registry  /  @solongate/proxy  /  0.71.0

@solongate/proxy@0.71.0

AI tool security proxy: protect any AI tool server with customizable policies, path/command constraints, rate limiting, and audit logging. No code changes required.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. An explicit `login` command installs first-party Claude Code hooks, with optional shell shimming and OS-level locking. Those hooks can self-update from the SolonGate API after a SHA-256 check and send tool/audit data to that service.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs the package CLI `login` without `--no-install` after device authorization.
Impact
Changes Claude Code hook configuration and causes future agent tool calls to be evaluated and logged under the configured SolonGate account.
Mechanism
First-party AI-agent hook installation with remote signed-by-hash hook refresh and audit/policy transport.
Rationale
The package has a real, broad AI-agent control surface and executable remote-update path, but they require an explicit CLI login/install flow and are package-aligned. No lifecycle hook, stealth import-time activation, unrelated credential theft, or concrete malicious behavior was confirmed.
Evidence
package.jsondist/index.jsdist/global-install.jshooks/guard.mjshooks/audit.mjshooks/stop.mjsdist/shield.js~/.claude/settings.json~/.claude/settings.solongate.bak~/.solongate/cloud-guard.json~/.solongate/hooks/guard.mjs~/.solongate/hooks/audit.mjs~/.solongate/hooks/stop.mjs~/.solongate/hooks/shield.mjs~/.bashrc~/.zshrc~/.profile
Network endpoints2
api.solongate.comapi.anthropic.com

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/global-install.js` writes Claude Code hooks into `~/.claude/settings.json`.
  • `dist/global-install.js` can add a `claude` shell shim and optionally set immutable file attributes.
  • `hooks/guard.mjs` downloads, hash-checks, then replaces installed hook files from `https://api.solongate.com`.
  • Installed hooks read tool input and send policy/audit requests to the SolonGate API.
Evidence against
  • `package.json` has no npm lifecycle hooks.
  • Global mutation is reached from user-invoked `login`; `--no-install` disables it.
  • Network traffic is package-aligned: policy, hook-update, authentication, and audit API routes.
  • `dist/shield.js` is an explicit local proxy that redacts payload data before forwarding upstream.
  • No source evidence of credential harvesting beyond configured SolonGate credentials or unrelated exfiltration.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 17 file(s), 1.53 MB of source, external domains: 127.0.0.1, api.anthropic.com, api.solongate.com, cdn.solongate.com, dashboard.solongate.com, solongate.com

Source & flagged code

12 flagged · loading source
dist/shield.jsView file
3import { request as httpsRequest } from "https"; L4: import { spawn } from "child_process"; L5: import { URL } from "url";
High
Child Process

Package source references child process execution.

dist/shield.jsView on unpkg · L3
269log(`redacting secrets on the LLM path \u2192 masking before ${upstream.host} (127.0.0.1:${port})`); L270: const child = spawn(cmd[0], cmd.slice(1), { L271: stdio: "inherit", L272: env: { ...process.env, ANTHROPIC_BASE_URL: `http://127.0.0.1:${port}` }, L273: shell: process.platform === "win32"
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/shield.jsView on unpkg · L269
dist/lib.jsView file
6541/\bbash\s+-c\b/i, L6542: // Subshell wrapper: bash -c L6543: /\bsh\s+-c\b/i,
High
Shell

Package source references shell execution.

dist/lib.jsView on unpkg · L6541
42try { L43: JSON.parse(str); L44: return true; ... L2982: // Keys in mapping nodes earlier in the sequence override keys specified in L2983: // later mapping nodes. -- http://yaml.org/type/merge.html L2984: addToJSMap(ctx, map) { ... L4515: function shouldWarn(deprecation) { L4516: const env = typeof process !== "undefined" && process.env || {}; L4517: if (deprecation) { ... L5075: handle: "!!", L5076: prefix: "tag:private.yaml.org,2002:" L5077: }]
High
Credential Exfiltration

Source combines credential-like environment material and outbound requests; review data flow before blocking.

dist/lib.jsView on unpkg · L42
42try { L43: JSON.parse(str); L44: return true; ... L2982: // Keys in mapping nodes earlier in the sequence override keys specified in L2983: // later mapping nodes. -- http://yaml.org/type/merge.html L2984: addToJSMap(ctx, map) { ... L4515: function shouldWarn(deprecation) { L4516: const env = typeof process !== "undefined" && process.env || {}; L4517: if (deprecation) { ... L5075: handle: "!!", L5076: prefix: "tag:private.yaml.org,2002:" L5077: }]
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/lib.jsView on unpkg · L42
dist/audit/index.jsView file
1395var DANGEROUS_PATTERNS = [ L1396: { pattern: /eval\s*\(/, label: "eval() \u2014 arbitrary code execution" }, L1397: { pattern: /\bexec\s*\(/, label: "exec() \u2014 arbitrary code execution" },
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/audit/index.jsView on unpkg · L1395
dist/index.jsView file
9633__dirname = dirname2(fileURLToPath(import.meta.url)); L9634: HOOKS_DIR = resolve4(__dirname, "..", "hooks"); L9635: SHIM_BEGIN = "# >>> SolonGate shield (auto secret redaction) >>>"; ... L9641: var login_exports = {}; L9642: import { spawn } from "child_process"; L9643: function startSpinner(text) { L9644: if (!process.stderr.isTTY) { L9645: process.stderr.write(` ${text} L9646: `);
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/index.jsView on unpkg · L9633
41try { L42: const p = join(homedir(), ".solongate", "cloud-guard.json"); L43: if (!existsSync(p)) return {}; L44: const c2 = JSON.parse(readFileSync(p, "utf-8")); L45: return c2 && typeof c2 === "object" ? c2 : {}; ... L52: if (!resolvedId) { L53: const listRes = await fetch(`${apiUrl}/api/v1/policies`, { L54: headers: { "Authorization": `Bearer ${apiKey}` }, ... L120: const resBody = await res.text().catch(() => ""); L121: process.stderr.write(`[SolonGate] Audit log rejected (${res.status}): ${resBody} L122: `); ... L262: if (!apiKey) {
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/index.jsView on unpkg · L41
41Cross-file remote execution chain: dist/index.js spawns dist/audit/index.js; helper contains network access plus dynamic code execution. L41: try { L42: const p = join(homedir(), ".solongate", "cloud-guard.json"); L43: if (!existsSync(p)) return {}; L44: const c2 = JSON.parse(readFileSync(p, "utf-8")); L45: return c2 && typeof c2 === "object" ? c2 : {}; ... L52: if (!resolvedId) { L53: const listRes = await fetch(`${apiUrl}/api/v1/policies`, { L54: headers: { "Authorization": `Bearer ${apiKey}` }, ... L120: const resBody = await res.text().catch(() => ""); L121: process.stderr.write(`[SolonGate] Audit log rejected (${res.status}): ${resBody} L122: `); ... L262: if (!apiKey) {
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/index.jsView on unpkg · L41
10407const pm = detectPackageManager(); L10408: const cmd = pm === "yarn" ? "yarn add @solongate/proxy" : `${pm} install @solongate/proxy`; L10409: log3(` Installing @solongate/proxy via ${pm}...`); L10410: try { L10411: execSync(cmd, { stdio: "pipe", cwd: process.cwd() }); L10412: return true;
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/index.jsView on unpkg · L10407
hooks/guard.mjsView file
13* - API_KEY (sg_live_…/sg_test_…) from env/.env, attached to every API call. L14: * - API_URL defaults to https://api.solongate.com. L15: * - Enforcement is gated on the API key (the key identifies the project + ... L19: * L20: * Exit code 2 = BLOCK, exit code 0 = ALLOW. L21: * Logs DENY decisions to SolonGate Cloud. ALLOWs are logged by audit.mjs. ... L24: import { readFileSync, existsSync, statSync, writeFileSync, mkdirSync, chmodSync, renameSync, appendFileSync } from 'node:fs'; L25: import { spawn } from 'node:child_process'; L26: import { resolve, join, dirname, isAbsolute } from 'node:path'; L27: import { homedir } from 'node:os'; L28: import { gunzipSync } from 'node:zlib'; L29: import { createHash } from 'node:crypto';
High
Cloud Metadata Access

Source reaches cloud instance metadata or link-local credential endpoints.

hooks/guard.mjsView on unpkg · L13
dist/tui/index.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @solongate/proxy@0.67.0 matchedIdentity = npm:QHNvbG9uZ2F0ZS9wcm94eQ:0.67.0 similarity = 0.941 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/tui/index.jsView on unpkg

Findings

1 Critical9 High4 Medium6 Low
CriticalPrevious Version Dangerous Deltadist/tui/index.js
HighChild Processdist/shield.js
HighShelldist/lib.js
HighSame File Env Network Executiondist/shield.js
HighCredential Exfiltrationdist/lib.js
HighCommand Output Exfiltrationdist/index.js
HighSandbox Evasion Gated Capabilitydist/index.js
HighCloud Metadata Accesshooks/guard.mjs
HighCross File Remote Execution Contextdist/index.js
HighRuntime Package Installdist/index.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/lib.js
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvaldist/audit/index.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings