registry  /  @solongate/proxy  /  0.59.4

@solongate/proxy@0.59.4

AI tool security proxy: protect any AI tool server with customizable policies, path/command constraints, rate limiting, and audit logging. No code changes required.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. An explicit login/global-install configures SolonGate hooks for every Claude Code session and can add a shell wrapper. The guard subsequently retrieves policy, audit logs, and newer hook bundles from SolonGate Cloud.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs the package's `login` flow or global installer, then starts Claude Code.
Impact
Remote service-controlled hook updates can alter behavior across Claude Code sessions after opt-in.
Mechanism
Global AI-agent hook installation with remote hook self-update and audit telemetry.
Rationale
Source inspection confirms an explicit first-party global Claude Code extension with remote self-updating hooks and telemetry, creating meaningful lifecycle risk. No install-time activation, unrelated endpoint, or concrete covert malicious chain was found.
Evidence
package.jsondist/global-install.jsdist/index.jshooks/guard.mjshooks/audit.mjshooks/shield.mjshooks/stop.mjs~/.claude/settings.json~/.claude/settings.solongate.bak~/.solongate/cloud-guard.json~/.solongate/hooks/guard.mjs~/.solongate/hooks/audit.mjs~/.solongate/hooks/shield.mjs~/.bashrc~/.zshrc~/.profile
Network endpoints4
api.solongate.com/api/v1/hooks/api.solongate.com/api/v1/policies/activeapi.solongate.com/api/v1/audit-logsapi.anthropic.com

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/global-install.js` overwrites `~/.claude/settings.json` with global PreToolUse/PostToolUse/Stop hooks.
  • `hooks/guard.mjs` downloads newer hook code from the cloud and atomically replaces installed hook files.
  • Installed audit/guard hooks send tool arguments and decisions to the configured SolonGate API.
  • Optional OS-lock commands can make hook/config/settings files immutable.
Evidence against
  • `package.json` has no preinstall/install/postinstall lifecycle hook.
  • Global hook setup occurs through explicit `login`/global-install CLI flow and accepts a user API key.
  • Observed network hosts are package-aligned SolonGate endpoints; no unrelated credential-exfiltration endpoint found.
  • Child-process use launches the explicit shield target or refreshes the package's own hook.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 15 file(s), 1.30 MB of source, external domains: 127.0.0.1, api.anthropic.com, api.solongate.com, cdn.solongate.com, dashboard.solongate.com, solongate.com

Source & flagged code

11 flagged · loading source
dist/shield.jsView file
3import { request as httpsRequest } from "https"; L4: import { spawn } from "child_process"; L5: import { URL } from "url";
High
Child Process

Package source references child process execution.

dist/shield.jsView on unpkg · L3
269log(`redacting secrets on the LLM path \u2192 masking before ${upstream.host} (127.0.0.1:${port})`); L270: const child = spawn(cmd[0], cmd.slice(1), { L271: stdio: "inherit", L272: env: { ...process.env, ANTHROPIC_BASE_URL: `http://127.0.0.1:${port}` }, L273: shell: process.platform === "win32"
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/shield.jsView on unpkg · L269
dist/lib.jsView file
6541/\bbash\s+-c\b/i, L6542: // Subshell wrapper: bash -c L6543: /\bsh\s+-c\b/i,
High
Shell

Package source references shell execution.

dist/lib.jsView on unpkg · L6541
42try { L43: JSON.parse(str); L44: return true; ... L2982: // Keys in mapping nodes earlier in the sequence override keys specified in L2983: // later mapping nodes. -- http://yaml.org/type/merge.html L2984: addToJSMap(ctx, map) { ... L4515: function shouldWarn(deprecation) { L4516: const env = typeof process !== "undefined" && process.env || {}; L4517: if (deprecation) { ... L5075: handle: "!!", L5076: prefix: "tag:private.yaml.org,2002:" L5077: }]
High
Credential Exfiltration

Source combines credential-like environment material and outbound requests; review data flow before blocking.

dist/lib.jsView on unpkg · L42
42try { L43: JSON.parse(str); L44: return true; ... L2982: // Keys in mapping nodes earlier in the sequence override keys specified in L2983: // later mapping nodes. -- http://yaml.org/type/merge.html L2984: addToJSMap(ctx, map) { ... L4515: function shouldWarn(deprecation) { L4516: const env = typeof process !== "undefined" && process.env || {}; L4517: if (deprecation) { ... L5075: handle: "!!", L5076: prefix: "tag:private.yaml.org,2002:" L5077: }]
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/lib.jsView on unpkg · L42
dist/audit/index.jsView file
1395var DANGEROUS_PATTERNS = [ L1396: { pattern: /eval\s*\(/, label: "eval() \u2014 arbitrary code execution" }, L1397: { pattern: /\bexec\s*\(/, label: "exec() \u2014 arbitrary code execution" },
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/audit/index.jsView on unpkg · L1395
dist/index.jsView file
41try { L42: const p = join(homedir(), ".solongate", "cloud-guard.json"); L43: if (!existsSync(p)) return {}; L44: const c3 = JSON.parse(readFileSync(p, "utf-8")); L45: return c3 && typeof c3 === "object" ? c3 : {}; ... L52: if (!resolvedId) { L53: const listRes = await fetch(`${apiUrl}/api/v1/policies`, { L54: headers: { "Authorization": `Bearer ${apiKey}` }, ... L119: const resBody = await res.text().catch(() => ""); L120: process.stderr.write(`[SolonGate] Audit log rejected (${res.status}): ${resBody} L121: `); ... L276: if (!apiKey) {
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/index.jsView on unpkg · L41
41Cross-file remote execution chain: dist/index.js spawns dist/audit/index.js; helper contains network access plus dynamic code execution. L41: try { L42: const p = join(homedir(), ".solongate", "cloud-guard.json"); L43: if (!existsSync(p)) return {}; L44: const c3 = JSON.parse(readFileSync(p, "utf-8")); L45: return c3 && typeof c3 === "object" ? c3 : {}; ... L52: if (!resolvedId) { L53: const listRes = await fetch(`${apiUrl}/api/v1/policies`, { L54: headers: { "Authorization": `Bearer ${apiKey}` }, ... L119: const resBody = await res.text().catch(() => ""); L120: process.stderr.write(`[SolonGate] Audit log rejected (${res.status}): ${resBody} L121: `); ... L276: if (!apiKey) {
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/index.jsView on unpkg · L41
7628const pm = detectPackageManager(); L7629: const cmd = pm === "yarn" ? "yarn add @solongate/proxy" : `${pm} install @solongate/proxy`; L7630: log3(` Installing @solongate/proxy via ${pm}...`); L7631: try { L7632: execSync(cmd, { stdio: "pipe", cwd: process.cwd() }); L7633: return true;
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/index.jsView on unpkg · L7628
hooks/guard.mjsView file
matchType = previous_version_dangerous_delta matchedPackage = @solongate/proxy@0.59.3 matchedIdentity = npm:QHNvbG9uZ2F0ZS9wcm94eQ:0.59.3 similarity = 0.933 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

hooks/guard.mjsView on unpkg
13* - API_KEY (sg_live_…/sg_test_…) from env/.env, attached to every API call. L14: * - API_URL defaults to https://api.solongate.com. L15: * - Enforcement is gated on the API key (the key identifies the project + ... L19: * L20: * Exit code 2 = BLOCK, exit code 0 = ALLOW. L21: * Logs DENY decisions to SolonGate Cloud. ALLOWs are logged by audit.mjs. ... L24: import { readFileSync, existsSync, statSync, writeFileSync, mkdirSync, chmodSync, renameSync, appendFileSync } from 'node:fs'; L25: import { spawn } from 'node:child_process'; L26: import { resolve, join, dirname, isAbsolute } from 'node:path'; L27: import { homedir } from 'node:os'; L28: import { gunzipSync } from 'node:zlib'; L29: import { createHash } from 'node:crypto';
High
Cloud Metadata Access

Source reaches cloud instance metadata or link-local credential endpoints.

hooks/guard.mjsView on unpkg · L13

Findings

1 Critical8 High4 Medium5 Low
CriticalPrevious Version Dangerous Deltahooks/guard.mjs
HighChild Processdist/shield.js
HighShelldist/lib.js
HighSame File Env Network Executiondist/shield.js
HighCredential Exfiltrationdist/lib.js
HighSandbox Evasion Gated Capabilitydist/index.js
HighCloud Metadata Accesshooks/guard.mjs
HighCross File Remote Execution Contextdist/index.js
HighRuntime Package Installdist/index.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/lib.js
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvaldist/audit/index.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings