registry  /  @solongate/proxy  /  0.81.15

@solongate/proxy@0.81.15

AI tool security proxy: protect any AI tool server with customizable policies, path/command constraints, rate limiting, and audit logging. No code changes required.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. Explicit login installs persistent Claude Code hooks and a shell shim. On later Claude tool invocations, the guard can fetch and replace those executable hooks from the SolonGate API, then transmit audit data.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `solongate login` without `--no-install`, then invokes a configured Claude Code tool hook.
Impact
A compromised or malicious cloud response could replace installed hook code; configured tool arguments and decisions are sent to the service.
Mechanism
First-party agent-hook installation with cloud-delivered self-updating executable hooks and audit telemetry.
Rationale
Source confirms an opt-in but broad Claude Code extension with remote self-updating code and outbound audit logging. This warrants a warning for lifecycle risk, not a block: no npm lifecycle hook or concrete unconsented malicious chain is present.
Evidence
package.jsondist/login.jsdist/global-install.jshooks/guard.mjshooks/audit.mjsdist/lib.js~/.claude/settings.json~/.solongate/hooks/guard.mjs~/.solongate/hooks/audit.mjs~/.solongate/hooks/shield.mjs
Network endpoints4
api.solongate.com/api/v1/hooks/guardapi.solongate.com/api/v1/hooks/auditapi.solongate.com/api/v1/hooks/shieldapi.solongate.com/api/v1/audit-logs

Decision evidence

public snapshot
AI called this Suspicious at 93.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `dist/login.js` runs global setup by default after an explicit `login` authorization.
  • `dist/global-install.js` writes `~/.claude/settings.json` hooks and shell startup shims for `claude`.
  • `hooks/guard.mjs` downloads newer hook source, verifies only a server-supplied SHA-256, then atomically replaces `~/.solongate/hooks/{guard,audit,shield}.mjs`.
  • Installed hooks send tool arguments and audit decisions to the configured SolonGate API endpoint.
Evidence against
  • `package.json` contains no `preinstall`, `install`, or `postinstall` lifecycle hook.
  • The control-surface changes require an explicit `login` command; `login --no-install` avoids them.
  • The default network host is package-aligned: `https://api.solongate.com`.
  • `dist/lib.js` exports library APIs and shows no import-time installation or hook mutation.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 17 file(s), 1.63 MB of source, external domains: 127.0.0.1, api.anthropic.com, api.solongate.com, cdn.solongate.com, dashboard.solongate.com, solongate.com

Source & flagged code

15 flagged · loading source
dist/tui/index.jsView file
1976patternName = aws_access_key severity = critical line = 1976 matchedText = var SAMP...i"];
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist/tui/index.jsView on unpkg · L1976
1976patternName = aws_access_key severity = critical line = 1976 matchedText = var SAMP...i"];
Critical
Secret Pattern

AWS access key ID in dist/tui/index.js

dist/tui/index.jsView on unpkg · L1976
dist/shield.jsView file
3import { request as httpsRequest } from "https"; L4: import { spawn } from "child_process"; L5: import { URL } from "url";
High
Child Process

Package source references child process execution.

dist/shield.jsView on unpkg · L3
281log(`redacting secrets on the LLM path \u2192 masking before ${upstream.host} (127.0.0.1:${port})`); L282: const child = spawn(cmd[0], cmd.slice(1), { L283: stdio: "inherit", L284: env: { ...process.env, ANTHROPIC_BASE_URL: `http://127.0.0.1:${port}` }, L285: shell: process.platform === "win32"
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/shield.jsView on unpkg · L281
dist/lib.jsView file
6541/\bbash\s+-c\b/i, L6542: // Subshell wrapper: bash -c L6543: /\bsh\s+-c\b/i,
High
Shell

Package source references shell execution.

dist/lib.jsView on unpkg · L6541
42try { L43: JSON.parse(str); L44: return true; ... L2982: // Keys in mapping nodes earlier in the sequence override keys specified in L2983: // later mapping nodes. -- http://yaml.org/type/merge.html L2984: addToJSMap(ctx, map) { ... L4515: function shouldWarn(deprecation) { L4516: const env = typeof process !== "undefined" && process.env || {}; L4517: if (deprecation) { ... L5075: handle: "!!", L5076: prefix: "tag:private.yaml.org,2002:" L5077: }]
High
Credential Exfiltration

Source combines credential-like environment material and outbound requests; review data flow before blocking.

dist/lib.jsView on unpkg · L42
42try { L43: JSON.parse(str); L44: return true; ... L2982: // Keys in mapping nodes earlier in the sequence override keys specified in L2983: // later mapping nodes. -- http://yaml.org/type/merge.html L2984: addToJSMap(ctx, map) { ... L4515: function shouldWarn(deprecation) { L4516: const env = typeof process !== "undefined" && process.env || {}; L4517: if (deprecation) { ... L5075: handle: "!!", L5076: prefix: "tag:private.yaml.org,2002:" L5077: }]
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/lib.jsView on unpkg · L42
dist/audit/index.jsView file
1395var DANGEROUS_PATTERNS = [ L1396: { pattern: /eval\s*\(/, label: "eval() \u2014 arbitrary code execution" }, L1397: { pattern: /\bexec\s*\(/, label: "exec() \u2014 arbitrary code execution" },
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/audit/index.jsView on unpkg · L1395
dist/index.jsView file
8642patternName = aws_access_key severity = critical line = 8642 matchedText = SAMPLES ...i"];
Critical
Secret Pattern

AWS access key ID in dist/index.js

dist/index.jsView on unpkg · L8642
10617__dirname = dirname(fileURLToPath(import.meta.url)); L10618: HOOKS_DIR = resolve4(__dirname, "..", "hooks"); L10619: SHIM_BEGIN = "# >>> SolonGate shield (auto secret redaction) >>>"; ... L10625: var login_exports = {}; L10626: import { spawn as spawn2 } from "child_process"; L10627: function startSpinner(text) { L10628: if (!process.stderr.isTTY) { L10629: process.stderr.write(` ${text} L10630: `);
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/index.jsView on unpkg · L10617
41try { L42: const p = join(homedir(), ".solongate", "cloud-guard.json"); L43: if (!existsSync(p)) return {}; L44: const c2 = JSON.parse(readFileSync(p, "utf-8")); L45: return c2 && typeof c2 === "object" ? c2 : {}; ... L52: if (!resolvedId) { L53: const listRes = await fetch(`${apiUrl}/api/v1/policies`, { L54: headers: { "Authorization": `Bearer ${apiKey}` }, ... L120: const resBody = await res.text().catch(() => ""); L121: process.stderr.write(`[SolonGate] Audit log rejected (${res.status}): ${resBody} L122: `); ... L262: if (!apiKey) {
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/index.jsView on unpkg · L41
41Cross-file remote execution chain: dist/index.js spawns dist/audit/index.js; helper contains network access plus dynamic code execution. L41: try { L42: const p = join(homedir(), ".solongate", "cloud-guard.json"); L43: if (!existsSync(p)) return {}; L44: const c2 = JSON.parse(readFileSync(p, "utf-8")); L45: return c2 && typeof c2 === "object" ? c2 : {}; ... L52: if (!resolvedId) { L53: const listRes = await fetch(`${apiUrl}/api/v1/policies`, { L54: headers: { "Authorization": `Bearer ${apiKey}` }, ... L120: const resBody = await res.text().catch(() => ""); L121: process.stderr.write(`[SolonGate] Audit log rejected (${res.status}): ${resBody} L122: `); ... L262: if (!apiKey) {
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/index.jsView on unpkg · L41
11403const pm = detectPackageManager(); L11404: const cmd = pm === "yarn" ? "yarn add @solongate/proxy" : `${pm} install @solongate/proxy`; L11405: log3(` Installing @solongate/proxy via ${pm}...`); L11406: try { L11407: execSync(cmd, { stdio: "pipe", cwd: process.cwd() }); L11408: return true;
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/index.jsView on unpkg · L11403
hooks/guard.mjsView file
13* - API_KEY (sg_live_…/sg_test_…) from env/.env, attached to every API call. L14: * - API_URL defaults to https://api.solongate.com. L15: * - Enforcement is gated on the API key (the key identifies the project + ... L19: * L20: * Exit code 2 = BLOCK, exit code 0 = ALLOW. L21: * Logs DENY decisions to SolonGate Cloud. ALLOWs are logged by audit.mjs. ... L24: import { readFileSync, existsSync, statSync, writeFileSync, mkdirSync, chmodSync, renameSync, appendFileSync } from 'node:fs'; L25: import { spawn } from 'node:child_process'; L26: import { resolve, join, dirname, isAbsolute } from 'node:path'; L27: import { homedir } from 'node:os'; L28: import { gunzipSync } from 'node:zlib'; L29: import { createHash } from 'node:crypto';
High
Cloud Metadata Access

Source reaches cloud instance metadata or link-local credential endpoints.

hooks/guard.mjsView on unpkg · L13
dist/login.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @solongate/proxy@0.81.7 matchedIdentity = npm:QHNvbG9uZ2F0ZS9wcm94eQ:0.81.7 similarity = 0.706 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/login.jsView on unpkg

Findings

4 Critical9 High4 Medium6 Low
CriticalCritical Secretdist/tui/index.js
CriticalPrevious Version Dangerous Deltadist/login.js
CriticalSecret Patterndist/tui/index.js
CriticalSecret Patterndist/index.js
HighChild Processdist/shield.js
HighShelldist/lib.js
HighSame File Env Network Executiondist/shield.js
HighCredential Exfiltrationdist/lib.js
HighCommand Output Exfiltrationdist/index.js
HighSandbox Evasion Gated Capabilitydist/index.js
HighCloud Metadata Accesshooks/guard.mjs
HighCross File Remote Execution Contextdist/index.js
HighRuntime Package Installdist/index.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/lib.js
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvaldist/audit/index.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings