registry  /  @solongate/proxy  /  0.59.3

@solongate/proxy@0.59.3

AI tool security proxy: protect any AI tool server with customizable policies, path/command constraints, rate limiting, and audit logging. No code changes required.

AI Security Review

scanned 4h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. An explicit `login` configures global Claude Code hooks and optionally a shell wrapper. Installed hooks can self-update from the SolonGate API and upload audit records.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs the `login` CLI flow and supplies or authorizes a SolonGate API key.
Impact
Broad Claude Code interception, remote hook replacement, and policy/audit data transmission after opt-in.
Mechanism
User-invoked global AI-agent hook installation with cloud-delivered hook updates and audit upload.
Rationale
The package implements an explicit global Claude Code security extension with remote update and audit capabilities. It is not malicious by the stated boundary because setup requires a user command, but the broad persistent control surface warrants a warning.
Evidence
package.jsondist/index.jsdist/global-install.jshooks/guard.mjshooks/audit.mjshooks/shield.mjsREADME.md~/.claude/settings.json~/.claude/settings.solongate.bak~/.solongate/cloud-guard.json~/.solongate/hooks/guard.mjs~/.solongate/hooks/audit.mjs~/.solongate/hooks/stop.mjs~/.solongate/hooks/shield.mjs~/.bashrc~/.zshrc~/.profile
Network endpoints2
api.solongate.comapi.anthropic.com

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/global-install.js` invoked by explicit `login` writes `~/.claude/settings.json` hooks and shell shims.
  • `hooks/guard.mjs` fetches newer hook bundles from `https://api.solongate.com` and replaces installed hook files.
  • `hooks/audit.mjs` posts tool names and argument summaries to `/api/v1/audit-logs` when local-only logging is not enabled.
  • `hooks/shield.mjs` proxies Claude traffic and spawns the real `claude` command with a local upstream override.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or uninstall lifecycle hook.
  • Global hook installation is reached through the user-invoked `login` flow, not package import or installation.
  • Network destinations and credential use are package-aligned SolonGate policy/audit services.
  • Metadata URL references in `hooks/guard.mjs` are SSRF-blocking policy patterns, not metadata requests.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 15 file(s), 1.29 MB of source, external domains: 127.0.0.1, api.anthropic.com, api.solongate.com, cdn.solongate.com, dashboard.solongate.com, solongate.com

Source & flagged code

10 flagged · loading source
dist/shield.jsView file
3import { request as httpsRequest } from "https"; L4: import { spawn } from "child_process"; L5: import { URL } from "url";
High
Child Process

Package source references child process execution.

dist/shield.jsView on unpkg · L3
269log(`redacting secrets on the LLM path \u2192 masking before ${upstream.host} (127.0.0.1:${port})`); L270: const child = spawn(cmd[0], cmd.slice(1), { L271: stdio: "inherit", L272: env: { ...process.env, ANTHROPIC_BASE_URL: `http://127.0.0.1:${port}` }, L273: shell: process.platform === "win32"
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/shield.jsView on unpkg · L269
dist/lib.jsView file
6541/\bbash\s+-c\b/i, L6542: // Subshell wrapper: bash -c L6543: /\bsh\s+-c\b/i,
High
Shell

Package source references shell execution.

dist/lib.jsView on unpkg · L6541
42try { L43: JSON.parse(str); L44: return true; ... L2982: // Keys in mapping nodes earlier in the sequence override keys specified in L2983: // later mapping nodes. -- http://yaml.org/type/merge.html L2984: addToJSMap(ctx, map) { ... L4515: function shouldWarn(deprecation) { L4516: const env = typeof process !== "undefined" && process.env || {}; L4517: if (deprecation) { ... L5075: handle: "!!", L5076: prefix: "tag:private.yaml.org,2002:" L5077: }]
High
Credential Exfiltration

Source combines credential-like environment material and outbound requests; review data flow before blocking.

dist/lib.jsView on unpkg · L42
42try { L43: JSON.parse(str); L44: return true; ... L2982: // Keys in mapping nodes earlier in the sequence override keys specified in L2983: // later mapping nodes. -- http://yaml.org/type/merge.html L2984: addToJSMap(ctx, map) { ... L4515: function shouldWarn(deprecation) { L4516: const env = typeof process !== "undefined" && process.env || {}; L4517: if (deprecation) { ... L5075: handle: "!!", L5076: prefix: "tag:private.yaml.org,2002:" L5077: }]
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/lib.jsView on unpkg · L42
dist/audit/index.jsView file
1395var DANGEROUS_PATTERNS = [ L1396: { pattern: /eval\s*\(/, label: "eval() \u2014 arbitrary code execution" }, L1397: { pattern: /\bexec\s*\(/, label: "exec() \u2014 arbitrary code execution" },
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/audit/index.jsView on unpkg · L1395
dist/index.jsView file
41try { L42: const p = join(homedir(), ".solongate", "cloud-guard.json"); L43: if (!existsSync(p)) return {}; L44: const c3 = JSON.parse(readFileSync(p, "utf-8")); L45: return c3 && typeof c3 === "object" ? c3 : {}; ... L52: if (!resolvedId) { L53: const listRes = await fetch(`${apiUrl}/api/v1/policies`, { L54: headers: { "Authorization": `Bearer ${apiKey}` }, ... L119: const resBody = await res.text().catch(() => ""); L120: process.stderr.write(`[SolonGate] Audit log rejected (${res.status}): ${resBody} L121: `); ... L276: if (!apiKey) {
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/index.jsView on unpkg · L41
41Cross-file remote execution chain: dist/index.js spawns dist/audit/index.js; helper contains network access plus dynamic code execution. L41: try { L42: const p = join(homedir(), ".solongate", "cloud-guard.json"); L43: if (!existsSync(p)) return {}; L44: const c3 = JSON.parse(readFileSync(p, "utf-8")); L45: return c3 && typeof c3 === "object" ? c3 : {}; ... L52: if (!resolvedId) { L53: const listRes = await fetch(`${apiUrl}/api/v1/policies`, { L54: headers: { "Authorization": `Bearer ${apiKey}` }, ... L119: const resBody = await res.text().catch(() => ""); L120: process.stderr.write(`[SolonGate] Audit log rejected (${res.status}): ${resBody} L121: `); ... L276: if (!apiKey) {
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/index.jsView on unpkg · L41
7628const pm = detectPackageManager(); L7629: const cmd = pm === "yarn" ? "yarn add @solongate/proxy" : `${pm} install @solongate/proxy`; L7630: log3(` Installing @solongate/proxy via ${pm}...`); L7631: try { L7632: execSync(cmd, { stdio: "pipe", cwd: process.cwd() }); L7633: return true;
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/index.jsView on unpkg · L7628
hooks/guard.mjsView file
13* - API_KEY (sg_live_…/sg_test_…) from env/.env, attached to every API call. L14: * - API_URL defaults to https://api.solongate.com. L15: * - Enforcement is gated on the API key (the key identifies the project + ... L19: * L20: * Exit code 2 = BLOCK, exit code 0 = ALLOW. L21: * Logs DENY decisions to SolonGate Cloud. ALLOWs are logged by audit.mjs. ... L26: import { homedir } from 'node:os'; L27: import { gunzipSync } from 'node:zlib'; L28: import { createHash } from 'node:crypto'; ... L54: if (isAbsolute(dir)) return dir; L55: const fallback = resolve(homedir(), '.solongate', 'local-logs'); L56: try {
High
Cloud Metadata Access

Source reaches cloud instance metadata or link-local credential endpoints.

hooks/guard.mjsView on unpkg · L13

Findings

8 High4 Medium5 Low
HighChild Processdist/shield.js
HighShelldist/lib.js
HighSame File Env Network Executiondist/shield.js
HighCredential Exfiltrationdist/lib.js
HighSandbox Evasion Gated Capabilitydist/index.js
HighCloud Metadata Accesshooks/guard.mjs
HighCross File Remote Execution Contextdist/index.js
HighRuntime Package Installdist/index.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/lib.js
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvaldist/audit/index.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings