registry  /  @solongate/proxy  /  0.62.0

@solongate/proxy@0.62.0

AI tool security proxy: protect any AI tool server with customizable policies, path/command constraints, rate limiting, and audit logging. No code changes required.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. Explicit setup installs persistent Claude Code hooks that inspect and enforce tool events. Those hooks remotely refresh policy, WASM, and hook code from SolonGate. No npm install-time activation is declared.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs the package's global setup/login command, then starts a configured Claude Code session.
Impact
Configured tool-call data is sent to SolonGate and a service-controlled update can replace installed hook code.
Mechanism
Persistent agent-hook installation with remote policy, audit, and self-update support.
Rationale
This is a real persistent remote-managed AI-agent capability, so it warrants a warning. It is explicitly user-invoked rather than an unconsented install-time mutation, and inspected source does not establish malicious intent or behavior.
Evidence
package.jsondist/global-install.jsdist/index.jshooks/guard.mjshooks/audit.mjshooks/stop.mjshooks/shield.mjs
Network endpoints3
api.solongate.com/api/v1/hooks/guardapi.solongate.com/api/v1/policies/activeapi.solongate.com/api/v1/audit-logs

Decision evidence

public snapshot
AI called this Suspicious at 87.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `dist/global-install.js` writes global Claude hooks and `~/.claude/settings.json` after explicit setup.
  • `dist/global-install.js` can add a `claude` shell shim and optionally lock hook/config files.
  • `hooks/guard.mjs` downloads and atomically replaces persistent hook files from the SolonGate API.
  • `hooks/guard.mjs` loads remotely fetched policy WASM and uploads deny/audit events.
  • `dist/index.js` can run package-manager commands only through explicit CLI project setup.
Evidence against
  • `package.json` has no `preinstall`, `install`, `postinstall`, or `prepare` lifecycle script.
  • The global installer requires an explicit CLI action and a supplied SolonGate API key.
  • Network behavior is confined to the configured SolonGate API endpoint.
  • No source evidence of unrelated credential harvesting, destructive actions, or hidden exfiltration endpoints.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 17 file(s), 1.47 MB of source, external domains: 127.0.0.1, api.anthropic.com, api.solongate.com, cdn.solongate.com, dashboard.solongate.com, solongate.com

Source & flagged code

11 flagged · loading source
dist/shield.jsView file
3import { request as httpsRequest } from "https"; L4: import { spawn } from "child_process"; L5: import { URL } from "url";
High
Child Process

Package source references child process execution.

dist/shield.jsView on unpkg · L3
269log(`redacting secrets on the LLM path \u2192 masking before ${upstream.host} (127.0.0.1:${port})`); L270: const child = spawn(cmd[0], cmd.slice(1), { L271: stdio: "inherit", L272: env: { ...process.env, ANTHROPIC_BASE_URL: `http://127.0.0.1:${port}` }, L273: shell: process.platform === "win32"
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/shield.jsView on unpkg · L269
dist/lib.jsView file
6541/\bbash\s+-c\b/i, L6542: // Subshell wrapper: bash -c L6543: /\bsh\s+-c\b/i,
High
Shell

Package source references shell execution.

dist/lib.jsView on unpkg · L6541
42try { L43: JSON.parse(str); L44: return true; ... L2982: // Keys in mapping nodes earlier in the sequence override keys specified in L2983: // later mapping nodes. -- http://yaml.org/type/merge.html L2984: addToJSMap(ctx, map) { ... L4515: function shouldWarn(deprecation) { L4516: const env = typeof process !== "undefined" && process.env || {}; L4517: if (deprecation) { ... L5075: handle: "!!", L5076: prefix: "tag:private.yaml.org,2002:" L5077: }]
High
Credential Exfiltration

Source combines credential-like environment material and outbound requests; review data flow before blocking.

dist/lib.jsView on unpkg · L42
42try { L43: JSON.parse(str); L44: return true; ... L2982: // Keys in mapping nodes earlier in the sequence override keys specified in L2983: // later mapping nodes. -- http://yaml.org/type/merge.html L2984: addToJSMap(ctx, map) { ... L4515: function shouldWarn(deprecation) { L4516: const env = typeof process !== "undefined" && process.env || {}; L4517: if (deprecation) { ... L5075: handle: "!!", L5076: prefix: "tag:private.yaml.org,2002:" L5077: }]
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/lib.jsView on unpkg · L42
dist/audit/index.jsView file
1395var DANGEROUS_PATTERNS = [ L1396: { pattern: /eval\s*\(/, label: "eval() \u2014 arbitrary code execution" }, L1397: { pattern: /\bexec\s*\(/, label: "exec() \u2014 arbitrary code execution" },
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/audit/index.jsView on unpkg · L1395
dist/index.jsView file
8997__dirname = dirname(fileURLToPath(import.meta.url)); L8998: HOOKS_DIR = resolve4(__dirname, "..", "hooks"); L8999: SHIM_BEGIN = "# >>> SolonGate shield (auto secret redaction) >>>"; ... L9005: var login_exports = {}; L9006: import { spawn } from "child_process"; L9007: function startSpinner(text) { L9008: if (!process.stderr.isTTY) { L9009: process.stderr.write(` ${text} L9010: `);
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/index.jsView on unpkg · L8997
41try { L42: const p = join(homedir(), ".solongate", "cloud-guard.json"); L43: if (!existsSync(p)) return {}; L44: const c2 = JSON.parse(readFileSync(p, "utf-8")); L45: return c2 && typeof c2 === "object" ? c2 : {}; ... L52: if (!resolvedId) { L53: const listRes = await fetch(`${apiUrl}/api/v1/policies`, { L54: headers: { "Authorization": `Bearer ${apiKey}` }, ... L120: const resBody = await res.text().catch(() => ""); L121: process.stderr.write(`[SolonGate] Audit log rejected (${res.status}): ${resBody} L122: `); ... L262: if (!apiKey) {
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/index.jsView on unpkg · L41
41Cross-file remote execution chain: dist/index.js spawns dist/audit/index.js; helper contains network access plus dynamic code execution. L41: try { L42: const p = join(homedir(), ".solongate", "cloud-guard.json"); L43: if (!existsSync(p)) return {}; L44: const c2 = JSON.parse(readFileSync(p, "utf-8")); L45: return c2 && typeof c2 === "object" ? c2 : {}; ... L52: if (!resolvedId) { L53: const listRes = await fetch(`${apiUrl}/api/v1/policies`, { L54: headers: { "Authorization": `Bearer ${apiKey}` }, ... L120: const resBody = await res.text().catch(() => ""); L121: process.stderr.write(`[SolonGate] Audit log rejected (${res.status}): ${resBody} L122: `); ... L262: if (!apiKey) {
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/index.jsView on unpkg · L41
9771const pm = detectPackageManager(); L9772: const cmd = pm === "yarn" ? "yarn add @solongate/proxy" : `${pm} install @solongate/proxy`; L9773: log3(` Installing @solongate/proxy via ${pm}...`); L9774: try { L9775: execSync(cmd, { stdio: "pipe", cwd: process.cwd() }); L9776: return true;
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/index.jsView on unpkg · L9771
hooks/guard.mjsView file
13* - API_KEY (sg_live_…/sg_test_…) from env/.env, attached to every API call. L14: * - API_URL defaults to https://api.solongate.com. L15: * - Enforcement is gated on the API key (the key identifies the project + ... L19: * L20: * Exit code 2 = BLOCK, exit code 0 = ALLOW. L21: * Logs DENY decisions to SolonGate Cloud. ALLOWs are logged by audit.mjs. ... L24: import { readFileSync, existsSync, statSync, writeFileSync, mkdirSync, chmodSync, renameSync, appendFileSync } from 'node:fs'; L25: import { spawn } from 'node:child_process'; L26: import { resolve, join, dirname, isAbsolute } from 'node:path'; L27: import { homedir } from 'node:os'; L28: import { gunzipSync } from 'node:zlib'; L29: import { createHash } from 'node:crypto';
High
Cloud Metadata Access

Source reaches cloud instance metadata or link-local credential endpoints.

hooks/guard.mjsView on unpkg · L13

Findings

9 High4 Medium6 Low
HighChild Processdist/shield.js
HighShelldist/lib.js
HighSame File Env Network Executiondist/shield.js
HighCredential Exfiltrationdist/lib.js
HighCommand Output Exfiltrationdist/index.js
HighSandbox Evasion Gated Capabilitydist/index.js
HighCloud Metadata Accesshooks/guard.mjs
HighCross File Remote Execution Contextdist/index.js
HighRuntime Package Installdist/index.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/lib.js
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvaldist/audit/index.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings