registry  /  @solongate/proxy  /  0.59.5

@solongate/proxy@0.59.5

AI tool security proxy: protect any AI tool server with customizable policies, path/command constraints, rate limiting, and audit logging. No code changes required.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. Explicit `login` installs SolonGate-owned global Claude Code hooks and writes cloud credentials under `~/.solongate`. The installed guard fetches authenticated remote hook updates and replaces local executable hook files; audit hooks transmit tool-call metadata and arguments to the configured SolonGate API.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs the package `login` flow, then starts later Claude Code sessions.
Impact
Persistent interception of Claude tool events and cloud-configurable execution after explicit setup.
Mechanism
User-invoked global AI-agent hook installation, remote hook self-update, and cloud audit logging.
Rationale
The package is not malicious under the install-time blocking rule because it has no lifecycle scripts and its setup is explicit. It nevertheless creates a real globally persistent, remotely updatable Claude hook surface that warrants warning.
Evidence
package.jsonREADME.mddist/global-install.jshooks/guard.mjshooks/audit.mjshooks/stop.mjshooks/shield.mjs~/.claude/settings.json~/.claude/settings.solongate.bak~/.solongate/cloud-guard.json~/.solongate/hooks/guard.mjs~/.solongate/hooks/audit.mjs~/.solongate/hooks/stop.mjs~/.solongate/hooks/shield.mjs~/.bashrc~/.zshrc~/.profile
Network endpoints4
api.solongate.com/api/v1/hooks/api.solongate.com/api/v1/policies/activeapi.solongate.com/api/v1/audit-logsapi.anthropic.com

Decision evidence

public snapshot
AI called this Suspicious at 93.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/global-install.js` overwrites `~/.claude/settings.json` hooks during explicit login setup.
  • `hooks/guard.mjs` downloads authenticated hook code and atomically replaces `~/.solongate/hooks/{guard,audit,shield}.mjs`.
  • `hooks/audit.mjs` posts tool names and arguments to `${API_URL}/api/v1/audit-logs`.
  • `dist/global-install.js` can modify shell profiles to wrap `claude`; locking requires `SOLONGATE_OS_LOCK=1`.
Evidence against
  • `package.json` has no preinstall/install/postinstall lifecycle hook.
  • Global mutation requires explicit user invocation of `login`; README describes the resulting Claude interception.
  • Hook update URL and audit URL are package-aligned SolonGate API paths.
  • `hooks/shield.mjs` binds only localhost and redacts request data before forwarding to its configured Anthropic upstream.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 15 file(s), 1.30 MB of source, external domains: 127.0.0.1, api.anthropic.com, api.solongate.com, cdn.solongate.com, dashboard.solongate.com, solongate.com

Source & flagged code

11 flagged · loading source
dist/shield.jsView file
3import { request as httpsRequest } from "https"; L4: import { spawn } from "child_process"; L5: import { URL } from "url";
High
Child Process

Package source references child process execution.

dist/shield.jsView on unpkg · L3
269log(`redacting secrets on the LLM path \u2192 masking before ${upstream.host} (127.0.0.1:${port})`); L270: const child = spawn(cmd[0], cmd.slice(1), { L271: stdio: "inherit", L272: env: { ...process.env, ANTHROPIC_BASE_URL: `http://127.0.0.1:${port}` }, L273: shell: process.platform === "win32"
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/shield.jsView on unpkg · L269
dist/lib.jsView file
6541/\bbash\s+-c\b/i, L6542: // Subshell wrapper: bash -c L6543: /\bsh\s+-c\b/i,
High
Shell

Package source references shell execution.

dist/lib.jsView on unpkg · L6541
42try { L43: JSON.parse(str); L44: return true; ... L2982: // Keys in mapping nodes earlier in the sequence override keys specified in L2983: // later mapping nodes. -- http://yaml.org/type/merge.html L2984: addToJSMap(ctx, map) { ... L4515: function shouldWarn(deprecation) { L4516: const env = typeof process !== "undefined" && process.env || {}; L4517: if (deprecation) { ... L5075: handle: "!!", L5076: prefix: "tag:private.yaml.org,2002:" L5077: }]
High
Credential Exfiltration

Source combines credential-like environment material and outbound requests; review data flow before blocking.

dist/lib.jsView on unpkg · L42
42try { L43: JSON.parse(str); L44: return true; ... L2982: // Keys in mapping nodes earlier in the sequence override keys specified in L2983: // later mapping nodes. -- http://yaml.org/type/merge.html L2984: addToJSMap(ctx, map) { ... L4515: function shouldWarn(deprecation) { L4516: const env = typeof process !== "undefined" && process.env || {}; L4517: if (deprecation) { ... L5075: handle: "!!", L5076: prefix: "tag:private.yaml.org,2002:" L5077: }]
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/lib.jsView on unpkg · L42
dist/audit/index.jsView file
1395var DANGEROUS_PATTERNS = [ L1396: { pattern: /eval\s*\(/, label: "eval() \u2014 arbitrary code execution" }, L1397: { pattern: /\bexec\s*\(/, label: "exec() \u2014 arbitrary code execution" },
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/audit/index.jsView on unpkg · L1395
dist/index.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @solongate/proxy@0.59.4 matchedIdentity = npm:QHNvbG9uZ2F0ZS9wcm94eQ:0.59.4 similarity = 0.800 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/index.jsView on unpkg
41try { L42: const p = join(homedir(), ".solongate", "cloud-guard.json"); L43: if (!existsSync(p)) return {}; L44: const c2 = JSON.parse(readFileSync(p, "utf-8")); L45: return c2 && typeof c2 === "object" ? c2 : {}; ... L52: if (!resolvedId) { L53: const listRes = await fetch(`${apiUrl}/api/v1/policies`, { L54: headers: { "Authorization": `Bearer ${apiKey}` }, ... L120: const resBody = await res.text().catch(() => ""); L121: process.stderr.write(`[SolonGate] Audit log rejected (${res.status}): ${resBody} L122: `); ... L262: if (!apiKey) {
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/index.jsView on unpkg · L41
41Cross-file remote execution chain: dist/index.js spawns dist/audit/index.js; helper contains network access plus dynamic code execution. L41: try { L42: const p = join(homedir(), ".solongate", "cloud-guard.json"); L43: if (!existsSync(p)) return {}; L44: const c2 = JSON.parse(readFileSync(p, "utf-8")); L45: return c2 && typeof c2 === "object" ? c2 : {}; ... L52: if (!resolvedId) { L53: const listRes = await fetch(`${apiUrl}/api/v1/policies`, { L54: headers: { "Authorization": `Bearer ${apiKey}` }, ... L120: const resBody = await res.text().catch(() => ""); L121: process.stderr.write(`[SolonGate] Audit log rejected (${res.status}): ${resBody} L122: `); ... L262: if (!apiKey) {
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/index.jsView on unpkg · L41
7614const pm = detectPackageManager(); L7615: const cmd = pm === "yarn" ? "yarn add @solongate/proxy" : `${pm} install @solongate/proxy`; L7616: log3(` Installing @solongate/proxy via ${pm}...`); L7617: try { L7618: execSync(cmd, { stdio: "pipe", cwd: process.cwd() }); L7619: return true;
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/index.jsView on unpkg · L7614
hooks/guard.mjsView file
13* - API_KEY (sg_live_…/sg_test_…) from env/.env, attached to every API call. L14: * - API_URL defaults to https://api.solongate.com. L15: * - Enforcement is gated on the API key (the key identifies the project + ... L19: * L20: * Exit code 2 = BLOCK, exit code 0 = ALLOW. L21: * Logs DENY decisions to SolonGate Cloud. ALLOWs are logged by audit.mjs. ... L24: import { readFileSync, existsSync, statSync, writeFileSync, mkdirSync, chmodSync, renameSync, appendFileSync } from 'node:fs'; L25: import { spawn } from 'node:child_process'; L26: import { resolve, join, dirname, isAbsolute } from 'node:path'; L27: import { homedir } from 'node:os'; L28: import { gunzipSync } from 'node:zlib'; L29: import { createHash } from 'node:crypto';
High
Cloud Metadata Access

Source reaches cloud instance metadata or link-local credential endpoints.

hooks/guard.mjsView on unpkg · L13

Findings

1 Critical8 High4 Medium5 Low
CriticalPrevious Version Dangerous Deltadist/index.js
HighChild Processdist/shield.js
HighShelldist/lib.js
HighSame File Env Network Executiondist/shield.js
HighCredential Exfiltrationdist/lib.js
HighSandbox Evasion Gated Capabilitydist/index.js
HighCloud Metadata Accesshooks/guard.mjs
HighCross File Remote Execution Contextdist/index.js
HighRuntime Package Installdist/index.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/lib.js
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvaldist/audit/index.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings