registry  /  @claw-link/gateway-host  /  0.3.3

@claw-link/gateway-host@0.3.3

ClawLink Host Gateway — a secure, outbound-only worker that bridges a local agent CLI (OpenClaw, Hermes, Claude, Codex, Cursor) to your ClawLink agents. No inbound ports; authenticated per-agent by a Host Token.

AI Security Review

scanned 5d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The package is a user-invoked gateway/worker that stores tokens locally, installs an explicit background service, and relays jobs to configured local AI runtimes.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs clhost setup/install/add-agent/run or npm start; no package lifecycle trigger.
Impact
Runs configured local agent CLIs and sends/receives job content through ClawLink; behavior is package-aligned and consent-driven.
Mechanism
Outbound authenticated gateway with optional native P2P transport and explicit service persistence.
Rationale
The suspicious primitives are consistent with the advertised gateway: explicit service installation, token-authenticated outbound bridge calls, local runtime spawning, and optional bundled native transport. I found no lifecycle execution, credential harvesting, unconsented AI-agent control-surface mutation, destructive behavior, or off-purpose exfiltration in the inspected source.
Evidence
package.jsonbin/cli.jsscripts/install.jssrc/worker.jssrc/bridge.jssrc/adapters/base.jssrc/adapters/codex.jssrc/transport/p2p.jsnative/index.jssrc/scaffold.jstemplates/codex/AGENTS.md~/.clawlink-host/config.json~/.clawlink-host/app~/.clawlink-host/transport.key~/Library/LaunchAgents/co.clawlink.host.plist~/.config/systemd/user/clawlink-host.service~/.clawlink-host/run-host.cmd~/.clawlink-host/run-host.vbs~/.clawlink-host/task.xml
Network endpoints2
rgzinqbdnesinmbshgtc.supabase.co/functions/v1/host-bridgelocalhost:3000

Decision evidence

public snapshot
AI called this Clean at 82.0% confidence as Benign with medium false-positive risk.
Evidence for block
    Evidence against
    • package.json has no install/postinstall lifecycle scripts; execution is via explicit CLI commands.
    • bin/cli.js dispatches user-invoked commands; default/setup routes to interactive installer, run routes to worker.
    • scripts/install.js persistence is explicit service installation/update under launchd/systemd/schtasks for the advertised background gateway.
    • src/bridge.js only posts host-token authenticated actions to the configured ClawLink host-bridge endpoint.
    • src/adapters/base.js spawns configured agent runtime with argv arrays and shell false on POSIX; forbidden unsafe flags are stripped.
    • templates/codex/AGENTS.md and scaffold.js add baseline agent files only after an interactive opt-in and do not overwrite existing files.
    Behavioral surface
    Source
    ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNativeBindingsNetworkShell
    Supply chain
    HighEntropyStringsUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 26 file(s), 98.4 KB of source, external domains: rgzinqbdnesinmbshgtc.supabase.co, schemas.microsoft.com, www.apple.com

    Source & flagged code

    6 flagged · loading source
    native/index.jsView file
    19try { L20: const lddPath = require('child_process').execSync('which ldd').toString().trim() L21: return readFileSync(lddPath, 'utf8').includes('musl')
    High
    Child Process

    Package source references child process execution.

    native/index.jsView on unpkg · L19
    6L7: const { existsSync, readFileSync } = require('fs') L8: const { join } = require('path')
    Medium
    Dynamic Require

    Package source references dynamic require/import behavior.

    native/index.jsView on unpkg · L6
    scripts/install.jsView file
    33if (clhostOnPath()) return true; L34: try { execSync(`npm install -g @claw-link/gateway-host@${VERSION}`, { stdio: 'ignore', timeout: 120000 }); } L35: catch { /* no permission / offline — reportCli() prints the manual fallback */ }
    High
    Runtime Package Install

    Package source invokes a package manager install command at runtime.

    scripts/install.jsView on unpkg · L33
    8const readline = require('readline'); L9: const { execSync } = require('child_process'); L10: ... L15: L16: const VERSION = (() => { try { return require('../package.json').version; } catch { return '0.0.0'; } })(); L17: const RUNTIMES = ['openclaw', 'hermes', 'claude', 'codex', 'cursor']; ... L28: function clhostOnPath() { L29: const probe = process.platform === 'win32' ? 'where clhost' : 'command -v clhost'; L30: return execSafe(probe) != null; ... L75: if (runtime === 'openclaw') { L76: agent.local_gateway_url = await ask(rl, ' Local OpenClaw gateway URL', 'http://localhost:3000'); L77: agent.local_gateway_token = await ask(rl, ' Local OpenClaw gateway token (optional)', '');
    Medium
    Install Persistence

    Source writes installer persistence such as shell profile or service configuration.

    scripts/install.jsView on unpkg · L8
    native/harness-core.darwin-arm64.nodeView file
    path = native/harness-core.darwin-arm64.node kind = native_binary sizeBytes = 7914016 magicHex = [redacted]
    Medium
    Ships Native Binary

    Package ships native binary artifacts.

    native/harness-core.darwin-arm64.nodeView on unpkg
    src/transport/p2p.jsView file
    matchType = previous_version_dangerous_delta matchedPackage = @claw-link/gateway-host@0.3.4 matchedIdentity = npm:QGNsYXctbGluay9nYXRld2F5LWhvc3Q:0.3.4 similarity = 0.846 summary = stored previous version shares package body but lacks this dangerous source file
    Critical
    Previous Version Dangerous Delta

    This package version adds a dangerous source file absent from the previous stored version.

    src/transport/p2p.jsView on unpkg

    Findings

    1 Critical3 High6 Medium4 Low
    CriticalPrevious Version Dangerous Deltasrc/transport/p2p.js
    HighChild Processnative/index.js
    HighShell
    HighRuntime Package Installscripts/install.js
    MediumDynamic Requirenative/index.js
    MediumNetwork
    MediumEnvironment Vars
    MediumInstall Persistencescripts/install.js
    MediumShips Native Binarynative/harness-core.darwin-arm64.node
    MediumStructural Risk Force Deep Review
    LowScripts Present
    LowFilesystem
    LowHigh Entropy Strings
    LowUrl Strings