registry  /  @claw-link/gateway-host  /  0.3.9

@claw-link/gateway-host@0.3.9

ClawLink Host Gateway — a secure, outbound-only worker that bridges a local agent CLI (OpenClaw, Hermes, Claude, Codex, Cursor) to your ClawLink agents. No inbound ports; authenticated per-agent by a Host Token.

AI Security Review

scanned 3d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The package is a user-configured host gateway that persists a background service and executes configured AI agent CLIs for jobs from its authenticated ClawLink bridge.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs clhost setup/install/add-agent/run or starts the installed service
Impact
Package-aligned remote agent execution after user supplies a Host Token; no install-time or hidden execution found
Mechanism
Authenticated outbound job polling and local AI CLI spawning
Rationale
Static inspection shows risky primitives, but they are explicit product behavior for a Host Gateway and are activated by user CLI setup rather than lifecycle hooks. I found no covert credential collection, unconsented AI-agent control-surface mutation, hidden install execution, or unrelated exfiltration.
Evidence
package.jsonbin/cli.jsscripts/install.jsscripts/uninstall.jssrc/worker.jssrc/bridge.jssrc/adapters/base.jssrc/adapters/cli.jssrc/scaffold.jsnative/index.js~/.clawlink-host/config.json~/.clawlink-host/app~/.clawlink-host/worker-status.json~/.clawlink-host/drain~/.clawlink-host/transport.key~/Library/LaunchAgents/co.clawlink.host.plist~/.config/systemd/user/clawlink-host.service~/.clawlink-host/run-host.cmd~/.clawlink-host/run-host.vbs~/.clawlink-host/task.xml
Network endpoints2
rgzinqbdnesinmbshgtc.supabase.co/functions/v1/host-bridgelocalhost:3000

Decision evidence

public snapshot
AI called this Clean at 88.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • scripts/install.js installs persistent launchd/systemd/schtasks service when user runs setup/install
  • src/worker.js polls remote bridge for jobs and runs configured AI runtime adapters
  • src/adapters/base.js uses child_process.spawn for local agent CLIs
  • native/index.js loads a shipped NAPI native transport binary on darwin-arm64
  • templates/codex/AGENTS.md and templates/claude/CLAUDE.md are opt-in agent context files
Evidence against
  • package.json has no preinstall/postinstall/prepare lifecycle hooks
  • bin/cli.js only dispatches user-invoked commands; worker runs via clhost run/service
  • scripts/install.js prompts for Host Token and baseline scaffolding before config/workspace changes
  • src/bridge.js sends authenticated outbound calls to package-aligned host bridge
  • src/adapters/base.js uses argv arrays and shell:false on POSIX, strips dangerous auto-approve flags
  • No credential harvesting, hidden exfiltration, destructive actions, or reviewer prompt injection found
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNativeBindingsNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 27 file(s), 124 KB of source, external domains: rgzinqbdnesinmbshgtc.supabase.co, schemas.microsoft.com, www.apple.com

Source & flagged code

6 flagged · loading source
native/index.jsView file
19try { L20: const lddPath = require('child_process').execSync('which ldd').toString().trim() L21: return readFileSync(lddPath, 'utf8').includes('musl')
High
Child Process

Package source references child process execution.

native/index.jsView on unpkg · L19
6L7: const { existsSync, readFileSync } = require('fs') L8: const { join } = require('path')
Medium
Dynamic Require

Package source references dynamic require/import behavior.

native/index.jsView on unpkg · L6
scripts/install.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @claw-link/gateway-host@0.3.6 matchedIdentity = npm:QGNsYXctbGluay9nYXRld2F5LWhvc3Q:0.3.6 similarity = 0.667 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

scripts/install.jsView on unpkg
36if (clhostOnPath()) return true; L37: try { execSync(`npm install -g @claw-link/gateway-host@${VERSION}`, { stdio: 'ignore', timeout: 120000 }); } L38: catch { /* no permission / offline — reportCli() prints the manual fallback */ }
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

scripts/install.jsView on unpkg · L36
8const readline = require('readline'); L9: const { execSync } = require('child_process'); L10: ... L18: L19: const VERSION = (() => { try { return require('../package.json').version; } catch { return '0.0.0'; } })(); L20: const RUNTIMES = ['openclaw', 'hermes', 'claude', 'codex', 'cursor']; ... L31: function clhostOnPath() { L32: const probe = process.platform === 'win32' ? 'where clhost' : 'command -v clhost'; L33: return execSafe(probe) != null; ... L78: if (runtime === 'openclaw') { L79: agent.local_gateway_url = await ask(rl, ' Local OpenClaw gateway URL', 'http://localhost:3000'); L80: agent.local_gateway_token = await ask(rl, ' Local OpenClaw gateway token (optional)', '');
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

scripts/install.jsView on unpkg · L8
native/harness-core.darwin-arm64.nodeView file
path = native/harness-core.darwin-arm64.node kind = native_binary sizeBytes = 7947056 magicHex = [redacted]
Medium
Ships Native Binary

Package ships native binary artifacts.

native/harness-core.darwin-arm64.nodeView on unpkg

Findings

1 Critical3 High6 Medium4 Low
CriticalPrevious Version Dangerous Deltascripts/install.js
HighChild Processnative/index.js
HighShell
HighRuntime Package Installscripts/install.js
MediumDynamic Requirenative/index.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencescripts/install.js
MediumShips Native Binarynative/harness-core.darwin-arm64.node
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings