registry  /  @solongate/proxy  /  0.81.39

@solongate/proxy@0.81.39

AI tool security proxy: protect any AI tool server with customizable policies, path/command constraints, rate limiting, and audit logging. No code changes required.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No install-time attack is present. An explicit `solongate login` installs Claude Code hooks, optional shell shims, and cloud-audit behavior; those hooks can transmit tool-call metadata and argument summaries to the configured SolonGate API.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs `solongate login` with a SolonGate API key, then starts Claude Code.
Impact
Broad AI-agent lifecycle modification and potential disclosure of AI tool-call contents to the configured service.
Mechanism
Explicit global Claude hook installation with cloud policy and audit logging.
Rationale
Source inspection confirms an explicit global AI-agent extension installer with cloud audit exfiltration, but no lifecycle-triggered or covert malicious chain. Warn rather than block under the stated control-surface policy.
Evidence
package.jsondist/index.jshooks/guard.mjshooks/audit.mjshooks/shield.mjshooks/stop.mjs~/.claude/settings.json~/.solongate/cloud-guard.json~/.solongate/hooks/guard.mjs~/.zshrc~/.bashrc~/.profile
Network endpoints2
api.solongate.comapi.anthropic.com

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `login` explicitly installs global Claude hooks and shell shims.
  • Hooks send tool names and argument summaries to SolonGate audit API.
  • Optional `SOLONGATE_OS_LOCK=1` makes hook/config files immutable.
Evidence against
  • `package.json` has no preinstall, install, or postinstall hook.
  • CLI dispatch runs installation only for explicit `login`; `logout` restores.
  • Observed endpoints are package-aligned SolonGate audit/policy APIs and Anthropic proxy upstream.
  • No remote code download/eval or stealth import-time execution found.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 17 file(s), 1.73 MB of source, external domains: 127.0.0.1, api.anthropic.com, api.solongate.com, cdn.solongate.com, dashboard.solongate.com, solongate.com

Source & flagged code

14 flagged · loading source
dist/tui/index.jsView file
2290patternName = aws_access_key severity = critical line = 2290 matchedText = var SAMP...i"];
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist/tui/index.jsView on unpkg · L2290
2290patternName = aws_access_key severity = critical line = 2290 matchedText = var SAMP...i"];
Critical
Secret Pattern

AWS access key ID in dist/tui/index.js

dist/tui/index.jsView on unpkg · L2290
706const ps = `Add-Type -AssemblyName System.Windows.Forms;Add-Type -AssemblyName System.Drawing;$n=New-Object System.Windows.Forms.NotifyIcon;$n.Icon=[System.Drawing.SystemIcons]::In... L707: const p = spawn2("powershell", ["-NoProfile", "-NonInteractive", "-Command", ps], { stdio: "ignore", detached: true, windowsHide: true }); L708: p.on("error", () => {
High
Shell

Package source references shell execution.

dist/tui/index.jsView on unpkg · L706
dist/shield.jsView file
3import { request as httpsRequest } from "https"; L4: import { spawn } from "child_process"; L5: import { URL } from "url";
High
Child Process

Package source references child process execution.

dist/shield.jsView on unpkg · L3
281log(`redacting secrets on the LLM path \u2192 masking before ${upstream.host} (127.0.0.1:${port})`); L282: const child = spawn(cmd[0], cmd.slice(1), { L283: stdio: "inherit", L284: env: { ...process.env, ANTHROPIC_BASE_URL: `http://127.0.0.1:${port}` }, L285: shell: process.platform === "win32"
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/shield.jsView on unpkg · L281
dist/audit/index.jsView file
1395var DANGEROUS_PATTERNS = [ L1396: { pattern: /eval\s*\(/, label: "eval() \u2014 arbitrary code execution" }, L1397: { pattern: /\bexec\s*\(/, label: "exec() \u2014 arbitrary code execution" },
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/audit/index.jsView on unpkg · L1395
dist/lib.jsView file
42try { L43: JSON.parse(str); L44: return true; ... L2982: // Keys in mapping nodes earlier in the sequence override keys specified in L2983: // later mapping nodes. -- http://yaml.org/type/merge.html L2984: addToJSMap(ctx, map) { ... L4515: function shouldWarn(deprecation) { L4516: const env = typeof process !== "undefined" && process.env || {}; L4517: if (deprecation) { ... L5075: handle: "!!", L5076: prefix: "tag:private.yaml.org,2002:" L5077: }]
High
Credential Exfiltration

Source combines credential-like environment material and outbound requests; review data flow before blocking.

dist/lib.jsView on unpkg · L42
42try { L43: JSON.parse(str); L44: return true; ... L2982: // Keys in mapping nodes earlier in the sequence override keys specified in L2983: // later mapping nodes. -- http://yaml.org/type/merge.html L2984: addToJSMap(ctx, map) { ... L4515: function shouldWarn(deprecation) { L4516: const env = typeof process !== "undefined" && process.env || {}; L4517: if (deprecation) { ... L5075: handle: "!!", L5076: prefix: "tag:private.yaml.org,2002:" L5077: }]
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/lib.jsView on unpkg · L42
dist/index.jsView file
8973patternName = aws_access_key severity = critical line = 8973 matchedText = SAMPLES ...i"];
Critical
Secret Pattern

AWS access key ID in dist/index.js

dist/index.jsView on unpkg · L8973
11605__dirname = dirname(fileURLToPath(import.meta.url)); L11606: HOOKS_DIR = resolve4(__dirname, "..", "hooks"); L11607: SHIM_BEGIN = "# >>> SolonGate shield (auto secret redaction) >>>"; ... L11613: var login_exports = {}; L11614: import { spawn as spawn3 } from "child_process"; L11615: function startSpinner(text) { L11616: if (!process.stderr.isTTY) { L11617: process.stderr.write(` ${text} L11618: `);
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/index.jsView on unpkg · L11605
41try { L42: const p = join(homedir(), ".solongate", "cloud-guard.json"); L43: if (!existsSync(p)) return {}; L44: const c2 = JSON.parse(readFileSync(p, "utf-8")); L45: return c2 && typeof c2 === "object" ? c2 : {}; ... L52: if (!resolvedId) { L53: const listRes = await fetch(`${apiUrl}/api/v1/policies`, { L54: headers: { "Authorization": `Bearer ${apiKey}` }, ... L120: const resBody = await res.text().catch(() => ""); L121: process.stderr.write(`[SolonGate] Audit log rejected (${res.status}): ${resBody} L122: `); ... L262: if (!apiKey) {
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/index.jsView on unpkg · L41
41Cross-file remote execution chain: dist/index.js spawns dist/audit/index.js; helper contains network access plus dynamic code execution. L41: try { L42: const p = join(homedir(), ".solongate", "cloud-guard.json"); L43: if (!existsSync(p)) return {}; L44: const c2 = JSON.parse(readFileSync(p, "utf-8")); L45: return c2 && typeof c2 === "object" ? c2 : {}; ... L52: if (!resolvedId) { L53: const listRes = await fetch(`${apiUrl}/api/v1/policies`, { L54: headers: { "Authorization": `Bearer ${apiKey}` }, ... L120: const resBody = await res.text().catch(() => ""); L121: process.stderr.write(`[SolonGate] Audit log rejected (${res.status}): ${resBody} L122: `); ... L262: if (!apiKey) {
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/index.jsView on unpkg · L41
12393const pm = detectPackageManager(); L12394: const cmd = pm === "yarn" ? "yarn add @solongate/proxy" : `${pm} install @solongate/proxy`; L12395: log3(` Installing @solongate/proxy via ${pm}...`); L12396: try { L12397: execSync(cmd, { stdio: "pipe", cwd: process.cwd() }); L12398: return true;
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/index.jsView on unpkg · L12393
hooks/guard.mjsView file
13* - API_KEY (sg_live_…/sg_test_…) from env/.env, attached to every API call. L14: * - API_URL defaults to https://api.solongate.com. L15: * - Enforcement is gated on the API key (the key identifies the project + ... L19: * L20: * Exit code 2 = BLOCK, exit code 0 = ALLOW. L21: * Logs DENY decisions to SolonGate Cloud. ALLOWs are logged by audit.mjs. ... L24: import { readFileSync, existsSync, statSync, writeFileSync, mkdirSync, chmodSync, renameSync, appendFileSync } from 'node:fs'; L25: import { spawn } from 'node:child_process'; L26: import { resolve, join, dirname, isAbsolute } from 'node:path'; L27: import { homedir } from 'node:os'; L28: import { gunzipSync } from 'node:zlib'; L29: import { createHash } from 'node:crypto';
High
Cloud Metadata Access

Source reaches cloud instance metadata or link-local credential endpoints.

hooks/guard.mjsView on unpkg · L13

Findings

3 Critical9 High4 Medium6 Low
CriticalCritical Secretdist/tui/index.js
CriticalSecret Patterndist/tui/index.js
CriticalSecret Patterndist/index.js
HighChild Processdist/shield.js
HighShelldist/tui/index.js
HighSame File Env Network Executiondist/shield.js
HighCredential Exfiltrationdist/lib.js
HighCommand Output Exfiltrationdist/index.js
HighSandbox Evasion Gated Capabilitydist/index.js
HighCloud Metadata Accesshooks/guard.mjs
HighCross File Remote Execution Contextdist/index.js
HighRuntime Package Installdist/index.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/lib.js
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvaldist/audit/index.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings