registry  /  @claw-link/gateway-host  /  0.3.6

@claw-link/gateway-host@0.3.6

ClawLink Host Gateway — a secure, outbound-only worker that bridges a local agent CLI (OpenClaw, Hermes, Claude, Codex, Cursor) to your ClawLink agents. No inbound ports; authenticated per-agent by a Host Token.

AI Security Review

scanned 4d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a user-invoked ClawLink host worker that installs a background service, stores host tokens locally, polls ClawLink for jobs, and runs configured local agent CLIs as its documented purpose.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
Explicit CLI use such as clhost setup/install/run/add-agent/update
Impact
Runs user-configured AI runtimes on ClawLink jobs; no install-time execution, credential exfiltration, or unconsented agent-control mutation found.
Mechanism
outbound gateway worker plus optional background service and P2P transport
Rationale
The suspicious primitives are package-aligned: explicit service installation, local token storage, outbound bridge polling, and spawning configured AI CLIs are the advertised gateway behavior. I found no lifecycle execution, hidden exfiltration, destructive code, or unconsented AI-agent control-surface writes.
Evidence
package.jsonbin/cli.jsscripts/install.jsscripts/uninstall.jssrc/worker.jssrc/bridge.jssrc/adapters/base.jssrc/adapters/cli.jssrc/scaffold.jstemplates/codex/AGENTS.mdtemplates/claude/CLAUDE.mdtemplates/cursor/.cursor/rules/clawlink.mdc~/.clawlink-host/config.json~/.clawlink-host/app~/Library/LaunchAgents/co.clawlink.host.plist~/.config/systemd/user/clawlink-host.service~/.clawlink-host/run-host.cmd~/.clawlink-host/run-host.vbs~/.clawlink-host/task.xml
Network endpoints6
rgzinqbdnesinmbshgtc.supabase.co/functions/v1/host-bridgelocalhost:3000aps1-1.relay.n0.iroh.linkeuc1-1.relay.n0.iroh.linkuse1-1.relay.n0.iroh.linkusw1-1.relay.n0.iroh.link

Decision evidence

public snapshot
AI called this Clean at 82.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • scripts/install.js can create user services and copy app code under ~/.clawlink-host/app, but only via CLI commands.
  • src/adapters/base.js spawns configured AI runtime CLIs for remote ClawLink jobs.
  • Package ships native/harness-core.darwin-arm64.node for optional P2P transport.
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle hook.
  • bin/cli.js only dispatches explicit user commands; import alone does not run setup or worker.
  • src/bridge.js sends outbound Host Token-authenticated requests to the configured ClawLink bridge.
  • src/adapters/base.js uses argv arrays, shell:false on POSIX, and strips known unsafe approval flags.
  • templates/* contain benign agent workspace guidance and are copied only after interactive opt-in.
  • Binary strings match iroh/NAPI P2P transport, with no obvious credential harvesting or unrelated endpoints.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNativeBindingsNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 27 file(s), 112 KB of source, external domains: rgzinqbdnesinmbshgtc.supabase.co, schemas.microsoft.com, www.apple.com

Source & flagged code

6 flagged · loading source
native/index.jsView file
19try { L20: const lddPath = require('child_process').execSync('which ldd').toString().trim() L21: return readFileSync(lddPath, 'utf8').includes('musl')
High
Child Process

Package source references child process execution.

native/index.jsView on unpkg · L19
6L7: const { existsSync, readFileSync } = require('fs') L8: const { join } = require('path')
Medium
Dynamic Require

Package source references dynamic require/import behavior.

native/index.jsView on unpkg · L6
scripts/install.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @claw-link/gateway-host@0.3.4 matchedIdentity = npm:QGNsYXctbGluay9nYXRld2F5LWhvc3Q:0.3.4 similarity = 0.769 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

scripts/install.jsView on unpkg
36if (clhostOnPath()) return true; L37: try { execSync(`npm install -g @claw-link/gateway-host@${VERSION}`, { stdio: 'ignore', timeout: 120000 }); } L38: catch { /* no permission / offline — reportCli() prints the manual fallback */ }
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

scripts/install.jsView on unpkg · L36
8const readline = require('readline'); L9: const { execSync } = require('child_process'); L10: ... L18: L19: const VERSION = (() => { try { return require('../package.json').version; } catch { return '0.0.0'; } })(); L20: const RUNTIMES = ['openclaw', 'hermes', 'claude', 'codex', 'cursor']; ... L31: function clhostOnPath() { L32: const probe = process.platform === 'win32' ? 'where clhost' : 'command -v clhost'; L33: return execSafe(probe) != null; ... L78: if (runtime === 'openclaw') { L79: agent.local_gateway_url = await ask(rl, ' Local OpenClaw gateway URL', 'http://localhost:3000'); L80: agent.local_gateway_token = await ask(rl, ' Local OpenClaw gateway token (optional)', '');
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

scripts/install.jsView on unpkg · L8
native/harness-core.darwin-arm64.nodeView file
path = native/harness-core.darwin-arm64.node kind = native_binary sizeBytes = 7947056 magicHex = [redacted]
Medium
Ships Native Binary

Package ships native binary artifacts.

native/harness-core.darwin-arm64.nodeView on unpkg

Findings

1 Critical3 High6 Medium4 Low
CriticalPrevious Version Dangerous Deltascripts/install.js
HighChild Processnative/index.js
HighShell
HighRuntime Package Installscripts/install.js
MediumDynamic Requirenative/index.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencescripts/install.js
MediumShips Native Binarynative/harness-core.darwin-arm64.node
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings