous_version_dangerous_delta matchedPackage = @alfe.ai/gateway@0.2.5 matchedIdentity = npm:QGFsZmUuYWkvZ2F0ZXdheQ:0.2.5 similarity = 0.667 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/health.js
L3: import { mkdir, readFile, rename, stat, unlink, writeFile } from "node:fs/promises";
L4: import { execFile, execSync, spawn } from "node:child_process";
L5: import { promisify } from "node:util";
High
Child Process

Package source references child process execution.

dist/health.js · L3
L870: try {
L871: new Function("");
L872: return true;
High
Eval

Package source references dynamic code evaluation.

dist/health.js · L870
L58: }) : target, mod));
L59: var __require = /* @__PURE__ */ createRequire(import.meta.url);
L60: //#endregion
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/health.js · L58
L3: import { mkdir, readFile, rename, stat, unlink, writeFile } from "node:fs/promises";
L4: import { execFile, execSync, spawn } from "node:child_process";
L5: import { promisify } from "node:util";
...
L12: import { parse } from "smol-toml";
L13: import WebSocket from "ws";
L14: import { createConnection, createServer } from "node:net";
...
L327: }
L328: const body = await res.json();
L329: if (!res.ok) return {
...
L360: ok: true,
L361: data: result.body.data
L362: };
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/health.js · L3

Findings

3 Critical · 3 High · 5 Medium · 5 Low
Critical · Remote Asset Decode Execute · dist/health.js
Critical · Trigger Reachable Dangerous Capability · dist/health.js
Critical · Previous Version Dangerous Delta · dist/health.js
High · Child Process · dist/health.js
High · Shell
High · Eval · dist/health.js
Medium · Dynamic Require · dist/health.js
Medium · Network
Medium · Environment Vars
Medium · Install Persistence · dist/health.js
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings
Low · No License