registry  /  @claw-link/gateway-host  /  0.3.13

@claw-link/gateway-host@0.3.13

ClawLink Host Gateway — a secure, outbound-only worker that bridges a local agent CLI (OpenClaw, Hermes, Claude, Codex, Cursor) to your ClawLink agents. No inbound ports; authenticated per-agent by a Host Token.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. This is a first-party ClawLink host gateway with explicit setup of a persistent service that can run local AI agent CLIs for remotely claimed jobs. The capability is high impact but transparent and package-aligned, with no install-time activation.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs clhost setup/install/add-agent/link/run or starts the installed service
Impact
Remote ClawLink jobs can cause local agent CLI execution within configured workspaces and permissions; trusted writable turns may allow shell-capable agent execution.
Mechanism
persistent agent gateway polling ClawLink and spawning configured local runtimes
Rationale
Source inspection shows powerful remote-agent gateway behavior and persistent service setup, but all activation is explicit and aligned with the package purpose. There is no npm lifecycle execution, hidden payload, credential harvesting, or unconsented AI-agent hijack, so warn rather than block.
Evidence
package.jsonbin/cli.jsscripts/install.jsscripts/uninstall.jssrc/worker.jssrc/bridge.jssrc/config.jssrc/adapters/base.jssrc/adapters/cli.jssrc/adapters/codex.jssrc/adapters/claude.jssrc/scaffold.js~/.clawlink-host/config.json~/.clawlink-host/app~/.clawlink-host/host.log~/Library/LaunchAgents/co.clawlink.host.plist~/.config/systemd/user/clawlink-host.service~/.clawlink-host/run-host.cmd~/.clawlink-host/run-host.vbs~/.clawlink-host/task.xml<agent work_dir>/AGENTS.md<agent work_dir>/CLAUDE.md<agent work_dir>/.clawlink/attachments
Network endpoints3
rgzinqbdnesinmbshgtc.supabase.co/functions/v1/host-bridgergzinqbdnesinmbshgtc.supabase.co/functions/v1/host-linklocalhost:3000

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • scripts/install.js explicitly installs persistent launchd/systemd/Windows scheduled-task service on user command
  • src/worker.js polls ClawLink bridge for remote jobs and dispatches them to local agent runtimes
  • src/adapters/base.js spawns configured local CLIs; codex/claude adapters can use stronger write/shell permissions for trusted writable turns
  • scripts/install.js can copy package into ~/.clawlink-host/app and write baseline agent files into workspaces
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks
  • bin/cli.js only activates setup/install/run behavior through explicit CLI commands
  • networking is package-aligned: ClawLink host bridge, link redemption, localhost OpenClaw, attachment URLs
  • src/adapters/base.js uses argv arrays on POSIX and filters known auto-approve flags in args_template
  • src/logger.js redacts configured tokens; config.js stores tokens under ~/.clawlink-host/config.json mode 0600
  • No eval/vm, credential harvesting, destructive payload, or unconsented broad AI-agent config mutation found
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNativeBindingsNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 27 file(s), 135 KB of source, external domains: rgzinqbdnesinmbshgtc.supabase.co, schemas.microsoft.com, www.apple.com

Source & flagged code

6 flagged · loading source
native/index.jsView file
19try { L20: const lddPath = require('child_process').execSync('which ldd').toString().trim() L21: return readFileSync(lddPath, 'utf8').includes('musl')
High
Child Process

Package source references child process execution.

native/index.jsView on unpkg · L19
6L7: const { existsSync, readFileSync } = require('fs') L8: const { join } = require('path')
Medium
Dynamic Require

Package source references dynamic require/import behavior.

native/index.jsView on unpkg · L6
scripts/install.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @claw-link/gateway-host@0.3.11 matchedIdentity = npm:QGNsYXctbGluay9nYXRld2F5LWhvc3Q:0.3.11 similarity = 0.926 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

scripts/install.jsView on unpkg
36if (clhostOnPath()) return true; L37: try { execSync(`npm install -g @claw-link/gateway-host@${VERSION}`, { stdio: 'ignore', timeout: 120000 }); } L38: catch { /* no permission / offline — reportCli() prints the manual fallback */ }
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

scripts/install.jsView on unpkg · L36
8const readline = require('readline'); L9: const { execSync } = require('child_process'); L10: ... L18: L19: const VERSION = (() => { try { return require('../package.json').version; } catch { return '0.0.0'; } })(); L20: const RUNTIMES = ['openclaw', 'hermes', 'claude', 'codex', 'cursor']; ... L31: function clhostOnPath() { L32: const probe = process.platform === 'win32' ? 'where clhost' : 'command -v clhost'; L33: return execSafe(probe) != null; ... L78: if (runtime === 'openclaw') { L79: agent.local_gateway_url = await ask(rl, ' Local OpenClaw gateway URL', 'http://localhost:3000'); L80: agent.local_gateway_token = await ask(rl, ' Local OpenClaw gateway token (optional)', '');
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

scripts/install.jsView on unpkg · L8
native/harness-core.darwin-arm64.nodeView file
path = native/harness-core.darwin-arm64.node kind = native_binary sizeBytes = 7947056 magicHex = [redacted]
Medium
Ships Native Binary

Package ships native binary artifacts.

native/harness-core.darwin-arm64.nodeView on unpkg

Findings

1 Critical3 High6 Medium4 Low
CriticalPrevious Version Dangerous Deltascripts/install.js
HighChild Processnative/index.js
HighShell
HighRuntime Package Installscripts/install.js
MediumDynamic Requirenative/index.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencescripts/install.js
MediumShips Native Binarynative/harness-core.darwin-arm64.node
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings