@claw-link/gateway-host@0.3.11

ClawLink Host Gateway — a secure, outbound-only worker that bridges a local agent CLI (OpenClaw, Hermes, Claude, Codex, Cursor) to your ClawLink agents. No inbound ports; authenticated per-agent by a Host Token.

AI Security Review

scanned 1h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious attack surface, but the package is a first-party AI-agent host gateway that installs a persistent local worker and can execute remote jobs through local agent CLIs after explicit setup.

Static reason
One or more suspicious static signals were detected; previous stored version diff introduced dangerous source.
Trigger
User runs clhost setup/install/add-agent/run and provides a Host Token.
Impact
Persistent ClawLink worker can run configured AI agent runtimes in selected workspaces; trusted profile can allow shell-capable writable turns.
Mechanism
explicit service setup plus remote job polling and local runtime spawning
Rationale
Static inspection does not support a malicious verdict: risky primitives are explicit ClawLink host-gateway functionality, with no install-time hook, stealth exfiltration, destructive action, or unconsented broad AI-agent control mutation. Because it installs a persistent agent host and can run remote jobs through local AI CLIs, downgrade to warn rather than mark fully clean.
Evidence
  • package.json
  • bin/cli.js
  • scripts/install.js
  • src/config.js
  • src/bridge.js
  • src/worker.js
  • src/adapters/base.js
  • src/adapters/cli.js
  • src/adapters/codex.js
  • templates/codex/AGENTS.md
  • ~/.clawlink-host/config.json
  • ~/.clawlink-host/app
  • ~/Library/LaunchAgents/co.clawlink.host.plist
  • ~/.config/systemd/user/clawlink-host.service
  • ~/.clawlink-host/run-host.cmd
  • ~/.clawlink-host/run-host.vbs
  • ~/.clawlink-host/task.xml
  • <agent work_dir>/AGENTS.md
  • <agent work_dir>/CLAUDE.md
  • <agent work_dir>/.clawlink/attachments
Network endpoints (2)
  • rgzinqbdnesinmbshgtc.supabase.co/functions/v1/host-bridge
  • localhost:3000

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • scripts/install.js explicitly installs persistent launchd/systemd/Windows scheduled-task service on user command
  • src/worker.js polls remote host-bridge jobs and runs configured local AI runtimes
  • src/adapters/codex.js can grant writable turns workspace-write or trusted danger-full-access when configured
  • src/adapters/cli.js downloads job attachments into workspace and spawns local runtime binaries
  • templates/codex/AGENTS.md and templates/claude/CLAUDE.md add agent workspace instructions when user opts in
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks
  • bin/cli.js only dispatches explicit CLI commands; setup/install are user-invoked
  • scripts/install.js service and config writes are under named ClawLink paths and package-owned service labels
  • src/bridge.js uses fixed ClawLink/Supabase host-bridge endpoint with bearer Host Token, aligned with package purpose
  • src/adapters/base.js uses spawn argv arrays with shell false on POSIX and filters auto-approve flags from args_template
  • No credential harvesting beyond user-provided host/local gateway tokens and no stealth exfiltration found
Behavioral surface
Source
ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Filesystem, NativeBindings, Network, Shell
Supply chain
HighEntropyStrings, UrlStrings
Manifest
No manifest risk signals triggered.
scanned 27 file(s), 131 KB of source, external domains: rgzinqbdnesinmbshgtc.supabase.co, schemas.microsoft.com, www.apple.com

Source & flagged code

6 flagged
native/index.js
L19: try {
L20:   const lddPath = require('child_process').execSync('which ldd').toString().trim()
L21:   return readFileSync(lddPath, 'utf8').includes('musl')
High
Child Process

Package source references child process execution.

native/index.js · L19
L6:
L7: const { existsSync, readFileSync } = require('fs')
L8: const { join } = require('path')
Medium
Dynamic Require

Package source references dynamic require/import behavior.

native/index.js · L6
scripts/install.js
matchType = previous_version_dangerous_delta
matchedPackage = @claw-link/gateway-host@0.3.10
matchedIdentity = npm:QGNsYXctbGluay9nYXRld2F5LWhvc3Q:0.3.10
similarity = 0.741
summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

scripts/install.js
L36: if (clhostOnPath()) return true;
L37: try { execSync(`npm install -g @claw-link/gateway-host@${VERSION}`, { stdio: 'ignore', timeout: 120000 }); }
L38: catch { /* no permission / offline — reportCli() prints the manual fallback */ }
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

scripts/install.js · L36
L8: const readline = require('readline');
L9: const { execSync } = require('child_process');
L10: ...
L18:
L19: const VERSION = (() => { try { return require('../package.json').version; } catch { return '0.0.0'; } })();
L20: const RUNTIMES = ['openclaw', 'hermes', 'claude', 'codex', 'cursor'];
...
L31: function clhostOnPath() {
L32:   const probe = process.platform === 'win32' ? 'where clhost' : 'command -v clhost';
L33:   return execSafe(probe) != null;
...
L78: if (runtime === 'openclaw') {
L79:   agent.local_gateway_url = await ask(rl, ' Local OpenClaw gateway URL', 'http://localhost:3000');
L80:   agent.local_gateway_token = await ask(rl, ' Local OpenClaw gateway token (optional)', '');
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

scripts/install.js · L8
native/harness-core.darwin-arm64.node
path = native/harness-core.darwin-arm64.node
kind = native_binary
sizeBytes = 7947056
magicHex = [redacted]
Medium
Ships Native Binary

Package ships native binary artifacts.

native/harness-core.darwin-arm64.node

Findings

1 Critical · 3 High · 6 Medium · 4 Low
  • Critical · Previous Version Dangerous Delta · scripts/install.js
  • High · Child Process · native/index.js
  • High · Shell
  • High · Runtime Package Install · scripts/install.js
  • Medium · Dynamic Require · native/index.js
  • Medium · Network
  • Medium · Environment Vars
  • Medium · Install Persistence · scripts/install.js
  • Medium · Ships Native Binary · native/harness-core.darwin-arm64.node
  • Medium · Structural Risk Force Deep Review
  • Low · Scripts Present
  • Low · Filesystem
  • Low · High Entropy Strings
  • Low · Url Strings