registry  /  @solongate/proxy  /  0.81.34

@solongate/proxy@0.81.34

AI tool security proxy: protect any AI tool server with customizable policies, path/command constraints, rate limiting, and audit logging. No code changes required.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. Explicit `login` installs persistent Claude Code command hooks and a shell shim. The guard later self-updates installed hook files from the configured SolonGate Cloud API and uploads audit/policy-related data when enabled.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs the package CLI `login` and completes device authorization; installed hooks then run on Claude Code tool events.
Impact
Persistent interception of Claude Code tool calls and transmission of configured audit data; cloud control of future hook source remains a supply-chain risk.
Mechanism
First-party AI-agent hook installation, cloud policy/audit integration, and signed-hash-checked remote hook replacement.
Rationale
Source establishes a user-invoked, first-party global AI-agent extension with remote hook updates and audit networking. No install-time lifecycle mutation, stealth execution, or unrelated credential exfiltration was found, so this warrants warning rather than blocking.
Evidence
package.jsondist/login.jsdist/global-install.jshooks/guard.mjshooks/audit.mjshooks/shield.mjs~/.claude/settings.json~/.solongate/hooks/guard.mjs
Network endpoints5
api.solongate.com/api/v1/hooks/guardapi.solongate.com/api/v1/hooks/auditapi.solongate.com/api/v1/hooks/shieldapi.solongate.com/api/v1/audit-logsapi.solongate.com/api/v1/policies/active

Decision evidence

public snapshot
AI called this Suspicious at 92.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/login.js` runs `runGlobalInstall` after device login unless `--no-install`.
  • `dist/global-install.js` writes Claude Code hooks into `~/.claude/settings.json` and shell-profile Claude shims.
  • `hooks/guard.mjs` fetches newer hook source from `/api/v1/hooks/*` and atomically replaces installed hooks.
  • Installed hooks read local API keys/config and send policy/audit requests to SolonGate Cloud.
Evidence against
  • `package.json` has no `preinstall`, `install`, `postinstall`, or `prepare` lifecycle hook.
  • Global mutation is reached through explicit `login` after interactive device authorization.
  • Hook updates require a configured SolonGate API key and perform SHA-256 equality checks.
  • Observed endpoints are package-aligned SolonGate APIs; no unrelated exfiltration endpoint was found.
  • `dist/inject.js` and `dist/create.js` package-manager calls are explicit CLI subcommands, not install-time behavior.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 17 file(s), 1.70 MB of source, external domains: 127.0.0.1, api.anthropic.com, api.solongate.com, cdn.solongate.com, dashboard.solongate.com, solongate.com

Source & flagged code

15 flagged · loading source
dist/tui/index.jsView file
2198patternName = aws_access_key severity = critical line = 2198 matchedText = var SAMP...i"];
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist/tui/index.jsView on unpkg · L2198
matchType = previous_version_dangerous_delta matchedPackage = @solongate/proxy@0.81.31 matchedIdentity = npm:QHNvbG9uZ2F0ZS9wcm94eQ:0.81.31 similarity = 0.882 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/tui/index.jsView on unpkg
2198patternName = aws_access_key severity = critical line = 2198 matchedText = var SAMP...i"];
Critical
Secret Pattern

AWS access key ID in dist/tui/index.js

dist/tui/index.jsView on unpkg · L2198
615const ps = `Add-Type -AssemblyName System.Windows.Forms;Add-Type -AssemblyName System.Drawing;$n=New-Object System.Windows.Forms.NotifyIcon;$n.Icon=[System.Drawing.SystemIcons]::In... L616: const p = spawn("powershell", ["-NoProfile", "-NonInteractive", "-Command", ps], { stdio: "ignore", detached: true, windowsHide: true }); L617: p.on("error", () => {
High
Shell

Package source references shell execution.

dist/tui/index.jsView on unpkg · L615
dist/shield.jsView file
3import { request as httpsRequest } from "https"; L4: import { spawn } from "child_process"; L5: import { URL } from "url";
High
Child Process

Package source references child process execution.

dist/shield.jsView on unpkg · L3
281log(`redacting secrets on the LLM path \u2192 masking before ${upstream.host} (127.0.0.1:${port})`); L282: const child = spawn(cmd[0], cmd.slice(1), { L283: stdio: "inherit", L284: env: { ...process.env, ANTHROPIC_BASE_URL: `http://127.0.0.1:${port}` }, L285: shell: process.platform === "win32"
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/shield.jsView on unpkg · L281
dist/audit/index.jsView file
1395var DANGEROUS_PATTERNS = [ L1396: { pattern: /eval\s*\(/, label: "eval() \u2014 arbitrary code execution" }, L1397: { pattern: /\bexec\s*\(/, label: "exec() \u2014 arbitrary code execution" },
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/audit/index.jsView on unpkg · L1395
dist/lib.jsView file
42try { L43: JSON.parse(str); L44: return true; ... L2982: // Keys in mapping nodes earlier in the sequence override keys specified in L2983: // later mapping nodes. -- http://yaml.org/type/merge.html L2984: addToJSMap(ctx, map) { ... L4515: function shouldWarn(deprecation) { L4516: const env = typeof process !== "undefined" && process.env || {}; L4517: if (deprecation) { ... L5075: handle: "!!", L5076: prefix: "tag:private.yaml.org,2002:" L5077: }]
High
Credential Exfiltration

Source combines credential-like environment material and outbound requests; review data flow before blocking.

dist/lib.jsView on unpkg · L42
42try { L43: JSON.parse(str); L44: return true; ... L2982: // Keys in mapping nodes earlier in the sequence override keys specified in L2983: // later mapping nodes. -- http://yaml.org/type/merge.html L2984: addToJSMap(ctx, map) { ... L4515: function shouldWarn(deprecation) { L4516: const env = typeof process !== "undefined" && process.env || {}; L4517: if (deprecation) { ... L5075: handle: "!!", L5076: prefix: "tag:private.yaml.org,2002:" L5077: }]
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/lib.jsView on unpkg · L42
dist/index.jsView file
8875patternName = aws_access_key severity = critical line = 8875 matchedText = SAMPLES ...i"];
Critical
Secret Pattern

AWS access key ID in dist/index.js

dist/index.jsView on unpkg · L8875
11330__dirname = dirname(fileURLToPath(import.meta.url)); L11331: HOOKS_DIR = resolve4(__dirname, "..", "hooks"); L11332: SHIM_BEGIN = "# >>> SolonGate shield (auto secret redaction) >>>"; ... L11338: var login_exports = {}; L11339: import { spawn as spawn2 } from "child_process"; L11340: function startSpinner(text) { L11341: if (!process.stderr.isTTY) { L11342: process.stderr.write(` ${text} L11343: `);
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/index.jsView on unpkg · L11330
41try { L42: const p = join(homedir(), ".solongate", "cloud-guard.json"); L43: if (!existsSync(p)) return {}; L44: const c2 = JSON.parse(readFileSync(p, "utf-8")); L45: return c2 && typeof c2 === "object" ? c2 : {}; ... L52: if (!resolvedId) { L53: const listRes = await fetch(`${apiUrl}/api/v1/policies`, { L54: headers: { "Authorization": `Bearer ${apiKey}` }, ... L120: const resBody = await res.text().catch(() => ""); L121: process.stderr.write(`[SolonGate] Audit log rejected (${res.status}): ${resBody} L122: `); ... L262: if (!apiKey) {
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/index.jsView on unpkg · L41
41Cross-file remote execution chain: dist/index.js spawns dist/audit/index.js; helper contains network access plus dynamic code execution. L41: try { L42: const p = join(homedir(), ".solongate", "cloud-guard.json"); L43: if (!existsSync(p)) return {}; L44: const c2 = JSON.parse(readFileSync(p, "utf-8")); L45: return c2 && typeof c2 === "object" ? c2 : {}; ... L52: if (!resolvedId) { L53: const listRes = await fetch(`${apiUrl}/api/v1/policies`, { L54: headers: { "Authorization": `Bearer ${apiKey}` }, ... L120: const resBody = await res.text().catch(() => ""); L121: process.stderr.write(`[SolonGate] Audit log rejected (${res.status}): ${resBody} L122: `); ... L262: if (!apiKey) {
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/index.jsView on unpkg · L41
12116const pm = detectPackageManager(); L12117: const cmd = pm === "yarn" ? "yarn add @solongate/proxy" : `${pm} install @solongate/proxy`; L12118: log3(` Installing @solongate/proxy via ${pm}...`); L12119: try { L12120: execSync(cmd, { stdio: "pipe", cwd: process.cwd() }); L12121: return true;
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/index.jsView on unpkg · L12116
hooks/guard.mjsView file
13* - API_KEY (sg_live_…/sg_test_…) from env/.env, attached to every API call. L14: * - API_URL defaults to https://api.solongate.com. L15: * - Enforcement is gated on the API key (the key identifies the project + ... L19: * L20: * Exit code 2 = BLOCK, exit code 0 = ALLOW. L21: * Logs DENY decisions to SolonGate Cloud. ALLOWs are logged by audit.mjs. ... L24: import { readFileSync, existsSync, statSync, writeFileSync, mkdirSync, chmodSync, renameSync, appendFileSync } from 'node:fs'; L25: import { spawn } from 'node:child_process'; L26: import { resolve, join, dirname, isAbsolute } from 'node:path'; L27: import { homedir } from 'node:os'; L28: import { gunzipSync } from 'node:zlib'; L29: import { createHash } from 'node:crypto';
High
Cloud Metadata Access

Source reaches cloud instance metadata or link-local credential endpoints.

hooks/guard.mjsView on unpkg · L13

Findings

4 Critical9 High4 Medium6 Low
CriticalCritical Secretdist/tui/index.js
CriticalPrevious Version Dangerous Deltadist/tui/index.js
CriticalSecret Patterndist/tui/index.js
CriticalSecret Patterndist/index.js
HighChild Processdist/shield.js
HighShelldist/tui/index.js
HighSame File Env Network Executiondist/shield.js
HighCredential Exfiltrationdist/lib.js
HighCommand Output Exfiltrationdist/index.js
HighSandbox Evasion Gated Capabilitydist/index.js
HighCloud Metadata Accesshooks/guard.mjs
HighCross File Remote Execution Contextdist/index.js
HighRuntime Package Installdist/index.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/lib.js
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvaldist/audit/index.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings