registry  /  @claw-link/gateway-host  /  0.3.8

@claw-link/gateway-host@0.3.8

ClawLink Host Gateway — a secure, outbound-only worker that bridges a local agent CLI (OpenClaw, Hermes, Claude, Codex, Cursor) to your ClawLink agents. No inbound ports; authenticated per-agent by a Host Token.

AI Security Review

scanned 3d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The package is an explicit host gateway that installs a user service and runs configured AI-agent CLIs after operator setup.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs clhost setup/install/add-agent/run/update or starts the installed service.
Impact
Can persist a background service and execute configured local agent runtimes for claimed jobs, consistent with package purpose.
Mechanism
User-invoked host gateway, service installer, outbound bridge polling, configured CLI spawning, optional P2P transport.
Rationale
Static source inspection shows risky primitives are aligned with a user-invoked AI host gateway: service installation, bridge networking, native P2P acceleration, and configured runtime spawning. I found no lifecycle execution, credential harvesting beyond configured host tokens, unrelated exfiltration, destructive behavior, or unconsented AI-agent control-surface mutation.
Evidence
package.jsonbin/cli.jsscripts/install.jssrc/config.jssrc/bridge.jssrc/worker.jssrc/adapters/base.jssrc/adapters/cli.jssrc/scaffold.jssrc/transport/p2p.jsnative/index.js~/.clawlink-host/config.json~/.clawlink-host/app~/Library/LaunchAgents/co.clawlink.host.plist~/.config/systemd/user/clawlink-host.service~/.clawlink-host/run-host.cmd~/.clawlink-host/run-host.vbs~/.clawlink-host/task.xml~/.clawlink-host/transport.keyagent workspace baseline files
Network endpoints6
rgzinqbdnesinmbshgtc.supabase.co/functions/v1/host-bridgelocalhost:3000aps1-1.relay.n0.iroh.linkeuc1-1.relay.n0.iroh.linkuse1-1.relay.n0.iroh.linkusw1-1.relay.n0.iroh.link

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • scripts/install.js can create launchd/systemd/schtasks services, but only via user-invoked setup/install/update commands
  • src/adapters/base.js spawns configured agent CLIs and src/worker.js executes remote claimed jobs by design
  • native/harness-core.darwin-arm64.node ships native QUIC/P2P code; strings show iroh relay/client libraries, not unrelated payloads
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle hook
  • bin/cli.js only dispatches explicit CLI commands; import does not start service or worker
  • scripts/install.js global npm install is best-effort to expose clhost during setup, not lifecycle execution
  • src/bridge.js sends token-authenticated outbound requests only to configured bridge URL
  • src/scaffold.js copies baseline AGENTS/CLAUDE files only after interactive opt-in and never overwrites existing files
  • src/adapters/base.js uses argv arrays, shell:false on POSIX, redacts secrets, and filters known auto-approve flags
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNativeBindingsNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 27 file(s), 120 KB of source, external domains: rgzinqbdnesinmbshgtc.supabase.co, schemas.microsoft.com, www.apple.com

Source & flagged code

6 flagged · loading source
native/index.jsView file
19try { L20: const lddPath = require('child_process').execSync('which ldd').toString().trim() L21: return readFileSync(lddPath, 'utf8').includes('musl')
High
Child Process

Package source references child process execution.

native/index.jsView on unpkg · L19
6L7: const { existsSync, readFileSync } = require('fs') L8: const { join } = require('path')
Medium
Dynamic Require

Package source references dynamic require/import behavior.

native/index.jsView on unpkg · L6
scripts/install.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @claw-link/gateway-host@0.3.10 matchedIdentity = npm:QGNsYXctbGluay9nYXRld2F5LWhvc3Q:0.3.10 similarity = 0.704 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

scripts/install.jsView on unpkg
36if (clhostOnPath()) return true; L37: try { execSync(`npm install -g @claw-link/gateway-host@${VERSION}`, { stdio: 'ignore', timeout: 120000 }); } L38: catch { /* no permission / offline — reportCli() prints the manual fallback */ }
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

scripts/install.jsView on unpkg · L36
8const readline = require('readline'); L9: const { execSync } = require('child_process'); L10: ... L18: L19: const VERSION = (() => { try { return require('../package.json').version; } catch { return '0.0.0'; } })(); L20: const RUNTIMES = ['openclaw', 'hermes', 'claude', 'codex', 'cursor']; ... L31: function clhostOnPath() { L32: const probe = process.platform === 'win32' ? 'where clhost' : 'command -v clhost'; L33: return execSafe(probe) != null; ... L78: if (runtime === 'openclaw') { L79: agent.local_gateway_url = await ask(rl, ' Local OpenClaw gateway URL', 'http://localhost:3000'); L80: agent.local_gateway_token = await ask(rl, ' Local OpenClaw gateway token (optional)', '');
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

scripts/install.jsView on unpkg · L8
native/harness-core.darwin-arm64.nodeView file
path = native/harness-core.darwin-arm64.node kind = native_binary sizeBytes = 7947056 magicHex = [redacted]
Medium
Ships Native Binary

Package ships native binary artifacts.

native/harness-core.darwin-arm64.nodeView on unpkg

Findings

1 Critical3 High6 Medium4 Low
CriticalPrevious Version Dangerous Deltascripts/install.js
HighChild Processnative/index.js
HighShell
HighRuntime Package Installscripts/install.js
MediumDynamic Requirenative/index.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencescripts/install.js
MediumShips Native Binarynative/harness-core.darwin-arm64.node
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings